Uncovering Micro-Targeted Malvertising Against US Defense Industrial Base
Webinar, October 16, 2014
PATRICK BELCHER, DIRECTOR OF SECURITY ANALYTICS, INVINCEA, INC.
Patrick Belcher, CISSP, CISM
• Analysis Team manager at Riptech, absorbed by Symantec in 2004.
• Helped stand up the US-CERT for the DHS
• Lead Cyber Security Analyst for FDIC
• RSA/NetWitness
• Cyber analysis for numerous Federal agencies including the State Department and Department of Defense
• Performed incident response and analysis for several Fortune 50 companies.
• Invincea: Director of Security and Malware Analytics
Agenda
Thanks for Attending this Webinar! Today we will discuss:
• Operation DeathClick: Attacks Against the US Defense Industrial Base
• How Advanced Adversaries are Using Micro-Targeting techniques via Malvertising to Target Your Enterprise
• How Real Time Bidding Works
• How do malvertisers choose targets?
• How do malvertisers set up their malware delivery?
• How to Protect your organization against Targeted Malvertising
Operation DeathClick
• Invincea discovered a concerted campaign against US Defense companies
• Operation DeathClick represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives
• Expect the campaign will soon be used to target other sectors: financial, Federal, manufacturing, healthcare, etc.
• Leverages advertising networks on ad-supported web sites to compromise specific company networks
• The TTPs involved in DeathClick evade almost all network-based and traditional endpoint controls. There is no patch for this TTP.
Micro-Targeting: How Targeted Can it Be?
You can push targeted ads to:
• A Region
• A City
• A Neighborhood
• Type of shopper
• Gender-specific Ads
• Industry Vertical
• Specific Corporation
• Captive Audience/Wireless Tower
• Specific peoples' Mobile platform
• Any combination of the above
A couple of scenarios…
• Activism
• Product Placement
• Special Audience
• Network intrusion
Traditional Web Advertising
• Ads were once sold in bulk. Advertisers paid by the number of viewer impressions delivered.
• Advertisers paid more money if the ad was clicked.
• Actual Ad content is hosted elsewhere.
• Advertisers chose which sites to deliver ad content.
Drawbacks:
• Indiscriminate
• Costly
• No great ROI
• Easily Abused
Now Ads are Targeted
Ironic targeted ad by an Ad Targeting Company. This ad is a result of my research into ad bidding (cookie based).
This ad delivery targeted me based on my IP address location in Orlando, FL (GEO-IP based).
How Does Ad Targeting Work?
Big Data!
• Ad Slots Provide the Real Estate, Typically Doubleclick
• Other Ad Services and Intelligence Services Enhance Targeting
• Neustar, Facebook, Twitter, Pubmatic and Others Sell IP intelligence to Ad Networks.
• Ad Networks now sell targeted ads for Advertisers
RTB is Now Standard
Ad placement has evolved. Ad networks now run based on Real-Time Ad Bidding.
• Backend auction happens in milliseconds
• Less expensive than bulk impression buys
Targeted Advertising Too Creepy?
Who knows more about you? Ad networks or the NSA?
Now Malvertisers Have the Power of RTB Targeting and they are coming after YOU!
Evading Traditional Defenses
The ability to select a target for compromise and the ease of the execution via RTB malvertising is known as “micro-targeting via malvertising.”
Without Advanced host protection, this attack is over 95% successful!
• Avoids Proxy blacklists
• Avoids AV detection
• Bypasses most advanced malware interception
• See the Invincea Snipertising Whitepaper for full details
Operation DeathClick (Case Study Available)
Large Defense and Aerospace contractors targeted by RTB for penetration. Malvertising delivered via:
• Pakistani News Outlet
• Fantasy Football Site
• Webmail Ads
• Any advertising supported site
Attacks bypassed superior defense-in-depth controls, including web proxies, and were stopped by Invincea.
Exploited: TheBlaze.com
12 Ads on Homepage! Pubmatic redirects to GumGum; drops Kryptik (changing hashes).
Exploited: ShootersForum
Shootersforum: OpenX RTB bid redirects to in.ua free host; drops exploit kit that pops Silverlight.
Exploited: Trade2win.com
Trade2win.com: Oxygenmedia ad bid redirects to German ad provider; drops bundler malware.
Exploited: Answers.com
Answers.com: Clickbait articles drop Kryptik; hashes constantly change; malware delivered from compromised Polish government sites.
How Hard is it to do Targeted Malvertising?
From SiteScout: if you've got cash, you can create your own landing pages and begin bidding.
How much does a Targeted Malvertisement Bid cost?
Log File from Winning bid against Cox IP Address to drop Trojan:
http://delivery.firstimpression.com/delivery?action=serve&ssp_id=3&ssp_wsid=2191400908&dssp_id=100&domain_id=2191400908&ad_id=748271&margin=0.4&cid=155380&bn=sj14&ip_addr=24.234.123.133&ua=1540937276&top_level_id=24.234.123.133&second_level_id=1540937276&page=thanhniennews.com&retargeted=null&height=90&width=728&idfa=null&android_id=null&android_ad_id=null&bid_price=0.654&count_notify=1&win_price=$AAABSMPg1dmFEPqXEZe5_CYviub3uOlabldGew
65 cents!
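The win-notification URL above is the kind of line a defender finds in proxy logs or in an ad server's delivery log, and it carries every targeting dimension the bid was bought on. The following is an added example, not code from the slides or from Invincea: it parses that exact URL, lists which targeting keys were actually populated (the `null` ones are dropped), converts the bid to cents, and checks whether the targeted `ip_addr` falls inside address ranges the defender is watching. The `WATCHED_RANGES` block and the `TARGETING_KEYS` selection are assumptions made for this example; the field names themselves come from the URL on the slide.

```python
from urllib.parse import urlsplit, parse_qs
from ipaddress import ip_address, ip_network

# Win-notification URL exactly as shown on the slide above.
WIN_URL = ("http://delivery.firstimpression.com/delivery?action=serve&ssp_id=3"
           "&ssp_wsid=2191400908&dssp_id=100&domain_id=2191400908&ad_id=748271"
           "&margin=0.4&cid=155380&bn=sj14&ip_addr=24.234.123.133&ua=1540937276"
           "&top_level_id=24.234.123.133&second_level_id=1540937276"
           "&page=thanhniennews.com&retargeted=null&height=90&width=728&idfa=null"
           "&android_id=null&android_ad_id=null&bid_price=0.654&count_notify=1"
           "&win_price=$AAABSMPg1dmFEPqXEZe5_CYviub3uOlabldGew")

# Constructed (hypothetical): address blocks the defender wants to alert on.
# Substitute your own egress ranges; the /24 here simply contains the slide's IP.
WATCHED_RANGES = [ip_network("24.234.123.0/24")]

# Query keys in this log format that carry targeting dimensions (assumption:
# chosen by reading the URL, not from any ad-server documentation).
TARGETING_KEYS = ("ip_addr", "ua", "page", "width", "height", "retargeted",
                  "idfa", "android_id", "android_ad_id")
NULLISH = {None, "", "null"}


def parse_win_notification(url):
    """Split a win-notification URL into the fields a defender cares about."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rec = {
        "ad_server": parts.hostname,
        "page": q.get("page"),            # publisher site the ad slot was on
        "ip_addr": q.get("ip_addr"),      # the address the bid targeted
        "ad_id": q.get("ad_id"),
        "win_price_token": q.get("win_price"),  # opaque in the log; kept verbatim
    }
    try:
        rec["bid_price_usd"] = float(q.get("bid_price", ""))
    except ValueError:
        rec["bid_price_usd"] = None
    # Targeting dimensions that were actually populated for this bid
    rec["targeting_used"] = [k for k in TARGETING_KEYS if q.get(k) not in NULLISH]
    return rec


def in_watched_range(ip_text, ranges=WATCHED_RANGES):
    """True if the targeted address lies inside one of the watched networks."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def triage(url, ranges=WATCHED_RANGES):
    """Parse the URL and attach the two facts an analyst wants first:
    was one of our ranges the target, and what did the impression cost."""
    rec = parse_win_notification(url)
    rec["targets_watched_range"] = in_watched_range(rec["ip_addr"], ranges)
    rec["bid_cents"] = (None if rec["bid_price_usd"] is None
                        else round(rec["bid_price_usd"] * 100, 1))
    return rec


if __name__ == "__main__":
    for key, value in triage(WIN_URL).items():
        print(f"{key:24} {value}")
```

Run as a script it prints the parsed record; the same `triage` function can be applied to every ad-delivery URL pulled from a proxy log to build a list of which external pages were used to reach which internal addresses, and at what price.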
Funding a Micro-Targeted Malvertising Campaign
• Click Fraud funds the operation. Logs show fake Chrome installed in Java cache to click on ad banners.
• Kyle and Stan malvertising uses bundled malware and referral abuse to generate cash.
• Chrome and bundled programs evade AV detection.
• Bundled programs spy on endpoints to improve ad targeting.
Where Malvertisers Host Exploit Landing Pages
• Compromised WordPress Blogs
• Unconfigured Apache hosts
• Cloud-based NGINX subdirectories
• Government and News pages in Poland
• Free Hosting sites such as ua.in
To avoid proxy blacklisting, landing pages are unique and only online for minutes.
To avoid AV or hash detection, exploits employ unique names and hashes.
Landing exploit kits are currently focused on cash generation, but can easily be converted to exfiltration or banking kits.
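Because the landing pages are new every time and the payload hashes keep changing, a blacklist of domains or hashes is always behind. What stays constant is the shape of the chain: an ad exchange or SSP as the referer, followed by a fetch from a host the organisation has never contacted before, often on a free-hosting suffix. The following is an added detection example, not Invincea's or the slides' code. It runs over constructed proxy log lines in a simplified `timestamp client method url referer` format and flags exactly that pattern. The ad-network suffixes (pubmatic.com and openx.net are named on the slides; doubleclick.net is mentioned as the usual slot provider), the free-hosting suffix `.in.ua` (taken from the Shootersforum slide), the baseline host set and every hostname in the log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: exchanges/SSPs that should never be the referer of a first-seen host.
AD_NETWORK_SUFFIXES = ("pubmatic.com", "openx.net", "doubleclick.net")
# Free-hosting suffix mentioned on the slides; extend with your own list.
FREE_HOST_SUFFIXES = (".in.ua",)

# Constructed proxy log lines: "<ts> <client> <method> <url> <referer>".
# Hostnames use reserved/example names and are not real indicators.
LOG_LINES = """
2014-10-16T10:01:02Z 10.0.0.5 GET http://ads.pubmatic.com/AdServer/js/showad.js http://www.theblaze.com/
2014-10-16T10:01:03Z 10.0.0.5 GET http://x7q2.landing-example.in.ua/index.php http://ads.pubmatic.com/AdServer/js/showad.js
2014-10-16T10:01:03Z 10.0.0.5 GET http://cdn.example-known.com/lib.js http://www.theblaze.com/
2014-10-16T10:05:44Z 10.0.0.9 GET http://fresh-host-8813.example/landing http://ad.openx.net/w/1.0/acj
2014-10-16T10:06:00Z 10.0.0.9 GET http://www.example-news.com/ http://ad.openx.net/w/1.0/acj
""".strip().splitlines()

# Constructed baseline: hosts this network has contacted before (in practice,
# built from the previous N days of logs).
BASELINE_HOSTS = {"cdn.example-known.com", "www.example-news.com", "www.theblaze.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<referer>\S+)$")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def ends_with_any(host, suffixes):
    """True if host equals a suffix or is a subdomain of it."""
    for s in suffixes:
        bare = s.lstrip(".")
        if host == bare or host.endswith("." + bare):
            return True
    return False


def is_ad_network(host):
    return ends_with_any(host, AD_NETWORK_SUFFIXES)


def is_free_host(host):
    return ends_with_any(host, FREE_HOST_SUFFIXES)


def find_suspicious_redirects(lines, baseline_hosts):
    """Flag requests whose referer is an ad network and whose destination is
    either a host never seen before or a host on a free-hosting suffix.
    No hash or domain blacklist is consulted, on purpose: the slides show
    both change faster than a list can be updated."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        dst, ref = host_of(m["url"]), host_of(m["referer"])
        if not is_ad_network(ref):
            continue
        reasons = []
        if dst not in baseline_hosts:
            reasons.append("first-seen host")
        if is_free_host(dst):
            reasons.append("free-hosting suffix")
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "dst": dst, "via": ref, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(LOG_LINES, BASELINE_HOSTS):
        print(f"{f['ts']} {f['client']} -> {f['dst']} via {f['via']}: {', '.join(f['reasons'])}")
```

Two of the five constructed lines are flagged: the `.in.ua` fetch (first-seen and free hosting) and the `fresh-host-8813.example` fetch (first-seen only). The line that goes from an ad network to a baseline host is not flagged, which is the point: the rule keys on novelty behind an ad referer, not on the ad network itself, so ordinary ad traffic does not flood the alert queue.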
Protect Yourself from Malvertising
• Deploy Invincea on EndPoints
Or
• Disallow external web re-direction.
• Demand change in the ad network business
• Opt Out
Only 636 Targeting Ad Companies to opt out from!
http://www.rubiconproject.com/privacy/consumer-online-profile-and-opt-out/
http://preferences-mgr.truste.com/
http://www.ghosteryenterprise.com/global-opt-out/
Invincea Threat Protection
• Contain all web-based attacks in secure virtual containers
• Collect threat forensics on attack
• Protect against known, unknown, and 0-day threats without requiring signatures
Free Invincea Research Edition
Each detection shown in this presentation is available for online viewing in the Invincea Research Edition Portal.
Sign up for the Research Edition and get a free licensed copy of Invincea FreeSpace Research Edition. Click without fear.
Special Thanks and Resources
Invincea Whitepaper on Real Time Ad Bidding
Invincea Case Study: RTB Targeting Defense Industry
Threatpost Kyle and Stan Analysis http://threatpost.com/kyle-and-stan-malvertising-network-nine-times-bigger-than-first-reported/108435
Q&A Session
Invincea Research Edition: www.invincea.com/research-edition
Webinar Recording + Slide deck:
Demo Request: http://www.invincea.com/get-protected/enterprise-request-form