The Tag Barnakle campaign bypasses the initial scrutiny by going straight for the jugular: mass compromise of ad-serving infrastructure, injecting code that serves malicious advertisements which redirect users to rogue websites and expose them to malware.
According to security researchers at Confiant, Tag Barnakle is now able to push mobile targeted campaigns, whereas they were happy to take only desktop traffic last year.
How Were 120 Ad Servers Compromised to Target Millions of Internet Users?
The threat actors behind Tag Barnakle were able to compromise nearly 60 ad servers in April 2020, primarily targeting an open-source ad server called Revive.
Now, the latest attacks aren't any different, although the actors seem to have upgraded their tooling to target an even wider ecosystem, including mobile devices. Since the campaign now pushes mobile-targeted campaigns, and given that Revive is used by a sizable number of ad companies, Confiant believes the reach of Tag Barnakle is in the range of "tens if not hundreds of millions" of devices.
Over the last 12 months, Confiant has identified over 120 Revive instances bearing attribution markers of a Tag Barnakle-related compromise, several of which are still impacted today.
Tag Barnakle's Interesting Pivot Towards Mobile
Tag Barnakle's targeting criteria now include WebGL debug parameters consistent with mobile devices, and many of these campaigns are meant to lure the victim to the app store listing for obscure security, safety or VPN apps with hidden subscription costs, or simply to siphon off traffic for nefarious ends.
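The two traits described above, a WebGL debug-renderer lookup used to single out mobile devices and a forced redirect of the top-level page, are exactly what a defender auditing creatives served by a Revive instance would want to triage for. The following is an added example of such a static check, not code from the article, from Confiant or from the Revive project. The WebGL identifiers (`WEBGL_debug_renderer_info`, `UNMASKED_RENDERER_WEBGL`, `UNMASKED_VENDOR_WEBGL`) are real browser API names; the mobile GPU family names used as the "consistent with mobile devices" heuristic, the risk scoring, and both sample creatives are assumptions constructed for the example.

```javascript
// Added example: static triage of ad-creative JavaScript for the traits the
// article attributes to Tag Barnakle tags (WebGL debug-renderer fingerprinting
// plus a forced redirect). Hypothetical defender tooling, not Confiant's or
// Revive's code; runs offline over creative sources pulled from an ad server.

// Real WebGL identifiers: the WEBGL_debug_renderer_info extension exposes
// UNMASKED_VENDOR_WEBGL / UNMASKED_RENDERER_WEBGL, which reveal the GPU and
// therefore the device class.
const WEBGL_DEBUG = /WEBGL_debug_renderer_info|UNMASKED_(?:RENDERER|VENDOR)_WEBGL/;

// Assumption: "consistent with mobile devices" is approximated here by a test
// against mobile GPU families (Adreno, Mali, PowerVR, Apple GPU).
const MOBILE_GPU = /\b(?:Adreno|Mali|PowerVR|Apple GPU)\b/;

// Navigation primitives that move the page (or the top frame), not the ad slot.
// "=(?!=)" excludes comparisons such as "location.href == x".
const REDIRECT = /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:replace|assign)\s*\(/;

// Scan one creative's JavaScript and return its findings plus a risk rating.
function scanCreative(source) {
  const findings = {
    webglFingerprint: WEBGL_DEBUG.test(source),
    mobileGpuCheck: MOBILE_GPU.test(source),
    forcedRedirect: REDIRECT.test(source),
  };
  let risk = 'low';
  if (findings.webglFingerprint && findings.forcedRedirect) {
    risk = 'high';   // fingerprint + redirect is the Tag Barnakle shape
  } else if (findings.webglFingerprint || findings.forcedRedirect) {
    risk = 'medium'; // one trait alone warrants a manual look
  }
  return { ...findings, risk };
}

// Triage a batch of {id, source} creatives, highest risk first.
function triageCreatives(creatives) {
  const order = { high: 0, medium: 1, low: 2 };
  return creatives
    .map((c) => ({ id: c.id, ...scanCreative(c.source) }))
    .sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed sample: an ordinary image creative with a click-through.
const BENIGN_CREATIVE = `
  var img = document.createElement('img');
  img.src = 'https://cdn.example.invalid/banner.png';
  img.onclick = function () { window.open('https://example.invalid/landing'); };
  document.body.appendChild(img);
`;

// Constructed sample: reads the unmasked renderer, then forces the top frame
// to a placeholder URL only when the GPU string looks like a mobile device.
const SUSPECT_CREATIVE = `
  var gl = document.createElement('canvas').getContext('webgl');
  var dbg = gl.getExtension('WEBGL_debug_renderer_info');
  var renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
  if (/Adreno|Mali/.test(renderer)) { top.location.href = 'https://example.invalid/offer'; }
`;

// Stand-alone run: prints the ranked triage list.
const report = triageCreatives([
  { id: 'creative-benign', source: BENIGN_CREATIVE },
  { id: 'creative-suspect', source: SUSPECT_CREATIVE },
]);
for (const r of report) {
  console.log(`${r.id}: risk=${r.risk} webgl=${r.webglFingerprint} mobileGpu=${r.mobileGpuCheck} redirect=${r.forcedRedirect}`);
}
```

The scoring deliberately treats a WebGL debug lookup on its own as only "medium": legitimate creatives occasionally query the renderer for rendering decisions, so the combination with a top-frame redirect is the signal worth paging on. In practice the sources would come from the ad server's stored creatives or from a crawl of the tags it serves, and the regexes are a first filter before a human or a sandbox looks at the flagged code.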
However, it is incredibly difficult to calculate the full reach of Tag Barnakle's malvertisements, even though the compromise appears to affect several long-tail websites, a list that includes a sizable number of ad companies that have built their technical stack on Revive.