A Weekend of Stars and Stripes - and Lucky Star Exploits

An explosion of forced redirect attacks hit browsers over the US holiday weekend.

Starting on Tuesday, July 2nd and continuing through Sunday, July 6th, DEVCON researchers observed a spike in malvertising across our platform. In our sample of analyzed impressions, exploit attempts doubled - even while overall ad impressions decreased.

The attack began earlier than the holiday itself, ramping up early in the week and peaking on Wednesday, July 3rd. This mirrors a trend from Memorial Day weekend - and could indicate that malvertisers are adjusting strategies to account for holiday plans among networks and publishers. But it’s more likely that this early activity is a symptom of “flash fire” attacks - when ad hackers flood networks and marketplaces with a ton of bad ads. They know they’re more likely to get caught this way, but they’re banking on getting to a bunch of people before the watchdogs sniff them out. You can read more about the tactics malvertisers deploy around holidays in our holiday exploit preview.


It’s easy to think that attack volume is up because browsing activity is up - people off work and with some leisure time to kill might be more likely to be online. But Independence Day weekend brought with it a 140% increase in the share of attacks per impression. This means that users were well over twice as likely to encounter a bad ad while browsing over the holiday than the week before.

If you did encounter a bad ad over the weekend, it’s a good bet that we know what kind. Over 96% of the attacks we observed in our sample were a variety of the exploit our researchers call “Lucky Star.”


Lucky Star disguises itself as a legit offer for a gift card - and then starts a user down a long string of clicks, form fill outs, and other redirects. These kinds of attacks forcibly redirect the browser from the original site as soon as they execute - so not only does the user enter into this scammy environment, the publisher also loses the user session.

 
 

Over the weekend, DEVCON analysts saw Lucky Star morphing into new forms multiple times per day, trying to avoid detection and sneak through the ad pipes right into the browsers of people enjoying their holiday.

And there’s a lesson in that. If you’re browsing around during holiday revelry, don’t let the fun you’re having distract you from normal, healthy online skepticism.

If you’re running a website, short-staffed holidays can be your most vulnerable time. There’s no better reason to get real-time ad tech security than to save your day off! Contact us today to try DEVCON’s site protection free of charge and keep your holidays free of headaches.

Andy Kahl