Malvertising campaigns are becoming harder to detect

Malvertising campaigns are becoming harder to detect
Credit: IDGNS

The techniques used by attackers are difficult even for security experts to study, according to Malwarebytes researcher

RELATED TOPICS

Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyber attack he was studying. It seemed to keep vanishing.

Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer.

It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. 

"We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday.

The problem was they couldn't replicate the attack by viewing the malicious ad. It's almost as if the attackers knew they were being watched.

Cyber attackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked.

Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab.

The suspicious advertisement contained a one-by-one pixel GIF image. That's not usual, as pixels are used for tracking purposes, but this one actually contained JavaScript.

The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said. The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs.

If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said.

It is not unusual for cyber attackers to do some quick reconnaissance on potential victims. But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior.

The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said.

The malicious ad was carried by Google's DoubleClick and dozens of other ad networks. It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies.

"It shows you how deceptive they can be and how many fake advertisers are out there," he said.

Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places.

The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said.

"What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said.

Malwarebytes posted a writeup of its research on its blog.

RELATED TOPICS
From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies