Malvertisers hacked 120 ad servers to load malicious ads

A malvertising operation known under the codename of Tag Barnakle has breached more than 120 ad servers over the past year and inserted malicious code into legitimate ads that redirected website visitors to sites promoting scams and malware.

Security firm Confiant first reported on this campaign last year, in April 2020, when it said it found 60 ad servers that were left unpatched and compromised by the Tag Barnakle gang.

One year later, Confiant said that despite exposing the group's tactics and raising an alarm in the online advertising industry, the Tag Barnakle group has continued to operate unchecked and has doubled the number of servers it breached.

Tag Barnakle targets unpatched Revive servers

In a report today, Eliya Stein, a Senior Security Engineer at Confiant, said the group did not change anything in its modus operandi and is still targeting advertising companies that have left Revive ad servers unpatched and vulnerable to attacks.

Stein says Tag Barnakle uses known exploits for vulnerabilities in the Revive software to breach servers and then tamper with legitimate ads managed by a particular victim ad company.

The group's malicious code mostly consists of browser fingerprinting code that activates a redirect to a predetermined website whenever certain user parameters are met—such as users using a specific device or browser.


Stein says that while last year Tag Barnakle had targeted users of desktop browsers with redirects to malware download sites, over the past year, the gang has switched to going after mobile users and redirecting them to online scams peddling various scammy products.

"Most of these campaigns are going to lure the victim to the app store listing for obscure Security / Safety / VPN apps that are loaded with hidden subscription costs or siphon off traffic for nefarious ends," Stein explained in a report shared with The Record today.

Image: Confiant

Hundreds of millions of users possibly impacted

But while security experts will downplay the fact that 120 hacked ad servers might be a low number, Stein says the owners of these compromised ad inventories are also using real-time bidding (RTB) systems to broadcast their ads to other ad companies, which has broadened Tag Barnakle's reach way beyond the initial hacked servers.

The Confiant security expert says that while it would be almost impossible to accurately quantify the number of users who've seen Tag Barnakle's malicious ads, "tens or hundreds of millions" would still be a conservative estimate.

In an interview with this reporter last year, Stein also said that Confiant had notified the owners of the 60 Revive servers they initially found to have been hacked but did not receive a response from any of the companies.

With the number of hacked servers having doubled within a year, it is clear that ad companies are not taking the security of their ad inventory seriously enough, putting their customers (website owners) and their userbases at huge risks.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.