Update (11/9/2105): This campaign is still active and we catch up with it again:

berlin-auto.space/deliver2/deliver2?kampagnen=29&ads=2&adl=VviuKIfBb8b9stgEwY6o5QcAAAAQASCBssUgOABYmYK5u3JglYKAgLAHsgELd3d3Lm5ld3MuZGW6AQlnZn&r_id=0.0472178136001

Interesting to note that the registrant info changed:

  • Domain name: berlin-auto.space
  • Registrant email: alex@webaoox.us
  • Creation Date: 2015-11-05T18:24:01.0Z

– –

A large malvertising campaign is currently targeting German users on some popular web sites such as eBay.de or T-Online.de, the latter being a top ISP.

A rogue actor has been successful in gaining the trust from reputable ad networks including German ad-serving technology platform MP New Media, and by extension affecting top publishers and ad networks.

We spotted two bogus ad servers which bear the same structure that was inspired by the legitimate German platform they were abusing: www1.mpnrs.com/deliver2/deliver2?

  • deutschlandauto.xyz/deliver2/deliver2?kampagnen=30
  • deutschewelle.pw/deliver2/deliver2?kampagnen=30
  • [New domain on 10/24/2015]: de-auto.pw/deliver2/deliver2?kampagnen=30
  • [New domain on 10/25/2015]: altreich.pw/deliver2/deliver2?kampagnen=30

kampagnen

We decided to nickname this campaign ‘kampagnen’ which is German for ‘campaigns’ based on a unique identifier we saw being used in each attack: kampagnen=30

A quick lookup on these domain names easily reveals that they are completely bogus. The domains were registered the day before the malvertising campaign started, and the admin’s email address is, well, pretty obviously untrustworthy.

  • Creation Date: 2015-10-17T07:30
  • Admin Email: ipsec@ihateclowns.com

Here are some the publishers that were affected by this attack as far as we could tell from our telemetry. There are undoubtedly many more and the same pattern is noticeable, all of them are German sites where the rogue advertiser managed to display its ads.

Publishers:

  • ebay.de 131.5M
  • t-online.de 79M
  • arcor.de 7.6M
  • swp.de 790K
  • fischkopf.de 300K
  • donaukurier.de 240K

Sites sorted by monthly visits according to SimilarWeb.

As mentioned, eBay Germany was victim of this campaign. Here is the infection flow leading to the Angler Exploit Kit.

Infection flow:

  • Publisher: ebay.de
  • Ad callad-emea.doubleclick.net/N3837/adi/ebay.de.myebay/{redacted}
  • Ad network: www1.mpnrs.com/deliver2/deliver2?adl=10671&ads=1043&nojs=true&clk=https://adclick.g.doubleclick.net/aclk?sa={redacted}
  • Ad network: www3.mpnrs.com/maxx/22685/22685_array.php?redacted}
  • Fake advertiser: deutschlandauto.xyz/deliver2/deliver2?kampagnen=30&ads={redacted}
  • Angler Exploit Kit: card.shannonsebastiancreations.com/civis/viewtopic.php?t=05u&f={redacted}

This malvertising campaign redirected to Angler EK but Neutrino EK as well:

lrhgj.sdwikqutcvbyagelael.ml/1996/05/30/tense/young/mistaken/worm-temper-explode-entire-everywhere-gallop-beach-observe-wooden-forty.html
 -> Referer: www3.mpnrs.com/maxx/25185/index.php?{redacted}

We have alerted the publishers and ad networks mentioned in this blog about this attack and were told by MP NewMedia that they identified the issue and took care of it.

However, we think this campaign may still be going on via other ad networks. We advise caution and as usual the recommendation of keeping your systems up to date with multiple layers of defense is the best way to fight malvertising and drive-by download attacks.

Malwarebytes Anti-Exploit users were already protected against this latest malvertising campaign.