Update (11/9/2105): This campaign is still active and we catch up with it again:
berlin-auto.space/deliver2/deliver2?kampagnen=29&ads=2&adl=VviuKIfBb8b9stgEwY6o5QcAAAAQASCBssUgOABYmYK5u3JglYKAgLAHsgELd3d3Lm5ld3MuZGW6AQlnZn&r_id=0.0472178136001Interesting to note that the registrant info changed:
- Domain name: berlin-auto.space
- Registrant email: alex@webaoox.us
- Creation Date: 2015-11-05T18:24:01.0Z
A large malvertising campaign is currently targeting German users on some popular web sites such as eBay.de or T-Online.de, the latter being a top ISP.
A rogue actor has been successful in gaining the trust from reputable ad networks including German ad-serving technology platform MP New Media, and by extension affecting top publishers and ad networks.
We spotted two bogus ad servers which bear the same structure that was inspired by the legitimate German platform they were abusing: www1.mpnrs.com/deliver2/deliver2?
- deutschlandauto.xyz/deliver2/deliver2?kampagnen=30
- deutschewelle.pw/deliver2/deliver2?kampagnen=30
- [New domain on 10/24/2015]: de-auto.pw/deliver2/deliver2?kampagnen=30
- [New domain on 10/25/2015]: altreich.pw/deliver2/deliver2?kampagnen=30

We decided to nickname this campaign 'kampagnen' which is German for 'campaigns' based on a unique identifier we saw being used in each attack: kampagnen=30
A quick lookup on these domain names easily reveals that they are completely bogus. The domains were registered the day before the malvertising campaign started, and the admin's email address is, well, pretty obviously untrustworthy.
- Creation Date: 2015-10-17T07:30
- Admin Email: ipsec@ihateclowns.com
Publishers:
- ebay.de 131.5M
- t-online.de 79M
- arcor.de 7.6M
- swp.de 790K
- fischkopf.de 300K
- donaukurier.de 240K
As mentioned, eBay Germany was victim of this campaign. Here is the infection flow leading to the Angler Exploit Kit.
Infection flow:
- Publisher: ebay.de
- Ad call: ad-emea.doubleclick.net/N3837/adi/ebay.de.myebay/{redacted}
- Ad network: www1.mpnrs.com/deliver2/deliver2?adl=10671&ads=1043&nojs=true&clk=https://adclick.g.doubleclick.net/aclk?sa={redacted}
- Ad network: www3.mpnrs.com/maxx/22685/22685_array.php?redacted}
- Fake advertiser: deutschlandauto.xyz/deliver2/deliver2?kampagnen=30&ads={redacted}
- Angler Exploit Kit: card.shannonsebastiancreations.com/civis/viewtopic.php?t=05u&f={redacted}
lrhgj.sdwikqutcvbyagelael.ml/1996/05/30/tense/young/mistaken/worm-temper-explode-entire-everywhere-gallop-beach-observe-wooden-forty.html -> Referer: www3.mpnrs.com/maxx/25185/index.php?{redacted}We have alerted the publishers and ad networks mentioned in this blog about this attack and were told by MP NewMedia that they identified the issue and took care of it.
However, we think this campaign may still be going on via other ad networks. We advise caution and as usual the recommendation of keeping your systems up to date with multiple layers of defense is the best way to fight malvertising and drive-by download attacks.
Malwarebytes Anti-Exploit users were already protected against this latest malvertising campaign.
COMMENTS