Hacking group targets companies using Revive ad serving platform
A hacking group is targeting companies using the self-hosted ad serving platform Revive to inject and deliver malicious advertising to website visitors.
In an attack detailed today by security researcher Eliya Stein from Confiant Inc., the ad servers are being targeted by a group dubbed Tag Barnacle. Revive Adserver is a popular open-source ad serving platform for those who don’t wish to use hosted services from the likes of Google LLC.
Tag Barnacle is attacking Revive installations by injecting an obfuscated JavaScript payload that gives it the ability to hijack and display its own ads. Those ads are typically for sites offering malware such as fraudulent Adobe Flash updates.
Stein discovered 60 compromised Revive ad servers serving about 360 websites. That’s not a particularly large number, but one of the compromised ad servers was found to have served 1.25 million malicious ad impressions in a single day. Those using Revive are often small online advertising companies that may not be aware they have been breached.
Compromising ad servers isn’t a new activity, but the Tag Barnacle campaign is somewhat unusual in that the methodology used hasn’t been seen at scale since about 2016, according to Stein. Most groups seeking to serve malicious ads since that time have tended to buy ads on major advertising networks using fake companies.
“Digital and e-commerce sites are now unknowingly hosting these ads from bad actors, holding malicious code,” Reesha Dedhia, security evangelist at application protection firm PerimeterX Inc., told SiliconANGLE. “When visiting a site, a user expects a smooth and trusted experience. Coming to a site and experiencing redirects and malware gives the user a negative impression and tarnishes the site’s brand and reputation.”
Dedhia explained that when users visit a website, malicious code redirects them to sites where their browsers and servers start to download malware. “Browsers are like the new supercookie, with users often downloading extensions and malware like this unknowingly,” she said.
As a result, the user’s privacy, data and experience, as well as the site owner’s reputation and revenues, are at risk. “Users should keep their browsers updated and use antivirus solutions, while digital site owners should look for browser-malware protection solutions that can give them visibility into client-side malware on their site,” she advised.