Menu
Malvertising campaigns are becoming harder to detect

Malvertising campaigns are becoming harder to detect

The techniques used by attackers are difficult even for security researchers to study

Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyberattack he was studying. It seemed to keep vanishing.

Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer.

It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. 

"We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday.

The problem was they couldn't replicate the attack by viewing the malicious ad. It's almost as if the attackers knew they were being watched.

Cyberattackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked.

Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab.

The suspicious advertisement contained a one-by-one pixel GIF image. That's not usual, as pixels are used for tracking purposes, but this one actually contained JavaScript.

The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said. The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs.

If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said.

It is not unusual for cyberattackers to do some quick reconnaissance on potential victims. But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior.

The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said.

The malicious ad was carried by Google's DoubleClick and dozens of other ad networks. It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies.

"It shows you how deceptive they can be and how many fake advertisers are out there," he said.

Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places.

The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said.

"What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said.

Malwarebytes posted a writeup of its research on its blog.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments