Menu
Malvertising campaigns are becoming harder to detect

Malvertising campaigns are becoming harder to detect

The techniques used by attackers are difficult even for security researchers to study

Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyberattack he was studying. It seemed to keep vanishing.

Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer.

It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. 

"We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday.

The problem was they couldn't replicate the attack by viewing the malicious ad. It's almost as if the attackers knew they were being watched.

Cyberattackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked.

Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab.

The suspicious advertisement contained a one-by-one pixel GIF image. That's not usual, as pixels are used for tracking purposes, but this one actually contained JavaScript.

The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said. The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs.

If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said.

It is not unusual for cyberattackers to do some quick reconnaissance on potential victims. But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior.

The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said.

The malicious ad was carried by Google's DoubleClick and dozens of other ad networks. It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies.

"It shows you how deceptive they can be and how many fake advertisers are out there," he said.

Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places.

The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said.

"What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said.

Malwarebytes posted a writeup of its research on its blog.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments