Cyber Threat Actor: Rogue Advertiser
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
2 incidents |
|---|
Profile
The threat actor known as Rogue Advertiser operated malvertising campaigns targeting visitors to legitimate media websites in the United States. This actor compromised digital advertising infrastructure to distribute exploits, notably leveraging the Taggify self-serve ad platform in attacks against CBS-affiliated television stations KMOV and WBTV. Their tactics involved hijacking GoDaddy accounts to create malicious subdomains, such as som.barkisdesign.com, which hosted alternating legitimate and malicious content. These subdomains redirected victims to the Angler Exploit Kit, compromising system integrity and confidentiality. The attacks were designed to evade detection by filtering traffic based on user agents and IP addresses, ensuring automated security scanners received clean content while genuine users encountered exploits.
Rogue Advertiser demonstrated a focus on exploiting trusted advertising networks to deliver payloads. Their operations relied on domain hijacking, malicious iframes, and payload distribution through compromised servers. The Angler Exploit Kit served as the primary tool for compromising endpoints, indicating an intent to enable secondary infections. Targeting occurred through high-traffic media sector websites, though no broader sectoral or geographic objectives were explicitly documented beyond the confirmed U.S. incidents. Mitigation required coordinated efforts with advertising platforms and domain registrars to dismantle malicious infrastructure. The actor’s ability to dynamically switch between benign and malicious content exemplified deliberate evasion strategies to prolong attack effectiveness.
