Malvertising is method that involves injecting malicious, or malware-laden advertisements into legitimate online advertising networks and webpages.
At this time, malvertising is a relatively new cyberattack technique, and that it's also difficult to detect by both internet users and publishers, simply because most of the infected ads are usually served to consumers through legitimate advertising networks.
With malvertising on the rise, it's found that threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners.
They do this to serve malicious code on nearly 15,000 websites, 2,500 of which were infected during September and October alone.

"The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," said Sucuri researcher Ben Martin said in a blog post.
Details of this campaign were first exposed back in November 2022.
The campaign, which is said to have been active since September 2022, is meant to redirect visitors from the compromised WordPress sites to fake Q&A portals.
The primary goal is to increase the authority of the spammy sites in search engine results.
"It's possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results," Sucuri noted at the time.

"This technique artificially sends Google signals that those pages are performing well in search."
While malvertising of this kind isn't exactly new, this campaign is unique because it uses Bing search result links and Twitter's link shortener service, along with Google, in their redirects, said Sucuri in another blog post.
Besides that, it also uses other popular URL shortening services, which include Bitly, Cuttly, and ShortURL, indicating an expansion of the threat actor's footprint.
" [...] it’s a pretty clever black hat SEO trick that we’ve rarely seen used in massive hack campaigns. However, its effect is questionable given that Google will be getting lots of 'clicks' on search results without any actual searches being performed."
The second plan, is to earn money from the campaign.
"More profits from Google AdSense was most likely the original plan for those Q&A sites — but it turned out that creating sites populated with scraped content from other sites didn’t generate enough traffic," Martin said. "It appears that the site operators eventually resorted to this malware campaign to try and address their main problems."

The unwanted redirects via fake short URL to fake Q&A sites are able to inflate ad views/clicks, and therefore inflate the revenue for whomever is behind this campaign.
The fake Q&A portals the malicious actors control, discuss topics like blockchain and cryptocurrency.
To make this campaign happen, the malicious actors also breached the WordPress websites to inject their backdoor code, in order to maintain persistent remote access, as well as the ability to continuously redirect visitors.
"Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website," Martin said.
"This ensures that the environment remains infected until all traces of the malware are dealt with."














































































































































































































































































































































































