

7/17/2019
01:00 PM
Larry Loeb

Malvertising Adds Sophistication to Disruption

French security researcher Malekal delved into a murky world.

Eliya Stein, a senior security engineer at French security firm Confiant, was intrigued by what Malekal -- a French security researcher -- found out about a malvertiser that was present on Microsoft services in France affecting Windows 10 desktops.

What concerned many people was that browser ad blockers wouldn't stop the ads. That seemed to imply that the browser was only a secondary venue for the malicious actor, and that the malvertising was being created and disseminated by means other than just an in-app placement.

Stein decided to publish what he was finding out about this situation.

The entry point for the served malvertising was initially "ads.creative-serving.com", the ad serving domain used by Platform161, acting as the DSP (real-time ad buying platform). Stein found that the DSP was being used unwittingly, and was not participating in the scheme.

The malvertiser can serve up innocuous code, or issue a redirect if certain criteria are met. Stein reminds us that malvertisers rely on forced redirections in order to drive victims to phishing pages, tech support scams, or drive-by downloads. Also, a large-scale malvertiser needs at least some automation in their infrastructure deployments, because they need to pivot often in order to maintain persistence. The automation that was chosen by this malvertiser correlates to an extremely reliable attribution formula: the first three letters of the domain are used as the name of the ad serving PHP script.
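As an added illustration (not code from the article or from Confiant), here is a small Python check for the naming pattern described above, usable over a list of ad-serving URLs pulled from proxy or ad-tag logs. It assumes that "the domain" means the registrable name (second-level label plus suffix, with no public-suffix list) and that the script is a .php file at the end of the path; the sample URLs are constructed, not real indicators.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample URLs for demonstration; none are real indicators from the article.
SAMPLE_URLS = [
    "https://www.trackbay-ads.example/tra.php?cid=42",   # script name = first 3 letters -> match
    "https://ads.platform-demo.example/serve.php",       # script name unrelated -> no match
    "http://QUICKDELIVERYNET.EXAMPLE/qui.php",           # match regardless of case
    "https://cdn.example/static/ads.js",                 # not a PHP script -> no match
]


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels of the host
    (e.g. 'www.foo.example' -> 'foo.example'). No public-suffix handling."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def script_stem(path: str) -> Optional[str]:
    """Return the basename of a trailing .php script without its extension, or None."""
    m = re.search(r"/([^/]+)\.php$", path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def matches_attribution_pattern(url: str) -> bool:
    """True when the PHP script name equals the first three letters of the domain."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return False  # no scheme/host, nothing to compare
    stem = script_stem(parsed.path)
    if stem is None:
        return False
    domain = registrable_domain(parsed.hostname)
    return len(domain) >= 3 and stem == domain[:3]


def flag_urls(urls: List[str]) -> List[str]:
    """Return only the URLs that fit the naming pattern, for analyst review."""
    return [u for u in urls if matches_attribution_pattern(u)]


if __name__ == "__main__":
    for u in flag_urls(SAMPLE_URLS):
        print("pattern match:", u)
```

The check is a triage hint, not proof of malicious intent: a matching URL still warrants confirmation of the redirect behavior before it is treated as attributed infrastructure.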

This allowed Stein to track historic as well as predicted behavior of the threat actor. He found that in 2019 the attacker went through over 50 domains, all of which are registered at Namecheap.

He was also able to discern that malvertising activity that fits this pattern can be traced back to over 100 additional domains that were active since 2017.

Stein got a tip in March 2019 that pointed to a Hong Kong-based company named "fiber-ads" which fits this business model. He characterized them as a bunch of hucksters from the get-go. "The fiber-ads profile on MyMediAds reveals an active participant in a gray market where advertisers can transact or form joint ventures with hawkers of cheap inventory that has very questionable provenance."

This led to significant impression volume. Over 100 million impressions had been served this year as of mid June. He found that desktop and mobile devices were targeted in relatively equal quantities, but desktop Windows and iOS were also heavily favored by the attacker.

So, the malvertiser affected much more than just Windows 10 desktops. The "middleman" positioning that fiber-ads has chosen in this gray market insulates it from direct exposure. It is an evolution from what is usually seen, and requires more sophistication to pull off. Stein sums up this level of malvertising as, "The middle-men provide the delivery mechanism, but from there the trail can get murky very quickly as the ultimate payload probably goes to the highest bidder, or to whomever the malvertiser is partnered with at that particular moment."

Such a convoluted scheme can be as disruptive as the attackers think they can get away with.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
