Adsterra used to promote malicious content using hacked Facebook pages


The Nation Media Group is the largest independent media house in East and Central Africa with operations in print, broadcast and digital media serving audiences in Kenya, Uganda, Tanzania and Rwanda.

Since mid November 2023, a number of Facebook Reels and Posts associated with media brands owned by Nation Media Group have been used to drive traffic to malicious advertisements. Among the affected brands were 933 KFM (radio station), SQOOP (gossip site), My Wedding (wedding planning) and Dembe FM (radio station).

Nation Media Group reached out to the Meta Pro Team to report that their accounts had been compromised and that malicious content of an erotic nature had been posted on several of their pages. However, their attempts to recover the accounts were unsuccessful.

Since early January 2024, Qurium has been monitoring the activity of the four compromised Facebook Pages, which had been in the hands of the attackers for several weeks, to better understand the attackers' methods and motivation.


The plot – use adult content to attract attention and redirect traffic to malicious sites

The four compromised Facebook Pages were posting Facebook Reels and Posts with adult content to attract attention and lure viewers to one specific link, namely: https://abruptlydummy.com/jecaf9pr5a?key=4b0475f7372629173ea0f37760d1fec2

The domain name abruptlydummy{.}com was registered on 25 November 2023, just around the time the Facebook pages were compromised. The domain is currently hosted on five IP addresses belonging to Servers.com Inc, USA (AS7979) and Advanced Hosters, Netherlands (AS39572).


173.233.137.44 abruptlydummy.com AS7979 Servers.com
173.233.137.52 abruptlydummy.com AS7979 Servers.com
192.243.59.13 abruptlydummy.com AS39572 Advanced Hosters
192.243.59.20 abruptlydummy.com AS39572 Advanced Hosters
192.243.61.227 abruptlydummy.com AS39572 Advanced Hosters

Adult content on MyWedding Facebook page.
Adult content on Dembe FM Facebook page.


The (abruptlydummy) link then forwarded traffic to four intermediate domains that were hosted with the very same hosting providers. The domains used to drive the traffic were served from a load balancer in AS7979 and AS39572.

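
As an added example (not Qurium's code), the following Python walks a redirect chain offline and flags every hop whose host resolves into the five IPs listed above for abruptlydummy{.}com; the hop responses, the passive-DNS table and the hostnames hop1.example and landing.example are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# The five IPs (and ASNs) the report lists for abruptlydummy{.}com.
KNOWN_INFRA = {
    "173.233.137.44": "AS7979 Servers.com",
    "173.233.137.52": "AS7979 Servers.com",
    "192.243.59.13": "AS39572 Advanced Hosters",
    "192.243.59.20": "AS39572 Advanced Hosters",
    "192.243.61.227": "AS39572 Advanced Hosters",
}

# Constructed observations: URL -> (HTTP status, Location header or None).
# hop1.example / landing.example are placeholders, not domains from the report.
RESPONSES = {
    "https://abruptlydummy.com/jecaf9pr5a?key=4b0475f7372629173ea0f37760d1fec2":
        (302, "https://hop1.example/go?x=1"),
    "https://hop1.example/go?x=1": (302, "/final"),          # relative Location
    "https://hop1.example/final": (302, "https://landing.example/offer"),
    "https://landing.example/offer": (200, None),
}
# Constructed passive-DNS snapshot: host -> resolved IPs.
DNS = {
    "abruptlydummy.com": ["173.233.137.44", "192.243.59.13"],
    "hop1.example": ["192.243.59.20"],
    "landing.example": ["203.0.113.9"],   # TEST-NET address, outside the set
}

def walk_chain(start, responses=RESPONSES, dns=DNS, max_hops=20):
    """Follow Location headers from `start`. Each hop records the host, its
    IPs and the ASNs from KNOWN_INFRA those IPs fall into. Stops on a
    non-redirect status, an unknown URL, a loop, or after max_hops."""
    url, hops, seen = start, [], set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        host = urlsplit(url).hostname
        ips = dns.get(host, [])
        asn = sorted({KNOWN_INFRA[ip] for ip in ips if ip in KNOWN_INFRA})
        hops.append({"url": url, "host": host, "ips": ips, "asn": asn})
        status, location = responses.get(url, (None, None))
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # resolves relative redirects
        else:
            url = None
    return hops

def flagged_hosts(start, **kw):
    """Hosts along the chain co-hosted on the IPs the report ties to Adsterra."""
    return [h["host"] for h in walk_chain(start, **kw) if h["asn"]]
```

Swapping the constructed tables for live HTTP responses and a passive-DNS feed turns this into a blocklist check that catches new bouncing domains by their hosting rather than by name.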

Finding the advertisement network: Adsterra

The next step in our investigation was to find the actual advertisement network that was being used. We found several clues in leaked headers and previous forensic reports that pointed us in the direction of Adsterra, an advertisement network with global coverage. All the domains to which “abruptlydummy” initially redirected run in the hosting infrastructure of Adsterra.

Adsterra allows businesses to showcase their products or services through various ad formats, while publishers can monetize their websites and traffic. Like many other advertisement platforms, Adsterra sits between the advertisers and the content producers. But what kind of content is currently promoted via those hacked Facebook Pages?

What content is being promoted?

We decided to follow the advertised links to learn what kind of traffic was advertised via “abruptlydummy”.

After installing a fresh Windows machine and clicking on the links provided by the compromised Facebook Reels, we were redirected to dozens of new domains that ultimately drive traffic to all sorts of interesting websites. For example, the site “exturmeter{.}com” infects victims with “Spam Notifications”: a flood of so-called “scareware”, fake messages warning the user that their machine has been infected by viruses and Trojans, to encourage them to upgrade their defenses. The victim is then redirected to the real Norton or McAfee subscription plans carrying an affiliate identifier from the malicious site. Correct, the attacker profits from any anti-virus subscription driven by the malicious advertisements marketed by clients of Adsterra and distributed via compromised Facebook pages.

To ensure that the victim gets flooded with push notifications, multiple rotating subdomains are used. And when we say many, we mean a lot of them…

Sub-domains are being used to provide push notifications to the victim.
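
An added example, not from the report, of how a defender can spot the rotating-subdomain pattern in resolver logs: the log lines are constructed, exturmeter.com is the domain named above, example.org is a control, and the five-minute window and threshold of five labels are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client, "query", name, record type.
# exturmeter.com is the domain named in the report; example.org is a control.
LOG = """\
2024-01-09T10:00:01 10.0.0.5 query a1b2.exturmeter.com A
2024-01-09T10:00:03 10.0.0.5 query zz91.exturmeter.com A
2024-01-09T10:00:07 10.0.0.5 query q7r8.exturmeter.com A
2024-01-09T10:00:09 10.0.0.5 query k3k3.exturmeter.com A
2024-01-09T10:00:12 10.0.0.5 query m0m0.exturmeter.com A
2024-01-09T10:00:15 10.0.0.5 query www.example.org A
2024-01-09T10:00:20 10.0.0.5 query cdn.example.org A
2024-01-09T10:30:00 10.0.0.7 query p9p9.exturmeter.com A
"""

def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for .com/.org; ccTLD suffixes
    such as .co.uk would need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse(log):
    for line in log.splitlines():
        ts, client, _, qname, _ = line.split()
        yield datetime.fromisoformat(ts), client, qname

def rotating_subdomains(log, window=timedelta(minutes=5), min_unique=5):
    """Per (client, registrable domain), count distinct subdomain labels seen
    within `window` of the first query of that window. Returns the pairs that
    reach `min_unique`, mapped to the number of distinct labels seen."""
    windows = defaultdict(lambda: [None, set()])   # key -> [start, labels]
    hits = {}
    for ts, client, qname in parse(log):
        base = registrable(qname)
        sub = qname[: -len(base) - 1] if qname != base else ""
        key = (client, base)
        start, labels = windows[key]
        if start is None or ts - start > window:    # open a fresh window
            windows[key] = [ts, {sub}]
            continue
        labels.add(sub)
        if len(labels) >= min_unique:
            hits[key] = len(labels)
    return hits
```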

For how long has the malicious domain been in use?

To our surprise, the domain name (abruptlydummy{.}com) has been used inside Facebook Pages to promote malicious advertisements for several weeks, starting immediately after the domain was registered on November 25, 2023.

The presence of Adsterra “direct link earning methods” inside Facebook can easily be traced back to 2021.

Adsterra has already been flagged as a network associated with actors that distribute malware, and their bouncing domains used for similar practices can easily be monitored, as they are served from very specific IP addresses in Servers{.}com and Advanced Hosters. (2)

The domain was already in use to promote malicious advertisements 3 days after it was registered.

Other targets – dozens of hacked Facebook pages

The domain (abruptlydummy{.}com) has not only been used in Facebook pages from Nation Media Group Uganda; we have found it in dozens of other hacked Facebook Pages, including pages from Myanmar, Bangladesh, the Philippines and India. Hence, the attack against Nation Media Group was not targeted.

Using “redirect chains” to reach Adsterra landing domain

To avoid detection and to extend the life span of the domain, the Adsterra domain “abruptlydummy{.}com” is also being used in combination with Anyimage.io’s service. Anyimage is a company associated with Website Group Limited (UK) that provides a means to create free clickable “Social Cards” (clickable images) that redirect the user to another domain.

This creative “trick” can be used to redirect a user from an Anyimage social card to a direct link from Adsterra. We found that building multiple chains of link redirects is a common method to steer clicks towards Adsterra advertisers.

abruptlydummy.clicksocialimage{.}top/aejrspk (Anyimage) -> AbruptlyDummy (Adsterra) -> Malicious Sites
  
abruptlydummy.clicksocialimg{.}top/4opblmx  (Anyimage) -> AbruptlyDummy (Adsterra) -> Malicious Sites

Other domain names used by Anyimage.io include clickable{.}cards, createdacard{.}me, justsharedthis{.}info, sharedacard{.}info and sharedalink{.}me.

Facebook ignores block of malicious domain names

Although the malicious domain name (abruptlydummy.com) had already been flagged as malicious by Microsoft Defender and other domain blacklists, it was a surprise to us to see that the domain remained active inside Facebook.

Abruptlydummy{.}com had been flagged as malicious by Microsoft Defender but remained active inside Facebook.

The location of the attackers

The Facebook Pages that contain the abruptlydummy{.}com domain have been compromised for financial gain. No authentic articles have been posted since the pages were compromised, only nude content linking to malicious sites.

While we cannot confirm the attackers’ location, there are some clues revealing their origin.

The “Page transparency” feature of the compromised Facebook accounts reports administrators based in Pakistan, Bangladesh and India. One can only assume that this is the geolocation of the attackers.

How are the Facebook pages compromised?

The last part of the research was to find out how the pages were compromised, as the victims claim that they never shared passwords with anyone.

– Phishing credentials from victims

During the past weeks Qurium has received other reports of Facebook accounts that have been compromised using the same attack pattern, namely “Direct Links inside Reels leading to Adsterra”.

One plausible attack vector can be summarized as follows:

  1. The attacker creates a Facebook page with a name like: Team Monetization, 24 hours left Blocked your account, See why, or Your page goes against our community standards. Only you can see it. The Page contains a post claiming some copyright infringement on the victim’s website.
  2. The Post is shared with the victim by email, so that an email coming from “Facebook’s infrastructure” arrives at the victim.
  3. The Victim is warned of the possibility of losing the Facebook Page and follows the instructions of the e-mail. The instructions provide a link to a website outside Meta to fix the problem (3a). We have seen the use of helpmeta{.}shop, several subdomains under replit.app, glitch.me etc., and the use of formspree{.}io to receive the data. On the phishing page, a video (3b) shows the victim how to obtain the values of two cookies: c_user and xs.
  4. Once the attacker obtains the cookies, they can gain admin rights to the Facebook Page and post videos linking to Adsterra advertisements.
Step 1: Setting up a Facebook page with copyright infringement claims.
Step 3a: Landing Page outside Facebook requesting Cookie information.
Step 3b: Instructions how to obtain the Cookie information.
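
Added example (not the report's own material): a mail-filter style check for the lure described in steps 1 to 3, flagging a takedown threat whose links lead outside Meta; the allowlist, lure phrases and sample message are constructed, while helpmeta.shop and formspree.io are the hosts named above.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of Meta-owned registrable domains (extend as needed).
META_DOMAINS = {"facebook.com", "fb.com", "meta.com", "instagram.com", "messenger.com"}
# Phrases taken from the lure page names and post described in step 1.
LURE_PHRASES = ("community standards", "copyright infringement", "24 hours", "page will be")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def registrable(host):
    """Crude eTLD+1 (last two labels); fine for the gTLDs used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_meta_host(host):
    return registrable(host) in META_DOMAINS

def looks_like_meta(host):
    """Lookalike: names Meta/Facebook but is not a Meta domain (e.g. helpmeta.shop)."""
    return not is_meta_host(host) and any(w in host.lower() for w in ("meta", "facebook"))

def assess_message(body):
    """Return (verdict, off_meta_links). 'lure' when the text carries a takedown
    threat AND at least one link leaves Meta; 'suspicious' for either alone."""
    text = body.lower()
    threat = any(p in text for p in LURE_PHRASES)
    off_meta = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if not is_meta_host(host):
            off_meta.append((url, "lookalike" if looks_like_meta(host) else "external"))
    if threat and off_meta:
        return "lure", off_meta
    if threat or off_meta:
        return "suspicious", off_meta
    return "clean", off_meta

# Constructed sample message modelled on the lure text quoted in step 1.
SAMPLE = """Your page goes against our community standards. Only you can see it.
You have 24 hours left before your page will be permanently disabled.
Appeal here: https://helpmeta.shop/appeal?case=1 or https://www.facebook.com/help"""
```

The same check applies to links inside a Facebook post or DM, since step 2 delivers the lure through Facebook's own notification email.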

Reaching out

META – Facebook: In late December 2023, Ugandan Nation Media Group reached out to Facebook to recover their compromised pages. It took several weeks to retake control of the pages. Meanwhile the attackers kept posting Reels with direct links from Adsterra.

Qurium contacted Meta on 8 January 2024 to follow up on the two open cases (#900740061457962 and #1511111169734673) that the victim had opened with Meta without receiving any response.

Anyimage.io: Qurium has reached out to Website Group Limited that runs Anyimage.io to explain that their service is used to drive traffic to malicious websites. At the time of writing no response has been received.

Adsterra: Qurium has reached out to Adsterra to discuss the case. At the time of writing no response has been received.

Conclusions

Our investigation shows how compromised Facebook Pages have been used to drive traffic to the Adsterra advertisement network and its clients.

Attackers compromise the Pages by means of phishing attacks to obtain revenue from Adsterra. Readers of the compromised Pages are exposed to several malicious advertisements including those that are designed to obtain commissions from antivirus or VPN companies.

Most importantly, we discovered that this phenomenon is not new inside Meta, where dozens of groups are dedicated to explaining how to use the Adsterra network to drive traffic.

While both Facebook and Adsterra have a common policy that considers promoting deceptive content a violation, we found no tangible signs that there is a real effort to stop this activity.

By building a network of resellers and affiliates, companies like Adsterra remain unaccountable while they profit from hacking groups driving traffic to their advertisers, or from VPN and anti-virus advertisers. Meanwhile, Facebook does what it does best: nothing.

How to earn money with Adsterra – tips and tricks – delivered by Meta.