{"id":5168,"date":"2023-06-07T15:00:27","date_gmt":"2023-06-07T15:00:27","guid":{"rendered":"https:\/\/adex.com\/?p=5168"},"modified":"2023-06-07T15:00:29","modified_gmt":"2023-06-07T15:00:29","slug":"new-threat-malicious-redirects-detected-in-ad-campaigns","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/","title":{"rendered":"[New Threat] Malicious Redirects Detected in Ad Campaigns"},"content":{"rendered":"\n

Continuous monitoring of ad campaigns aims to detect not only potential fraud but also serious security threats such as malware.<\/p>\n\n\n\n

Adex supports one of the largest global multisource ad platforms, PropellerAds, with ad fraud prevention and detection services. The company takes great care to ensure the quality of ad campaigns launched through its platform.<\/p>\n\n\n\n

During one of its routine checks, the system automatically rejected an ad campaign because of the malware. The client who launched this campaign was clearly confused, as he had never faced a similar issue before and was confident that none of his marketing materials could contain malicious activity.<\/p>\n\n\n\n

\n\n\n\n

Malicious Redirects and Code Injections<\/strong><\/h2>\n\n\n\n

Upon further investigation, the specialists at Adex have found out that the domain giftaward.life<\/strong> in the redirect chain has been tagged as malware by Security vendors’ analysis. The client was unaware of the redirect chain.<\/p>\n\n\n\n

Our experts assumed that the redirect in question from checking-browser.com<\/strong> was somehow related to a tracker. Next, they discovered that this domain is found in similar redirects in ad campaigns of other advertisers.<\/p>\n\n\n\n

Advanced checks have been performed on campaigns where this domain was encountered. As a result, it was found that the HTML of the page opens the target URL of the campaigns that uses the infected jQuery library with malicious code injection.<\/p>\n\n\n\n

\"Adex<\/a><\/figure>\n\n\n\n

This code checks for the presence of the PHPREFS cookie and if it is absent, embeds the script tag with https:\/\/cdnstat.net\/get\/script.js?referrer=……<\/em> and stores the PHPREFS=full<\/em> cookie with an 11-hour lifetime.<\/p>\n\n\n\n

In other words, if the same target URL is opened from the same browser, the code won’t be injected a second time.<\/p>\n\n\n\n

\n\n\n\n

How does the Script work?<\/strong><\/h2>\n\n\n\n

There are two possible scenarios for how the server responds to requesting https:\/\/cdnstat.net\/get\/script.js?referrer=.<\/em> <\/p>\n\n\n\n

    \n
  1. The script clears the Yandex Metrica, and Google Tag Manager data so that the redirect cannot be tracked. After that, it redirects to checking-browser.com. This removes all traces of the injection.<\/li>\n<\/ol>\n\n\n\n
    \"Adex<\/a><\/figure>\n\n\n\n

    <\/p>\n\n\n\n

    The domain we discussed earlier \u2013 checking-browser.com<\/strong> \u2013 responds with a simple redirect to the address specified in the query string of the request. In our case, this is a Giftaward domain.<\/p>\n\n\n\n

    \"Adex<\/a><\/figure>\n\n\n\n
      \n
    1. The script removes all traces of injected code.<\/li>\n<\/ol>\n\n\n\n

      <\/p>\n\n\n\n

      \"Adex<\/a><\/figure>\n\n\n\n
      \n\n\n\n

      Next steps: Mitigating the Risks<\/strong><\/h2>\n\n\n\n

      Once the malicious scheme had been identified and investigated, PropellerAds traffic specialists contacted the affected clients whose campaigns had been infected by the malware. They were advised to reinstall the server.<\/p>\n\n\n\n

      \n

      \u201cThis is not entirely unexpected. We know that fraudsters can strike at any moment, so our only weapon is careful monitoring. It allows us to mitigate threats in time and avoid serious damage to advertisers and site visitors,” <\/em>adds Adex’s leading anti-fraud expert.<\/p>\n<\/blockquote>\n\n\n\n

      Adex continues to monitor current threats and the emergence of new types of fraud.<\/p>\n","protected":false},"excerpt":{"rendered":"

      During one of its routine checks,we discovered potentially dangerous code injection and malicious redirects.<\/p>\n","protected":false},"author":4,"featured_media":5175,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[4],"tags":[16,17],"class_list":["post-5168","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-current_risks","tag-threat","tag-virus"],"acf":[],"yoast_head":"\n[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX\" \/>\n<meta property=\"og:description\" content=\"During one of its routine checks,we discovered potentially dangerous code injection and malicious redirects.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-07T15:00:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-07T15:00:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Content Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Content Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/\"},\"author\":{\"name\":\"Content Team\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\"},\"headline\":\"[New Threat] Malicious Redirects Detected in Ad Campaigns\",\"datePublished\":\"2023-06-07T15:00:27+00:00\",\"dateModified\":\"2023-06-07T15:00:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/\"},\"wordCount\":476,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/Adex-malicious-redirects-case-study.png\",\"keywords\":[\"Threat\",\"Virus\"],\"articleSection\":[\"Current risks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/\",\"name\":\"[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/Adex-malicious-redirects-case-study.png\",\"datePublished\":\"2023-06-07T15:00:27+00:00\",\"dateModified\":\"2023-06-07T15:00:29+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/Adex-malicious-redirects-case-study.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/06\\\/Adex-malicious-redirects-case-study.png\",\"width\":1200,\"height\":628,\"caption\":\"Adex - malicious redirects case study\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/new-threat-malicious-redirects-detected-in-ad-campaigns\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[New Threat] Malicious Redirects Detected in Ad Campaigns\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\",\"name\":\"Content Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"caption\":\"Content Team\"},\"sameAs\":[\"https:\\\/\\\/adex.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/","og_locale":"en_US","og_type":"article","og_title":"[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX","og_description":"During one of its routine checks,we discovered potentially dangerous code injection and malicious redirects.","og_url":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2023-06-07T15:00:27+00:00","article_modified_time":"2023-06-07T15:00:29+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png","type":"image\/png"}],"author":"Content Team","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Content Team","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/"},"author":{"name":"Content Team","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61"},"headline":"[New Threat] Malicious Redirects Detected in Ad Campaigns","datePublished":"2023-06-07T15:00:27+00:00","dateModified":"2023-06-07T15:00:29+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/"},"wordCount":476,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png","keywords":["Threat","Virus"],"articleSection":["Current risks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/","url":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/","name":"[New Threat] Malicious Redirects Detected in Ad Campaigns - ADEX","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png","datePublished":"2023-06-07T15:00:27+00:00","dateModified":"2023-06-07T15:00:29+00:00","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2023\/06\/Adex-malicious-redirects-case-study.png","width":1200,"height":628,"caption":"Adex - malicious redirects case study"},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/new-threat-malicious-redirects-detected-in-ad-campaigns\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"[New Threat] Malicious Redirects Detected in Ad Campaigns"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61","name":"Content Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","caption":"Content Team"},"sameAs":["https:\/\/adex.com"]}]}},"_links":{"self":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/comments?post=5168"}],"version-history":[{"count":0,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5168\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media\/5175"}],"wp:attachment":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media?parent=5168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/categories?post=5168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/tags?post=5168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}