Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting.
Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK.
Exploit kit searches for vulnerable routers, not browsers or Flash installs
Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.
For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.
The next step is for the attackers to send an image file to the user's browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography.
The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.
Malvertising campaign targets 166 router models
After the user receives his encryption key, the DNSChanger exploit kit sends each victim a list of router "fingerprints." Proofpoint researchers say they've seen the exploit kit serving 166 router fingerprints at the time of writing.
The malicious ad uses these fingerprints to test the router type the user is using, and then report back to the exploit kit's server.
The DNSChanger EK replies back with exploit packages that can take over the router and change its DNS settings in order to relay traffic through the crooks' servers.
The exploit packages contain vulnerabilities or list of hardcoded admin credentials that can allow the crooks to control the victim's local router.
Proofpoint says that in some instances, where router models allow this, the crooks try to open the router's administration ports to external connections so that attackers can control the routers directly. Researchers say they've seen attackers open administration ports for 36 routers of the list of 166 router fingerprints.
All this happens in a matter of seconds and out of the user's sight, via an HTML iframe hidden away from the browser's viewport.
Attackers use compromised routers to replace ads in the user's normal traffic
Once the attack has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn't feature ads.
While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.
Proofpoint says the crooks have been replacing ads delivered by advertising networks such as AdSupply, OutBrain, Popcash, Propellerads, and Taboola.
Researchers haven't yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel.
Updating router firmware is the recommended course of action
Because the attack is carried out via the user's browser, using strong router passwords or disabling the administration interface is not enough.
The only way users can stay safe is if they update their router's firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by the DNSChanger EK.
This malvertising campaign has nothing to do with the exploit against Netgear routers that came to light over the weekend, or the malvertising campaign discovered by ESET last week, which embedded malicious code inside the pixels of banner ads.