Uncovering The Secrets of Malvertising
Jérôme Segura, @jeromesegura, Lead Malware Intelligence Analyst
Chris Boyd, @paperghost, Lead Malware Intelligence Analyst
Agenda
• Legacy and reality behind advertising
• Malvertising 101 and social engineering
• Evasion techniques that keep researchers at bay
• Malvertising beyond malware (scams, fraud)
10 years ago...
Early days of ad blocking
• Ad overlays anger porn webmasters
• They'd rather sacrifice traffic alongside the sales lost from pop-over redirects
Online ads in 2016: One website, mixed messages
Malvertising (n): Malicious advertising is the use of online advertising to distribute malware or scams with little or no user interaction required.
Malvertising in the news…
The impact
• Millions of users exposed
• Payloads range from ransomware to banking Trojans
Malvertising 101
Malvertising and Exploit Kits
Malicious ad → Redir./Gate → Exploit Kit → Malware
https://blog.malwarebytes.com/threat-analysis/2016/01/msn-home-page-drops-more-malware-via-malvertising/
Ad Tech basics
• Publisher: Website that displays ads
• Creative: Short for 'ad creative', meaning an advert
• Impression: Refers to an ad being viewed once by a visitor
• Ad call: The browser request that triggers an impression
• RTB: A Real Time Bidding auction for each impression
• CPM: Cost per 1K impressions
Why threat actors get onto popular websites
In one particular campaign, with just $5, threat actors were able to expose over six thousand people to malware!!!
https://blog.malwarebytes.com/threat-analysis/2015/02/hanjuan-ek-fires-third-flash-player-0day/
• Huge traffic volumes
• Pay Per Impression becomes 'Pay Per Infection'
How threat actors get onto popular websites
• Inconsistent guidelines weaken the ad industry
• Profit vs security (i.e. 'arbitrage')
• 3rd party tags can be hijacked on the fly
• Newer ad formats (video ads)
• Exploiting 'Trusted partners'
• Social engineering to bypass ad scanners
Fake advertisers
• Threat actors create fake profiles
• Social engineering is used to dupe ad agencies/networks
• It's a long term game
Domain shadowing: Stolen identities
• Abuses legitimate businesses
• Ad banners are created and hosted 'silently'
• Difficult to find the 'smoking gun'
Domain shadowing: Fun with Photoshop
Evasion techniques
Ads moving to HTTPS
• The 'ad call' URL in plain HTTP versus HTTPS
Useful metadata
Nothing to see, much to hide
Anti-researchers, honeypots (fingerprinting)
• Identify non-genuine targets via information disclosure bugs
• Read local filenames via the browser (XMLDOM)
• Check for MIME type (.pcap, .saz)
• If vmware, virtualbox, wireshark, etc. are found, show the 'clean ad'
Fingerprinting: XMLDOM vuln.
Fingerprinting: XMLDOM and MIME type in a GIF
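The fingerprinting slides above describe what a researcher sees only after the fact: the creative probes the visitor and serves a clean ad to anyone who looks like an analyst. One defensive response is to triage ad-creative scripts for those same indicators before they reach a page. The following scanner is an added example written for this page, not code from the talk or from Malwarebytes. The indicator patterns, the two-category threshold and the two sample creatives (one benign, one carrying the XMLDOM, capture-file and analysis-tool indicators the slides name) are all constructed for illustration.

```python
"""Static triage of ad-creative JavaScript for the fingerprinting indicators
named on the slides: XMLDOM local-file probing, MIME-type checks for capture
files, and look-ups of analysis tools. Added example; heuristics are
constructed for illustration, not a published rule set."""
import re
from dataclasses import dataclass, field

# Indicator regexes grouped by the evasion behaviour they suggest.
INDICATORS = {
    "xmldom_file_probe": [
        r"Microsoft\.XMLDOM",      # ActiveX XML parser used for local file probing
        r"res://",                 # resource URI scheme used to test local files
        r"<!DOCTYPE[^>]*SYSTEM",   # external DTD reference used by such probes
    ],
    "capture_file_check": [
        r"\.(?:pcap|saz)\b",       # Wireshark / Fiddler capture file extensions
        r"\bMIME\b|mimeTypes?",    # MIME-type enumeration
    ],
    "analysis_tool_lookup": [
        r"\bvmware\b", r"\bvirtualbox\b", r"\bwireshark\b", r"\bfiddler\b",
    ],
}


@dataclass
class Finding:
    category: str
    pattern: str
    line_no: int
    excerpt: str


@dataclass
class Verdict:
    categories: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One indicator alone (e.g. "MIME" in a legitimate video player) is
        # noise; two independent categories match the behaviour described.
        return len(self.categories) >= 2


def scan_creative(source: str) -> Verdict:
    """Run every indicator regex over each line of the creative."""
    verdict = Verdict()
    for line_no, line in enumerate(source.splitlines(), start=1):
        for category, patterns in INDICATORS.items():
            for pat in patterns:
                if re.search(pat, line, re.IGNORECASE):
                    verdict.categories.add(category)
                    verdict.findings.append(
                        Finding(category, pat, line_no, line.strip()[:80]))
    return verdict


# Constructed sample: an ordinary image creative with a click tracker.
BENIGN_CREATIVE = """
<script>
  var img = document.createElement('img');
  img.src = 'https://cdn.example-adnetwork.test/creatives/banner_300x250.gif';
  img.onclick = function () { location.href = 'https://click.example-adnetwork.test/?cid=1234'; };
  document.getElementById('ad-slot').appendChild(img);
</script>
"""

# Constructed sample: a creative that inspects the visitor before choosing
# which ad to show. The probe body is deliberately left empty.
SUSPICIOUS_CREATIVE = """
<script>
  // constructed sample: probes the visitor before deciding which ad to serve
  var probe = new ActiveXObject('Microsoft.XMLDOM');
  var targets = ['res://vmware-tray.exe', 'res://wireshark.exe'];
  var badExt = ['.pcap', '.saz'];
  function isResearcher() { /* ... */ }
  img.src = isResearcher() ? '/clean_ad.gif' : '/real_creative.gif';
</script>
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_CREATIVE), ("suspicious", SUSPICIOUS_CREATIVE)):
        v = scan_creative(src)
        print(f"{name}: suspicious={v.suspicious} categories={sorted(v.categories)}")
        for f in v.findings:
            print(f"  line {f.line_no} [{f.category}] {f.pattern!r}: {f.excerpt}")
```

The scanner is meant as a pre-flight check in an ad-ops pipeline or a review tool, not a replacement for dynamic analysis: a creative that loads its probing logic from a second-stage script will show nothing here, which is exactly why the slides pair static review with honeypot browsing.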
Malvertising beyond malware
Hiding blockers from... blocker blockers?
"Please disable your ad blocker!" "Yes, but…"
Malvertising & scams: With a VPN / Without a VPN
Direct to bill payments done right
• Direct to bill payments: pay for services with no credit card
• Merchants (webmasters) can subvert payment process
SMS: Click link to confirm acceptance of billing for product
www.exampleurl.com
555-555-5555
Direct to bill payments done wrong
• Advert on forum auto redirects to instant payment
• For refunds... contact the scammer!
Digital becomes reality becomes... digi-reality?
• Vehicle tracking serves personalized ads
• Tracking/pricing via battery status
• Augmented reality
Let's Take Your Questions
Learn More: malwarebytes.com/business
Latest News: blog.malwarebytes.com
Request a Trial: malwarebytes.com/business/licensing
Thank You!