A massive malvertising campaign has been exposed today in a report published by cybersecurity firm Check Point.

Researchers believe the operators of this malvertising campaign have cozied up to an ad network and ad resellers in order to make sure their hijacked traffic reaches preferred bad actors, who then redirect victims to tech support scams or to exploit kits that infect them with ransomware, banking trojans, or other malware.

Check Point named this complex scheme Master134, after the URL of a central and crucial server in the campaign’s entire operational scheme.

Master134 network steals traffic from hacked WordPress sites

According to the Check Point report, it all starts with the Master134 crooks taking over WordPress sites. Researchers say they unearthed over 10,000 WordPress sites compromised by this gang.

Check Point claims all these hacked WordPress sites were running WordPress CMS version 4.7.1, known to be vulnerable to a remote code execution flaw that allows crooks to take over sites.

Attackers inserted code on these sites to inject ads, which later hijacked users and redirected them to the main Master134 “redirection” service.

In addition, researchers say the group also used PUPs (potentially unwanted programs), such as browser homepage hijackers, to redirect users to the Master134 redirection portal.

How traffic flowed through ad networks and resellers

The role of the Master134 service was then to advertise “ad slots” on the AdsTerra advertising network under a “publisher” account, a type of account available to site owners who have ad slots available on their websites.

Check Point says these ad slots were later bought by one of four ad resellers: AdKernel, AdventureFeeds, EvoLeads, and ExoClick.

By an immense “coincidence,” various bad actors would buy all of Master134’s ad slots made available through these four resellers and capture all the hijacked traffic, which they later funneled towards malware.

Check Point says it observed almost all of the major online criminal groups buying traffic from Master134 via the “AdsTerra-reseller” system. The groups included exploit kit operators (RIG, Magnitude, GrandSoft, FakeFlash), traffic distribution systems (Fobos, HookAds, Seamless, BowMan, TorchLie, BlackTDS, Slyip), and many tech support scam operators.

The suspected conspiracy

But Check Point researchers don’t believe that all these bad actors buying hijacked traffic from Master134 is just a coincidence.

“It appears […] that somehow, an extensive collaboration between several malicious parties is successfully maintained via third-party ad networks, the biggest one being AdsTerra,” the security firm says.

“Based on our findings, we speculate that the threat actors pay Master134 directly. Master134 then pays the ad-network companies to re-route and perhaps even disguise the origins of the traffic,” they added.

“In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands.”

Check Point says this malvertising operation is still going on, and that it has seen around 40,000 infection attempts taking place each week against users ensnared by Master134.