Tag Barnakle Malvertising Group Targets Millions of Internet Users

Internet security researchers and news outlets are sounding the alarm this week, noting that a far-reaching malvertising campaign, known as “Tag Barnakle”, has compromised more than 120 ad-servers in the past year. The breach, first discovered and reported in April of 2020, allows the hacker group to insert malicious code into desktop and mobile advertisements that redirect unsuspecting users to sites that promote scams and malware -- typically fake security, anti-virus, or VPN applications.

This technique bypasses the traditional approach of posing as a legitimate ad buyer and purchasing ad space on legitimate websites to run the malicious ads. Instead, the hacker group has been observed going directly after the ad server infrastructure, which saves it countless hours and huge sums of money in reaching users' web devices.

Per Ars Technica, “Once it has compromised an ad server, Tag Barnakle loads a malicious payload on it. To evade detection, the group uses client-side fingerprinting to ensure only a small number of the most attractive targets receive the malicious ads. The servers that deliver a secondary payload to those targets also use cloaking techniques to ensure that they also fly under the radar.”

Both Revive and Propeller Ads have been linked to the malvertising campaign, according to anti-malware software provider Confiant. It is estimated that the malicious ads have been distributed on more than 360 web properties, with exposure to tens, if not hundreds, of millions of devices.

With a global database of over 36 billion categorized URLs, real-user telemetry from more than 1.3 billion endpoints, and real-time comprehensive content analysis, entity recognition and topic modeling for new or changing websites, NetSTAR’s inCompass technology provides OEMs with a constant state of threat awareness.

inCompass employs a comprehensive scoring system and reduces the risk of exposure to inappropriate and/or dangerous internet content. Each site is assigned a reputation and risk score. Additionally, inCompass is powered by more than 80 malware scan engines from both NetSTAR and our security partners. As inCompass identifies sites that are malicious in nature or that have become infected, a security category is assigned to the site, enabling web security partners and ad tech companies to quickly identify and block traffic to these destinations.

If you are in need of a comprehensive URL or IP categorization solution, whether adding new functionality to your solution, replacing a legacy solution, or enhancing coverage to your existing solutions, contact us for a free consultation.


About Us

NetSTAR has become a global leader in providing high-quality OEM web categorization solutions to technology and telco partners. We deliver advanced categorization and filtering technology for URLs, IPs, web/SaaS apps, and mobile apps. Our categorization solutions and associated threat intelligence are used by hundreds of OEM partners around the globe, supporting over 1.3 billion endpoints.

NetSTAR has offices in Silicon Valley, London, and Tokyo, and is a wholly-owned subsidiary of Alps System Integration Co., Ltd. ALSI: Alps Electric Group.