Uncovering the Secrets of Malvertising

Post on 20-Sep-2020


TRANSCRIPT

Uncovering The Secrets of Malvertising
Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst

Chris Boyd, @paperghost, Lead Malware Intelligence Analyst

Agenda

• Legacy and reality behind advertising

• Malvertising 101 and social engineering

• Evasion techniques that keep researchers at bay

• Malvertising beyond malware (scams, fraud)

10 years ago...

Early days of ad blocking

• Ad overlays anger porn webmasters

• They'd rather sacrifice traffic alongside the sales lost from pop-over redirects

Online ads in 2016: One website, mixed messages

Malvertising (n): Malicious advertising is the use of online advertising to distribute malware or scams with little or no user interaction required.

Malvertising in the news…

The impact

• Millions of users exposed

• Payloads range from ransomware to banking Trojans

Malvertising 101

Malvertising and Exploit Kits

Malicious ad → Redir./Gate → Exploit Kit → Malware

https://blog.malwarebytes.com/threat-analysis/2016/01/msn-home-page-drops-more-malware-via-malvertising/
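The four-stage chain on this slide is what an analyst has to rebuild from a proxy capture after the fact. The following is an added example, not code from the talk or from Malwarebytes: it takes proxy-style log entries and walks them backwards from the downloaded payload to the publisher page. The log format, the host names and the log lines themselves are constructed for this example. One practitioner detail it handles: a browser keeps the original Referer when it follows a 302, so the gate/redirector hop only shows up if you also match Location headers.

```javascript
// Added example, not from the talk: rebuild a malvertising redirection chain
// (publisher page -> ad call -> creative -> gate -> exploit kit -> payload)
// from proxy-style log entries. Log lines and host names are constructed.
//
// Field layout (constructed for this example):
//   <timestamp> <method> <url> <status> <content-type> <referer|-> <location|->
const SAMPLE_LOG = [
  "2016-01-05T10:00:01Z GET http://news-publisher.example/home 200 text/html - -",
  "2016-01-05T10:00:02Z GET http://ads.adnetwork.example/serve?pub=1234&cr=5678 200 text/javascript http://news-publisher.example/home -",
  "2016-01-05T10:00:02Z GET http://cdn.creative-host.example/banner.js 200 text/javascript http://ads.adnetwork.example/serve?pub=1234&cr=5678 -",
  "2016-01-05T10:00:03Z GET http://gate.redirector.example/go.php?id=9 302 text/html http://cdn.creative-host.example/banner.js http://shadowed.legit-domain.example/landing/index.php",
  "2016-01-05T10:00:03Z GET http://shadowed.legit-domain.example/landing/index.php 200 text/html http://cdn.creative-host.example/banner.js -",
  "2016-01-05T10:00:04Z GET http://shadowed.legit-domain.example/landing/flash.swf 200 application/x-shockwave-flash http://shadowed.legit-domain.example/landing/index.php -",
  "2016-01-05T10:00:05Z GET http://shadowed.legit-domain.example/landing/payload.exe 200 application/octet-stream http://shadowed.legit-domain.example/landing/index.php -",
  "2016-01-05T10:00:06Z GET http://analytics.example/pixel.gif 200 image/gif http://news-publisher.example/home -",
];

function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length !== 7) throw new Error("malformed log line: " + line);
  const [ts, method, url, status, ctype, referer, location] = f;
  return {
    ts, method, url, ctype,
    status: Number(status),
    referer: referer === "-" ? null : referer,
    location: location === "-" ? null : location,
  };
}

// Which earlier request caused this one? A 3xx response whose Location is this
// URL wins over the Referer header: browsers keep the original Referer when they
// follow a redirect, so Referer alone would hide the gate/redirector hop.
function parentOf(entry, entries) {
  const redirector = entries.find(
    (e) => e.status >= 300 && e.status < 400 && e.location === entry.url
  );
  if (redirector) return redirector;
  if (entry.referer) return entries.find((e) => e.url === entry.referer) || null;
  return null;
}

// Walk parents back to the publisher page. The seen-set guards against
// referer loops (common with framed ad slots).
function buildChain(entries, targetUrl) {
  const chain = [];
  const seen = new Set();
  let cur = entries.find((e) => e.url === targetUrl) || null;
  while (cur && !seen.has(cur.url)) {
    seen.add(cur.url);
    chain.unshift(cur.url);
    cur = parentOf(cur, entries);
  }
  return chain;
}

// Content types that usually mean "the exploit kit delivered its payload".
const PAYLOAD_TYPES = new Set([
  "application/octet-stream",
  "application/x-msdownload",
  "application/x-dosexec",
]);

// Returns one {payload, chain} record per payload download found in the log.
function traceMalvertising(lines) {
  const entries = lines.map(parseLine);
  return entries
    .filter((e) => PAYLOAD_TYPES.has(e.ctype))
    .map((e) => ({ payload: e.url, chain: buildChain(entries, e.url) }));
}

for (const hit of traceMalvertising(SAMPLE_LOG)) {
  console.log("payload:", hit.payload);
  hit.chain.forEach((u, i) => console.log(`  ${i + 1}. ${u}`));
}
```

On the constructed log this yields a six-hop chain: publisher page, ad call, creative script, gate (recovered through its Location header), exploit kit landing page, payload. On a real capture the same walk is what lets you tell the ad network which creative and which publisher slot carried the redirect.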

Ad Tech basics

• Publisher: Website that displays ads

• Creative: Short for 'ad creative', meaning an advert

• Impression: Refers to an ad being viewed once by a visitor

• Ad call: The browser request that triggers an impression

• RTB: A Real Time Bidding auction for each impression

• CPM: Cost per 1K impressions

Why threat actors get onto popular websites

In one particular campaign, with just $5, threat actors were able to expose over six thousand people to malware!

https://blog.malwarebytes.com/threat-analysis/2015/02/hanjuan-ek-fires-third-flash-player-0day/

• Huge traffic volumes

• Pay Per Impression becomes 'Pay Per Infection'

How threat actors get onto popular websites

• Inconsistent guidelines weaken the ad industry

• Profit vs security (i.e. 'arbitrage')

• 3rd party tags can be hijacked on the fly

• Newer ad formats (video ads)

• Exploiting 'Trusted partners'

• Social engineering to bypass ad scanners

Fake advertisers

• Threat actors create fake profiles

• Social engineering is used to dupe ad agencies/networks

• It's a long term game

Domain shadowing: Stolen identities

• Abuses legitimate businesses

• Ad banners are created and hosted 'silently'

• Difficult to find the 'smoking gun'

Domain shadowing: Fun with Photoshop

Evasion techniques

Ads moving to HTTPS

• The 'ad call' URL in plain HTTP versus HTTPS

Useful metadata

Nothing to see, much to hide

Anti-researchers, honeypots (fingerprinting)

• Identify non-genuine targets via information disclosure bugs

• Read local file names via the browser (XMLDOM)

• Check for MIME type (.pcap, .saz)

• If vmware, virtualbox, wireshark, etc. are found, show the 'clean ad'

Fingerprinting: XMLDOM vuln.

Fingerprinting: XMLDOM and MimeType in a GIF

Malvertising beyond malware

Hiding blockers from... blocker blockers?

“Please disable your ad blocker!” “Yes, but…”

Malvertising & scams: With a VPN / Without a VPN

Direct to bill payments done right

• Direct to bill payments: pay for services with no credit card

• Merchants (webmasters) can subvert the payment process

SMS: Click link to confirm acceptance of billing for product

www.exampleurl.com

555-555-5555

Direct to bill payments done wrong

• Advert on forum auto-redirects to instant payment

• For refunds... contact the scammer!

Digital becomes reality becomes... digi-reality?

• Vehicle tracking serves personalized ads

• Tracking/pricing via battery status

• Augmented reality

Let's Take Your Questions

Learn More: malwarebytes.com/business

Latest News: blog.malwarebytes.com

Request a Trial: malwarebytes.com/business/licensing

Thank You!
