Cyber security firm Confiant has discovered a huge malvertising operation that ran through 2017, involving multiple fake advertising agencies, which built relationships with 16 different ad platforms and bought as many as 1 billion ad views last year - reaching more than 60 per cent of ad-monetised websites every week.

A group that Confiant calls Zirconium has allegedly been running the operation. Confiant released its technical analysis of the group's work today, the same day Google released a new version of its Chrome browser that blocks the forced-redirect techniques the group abused.

Forced redirects send a website visitor to a different site - normally a malicious one hosting affiliate fraud or malware - without any click or other action on the visitor's part. With improving browser security reducing the effectiveness of exploit kits, these redirects have become the favoured attack vector of malvertising operations.

The redirection chain

Zirconium operates by placing an advert, bought through one of its fake agencies, on a legitimate website. The visitor is redirected through a central gateway called Beginads to an 'affiliate marketing' business, also owned by Zirconium. From there the victim is shown various payloads, such as fake tech-support scams and fake Flash updates. Zirconium makes money by selling the traffic it captures and redirects to affiliates like Voluum and AdSupply.
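To make the mechanism behind the chain above concrete, here is an added illustration (not Zirconium's code and not from Confiant's report) of what a forced redirect looks like from the publisher's side, and of the sandbox attribute a publisher can put on an ad slot to refuse it. The creative is inlined with srcdoc so the page is self-contained; real creatives are served cross-origin. All hostnames (gateway.example) are placeholders.

```html
<!DOCTYPE html>
<!-- Added illustration of a forced redirect and the publisher-side sandbox
     mitigation. Not Zirconium's code; all hostnames are placeholders. -->
<html>
<head>
  <meta charset="utf-8">
  <title>Forced-redirect demo</title>
</head>
<body>
  <h1>Legitimate publisher content</h1>

  <!-- Weak slot. A creative served here can assign top.location with no click
       from the visitor, which is exactly the forced redirect. It is commented
       out so this demo page does not navigate away as soon as it opens:

       <iframe width="300" height="250"
               srcdoc="<script>top.location.href = 'https://gateway.example/?to=affiliate';</script>">
       </iframe>
  -->

  <!-- Hardened slot. The sandbox attribute lists what the creative may do;
       because allow-top-navigation is absent, the same assignment to
       top.location is refused with a SecurityError and the visitor stays
       on this page. -->
  <iframe width="300" height="250"
          sandbox="allow-scripts"
          srcdoc="<script>
            try {
              top.location.href = 'https://gateway.example/?to=affiliate';
            } catch (e) {
              document.body.textContent = 'Redirect blocked: ' + e.name;
            }
          </script>">
  </iframe>
</body>
</html>
```

Open the file in a browser and the hardened slot renders "Redirect blocked: SecurityError" while the page itself stays put. If a slot genuinely needs click-through navigation, the sandbox token allow-top-navigation-by-user-activation permits top-frame navigation only after a user gesture, which is the same policy Chrome now applies by default to cross-origin ad iframes.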

Confiant has also found evidence of a so-called 'black hat affiliate network' built on a real ad network created by Zirconium called MyAdsBro. The group runs its own campaigns through MyAdsBro, but anyone else can also push traffic to it and take a commission on the revenue.

A wide-ranging network

Zirconium operates almost 30 fake advertising agencies, most of which were created in February last year. Currently eight remain unused, ready to replace any that are caught and blacklisted. These 'dormant' agencies have been building a reputation, mostly through a bot-operated social media following, to strengthen their appearance as legitimate companies.

Each agency is of the so-called 'long tail' type, buying a large amount of media at once and then releasing it slowly over the course of several months. This is a common strategy among smaller agencies, and it has allowed Zirconium to build relationships with as many as 16 ad platforms.

The front man

According to Confiant, the legal entity fronting Zirconium is Cape Diamond LP: a shell company incorporated in Scotland, with partners (Damitra Group Ltd and Lamen Business Ltd) in the Seychelles. Both partners have allegedly been 'extensively involved' in online fraud, including the btc-e.com cryptocurrency exchange, which was closed down by the US government in June.

The Zirconium group focuses its efforts on the USA, with 95 per cent of Confiant's telemetry pointing to that region, followed by France, Great Britain and Canada. It is unclear how many payloads were actually triggered last year, although the firm estimates five per cent of redirected visitors (around 2.5 million victims).

Because Zirconium is a large and established criminal operation, it is likely to pivot to some other technique now that Chrome blocks the forced redirects its operation depends on.