Malvertising Gets Nastier with Fingerprint Technique


Most hackers prefer to use tried-and-true attacks, in many cases relying on exploits that take advantage of well-known software vulnerabilities.

"Attackers are lazy. They want maximum bang for the buck, so they will go for low-hanging fruit," said Chandra Rangan, vice president marketing, HPE Security Products at Hewlett Packard Enterprise, discussing some of the findings published in HPE's Cyber Risk Report 2016 in a recent interview with eSecurity Planet. According to the report, the most exploited bug in 2015 was over five years old.

Some hackers using old exploits put clever new spins on them, though, as appears to be the case with several malvertising campaigns recently discovered by Malwarebytes researchers, who released a brief on their findings at this month's RSA conference and wrote about it in a blog post.

More Sophisticated Malvertising

Jerome Segura, senior security researcher for Malwarebytes, explained that the new technique uses fingerprinting, a technique long used in exploit kits like Angler to determine whether PCs were viable targets, to increase the effectiveness of the malvertising attacks.

The use of fingerprinting helps those behind malvertising attacks better target their victims and evade detection, Segura said.

Until recently, malvertising was "pretty simple," with a malicious advertisement directing users to a payload, which could be a scam Web page or an exploit kit like Angler, Segura said. But he found a more sophisticated technique while looking at a malvertising campaign that targeted several big ad publishers last year.

Segura detected a tiny GIF file that contained a snippet of Javascript code he had never seen before. Using a well-known Internet Explorer vulnerability, it read the content of files on a machine.  "If it spotted security tools like antivirus or files belonging to VMs (virtual machines), the code would catalog it and stop right there," he said. "If the machine was a real machine and did not have security tools, you got an external redirection to an exploit kit URL."

Unlike traditional malvertising attacks, which require users to click on malicious advertisements, these malvertising attacks loaded the malicious code automatically, Segura said.

The clever techniques used by attackers to evade detection included serving the GIF image over HTTPS, using shortened URLs and hiding the IP address of the attacker's server via SSL. In the most sophisticated variation, the malicious code was encrypted and provided only once per IP address.

That kind of stealth is "meant to disrupt way security companies and ad networks identify bad actors and report them," Segura said. "In the past malvertising made a lot noise and was easily detectable. These attacks are a lot less noisy and leave less of a footprint on a system. It's much smarter."

Attackers targeted some of the largest ad publishers as well as smaller ones, he said, and used social engineering techniques to gain the trust of the advertising networks. Malwarebytes identified one malicious actor through a profile attackers had created, including a bogus Better Business Bureau Web page. "They use a combination of high technical skills with really smart social engineering," he said.

The malvertising techniques used by the attackers "let them really focus on the demographics of users who are susceptible to infection," he said, and to largely escape the attention of the ad networks as well as security researchers using honeypots and similar tools.  "If you can't see them, how do you report them?" The majority of ad networks had no idea this was going on. We had to show them screen captures."

Because the fingerprinting techniques used are so similar to methods used in exploit kits and because all of the campaigns directed to the Angler exploit kit, Malwarebytes suspects there could be cooperation between operators of the exploit kit and those running the malvertising campaigns, Segura said. "Either they were inspired by what the exploit kits were doing or they were provided with the code to put in their ad banners. We think there is probably a close tie."

As of today, Segura said, the malvertising attacks are still occurring. Malwarebytes has published a paper that Segura hopes will raise awareness about this cybersecurity threat.

How to Fight Malvertising

Security tools installed on machines are a definite deterrent. "Those machines only got a clean ad; no malicious code would execute," Segura said, noting that it is important to ensure that users are equipped with up-to-date versions of these tools.

Ad blockers also are effective in thwarting the attacks. "If you are blocking ads, the technique used by attackers does not matter. It's still an ad at the end of the day," he said.

Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.