Malvertising Attacks on Huffingtonpost, Yahoo, AOL
Cyphort Labs has reported an uptick in drive-by infection through malvertising in 2014 and sounded alarms for web property owners regarding this emerging trend. We believe that this trend presents a significant cybersecurity challenge in 2015. In this session, we will discuss this increasing trend of drive-by attacks by dissecting examples of recent web infections, as well as share observed, sophisticated behavior of modern exploit packs and the challenges they pose for research and discovery. As we present exploit kit information, trends and statistics from research derived from our Cyphort Crawler, you will gain an awareness and an understanding of these malvertising threats to better protect your site visitors from malware infection.
5. Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd-party threat data
6. What is Malvertising
Malvertising is the use of online advertising to spread malware.
Malvertising involves injecting malicious ads into legitimate online advertising networks and web pages.
(Anti-Malvertising.com)
7. How Malvertising works
o Attacker: creates and injects malware ads into an advertising network
o Advertising Network: selects an ad based on auction, sends it to the website
o Website: serves a banner ad, sometimes malicious
o User: visits a popular website, gets infected via exploit kit
9. Malvertising history timeline (2007 to 2014)
o Malvertising technique was first identified in Flash files
o Speedtest.net ad network OpenX serves malware ad
o New York Times "Vonage" banner hijacked, installed FakeAV
o Malvertising uses dynamic domain names
o HuffPo, LA Weekly malvertising ads reach 1.5 Billion users
10. Poll Question #1
How many ad impressions were driven by malvertising in 2013?
o Over 10 million
o Over 1 Billion
o Over 10 Billion
11. Rise of Malvertising
OTA stats
• Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions.
Google stats
• Google filtered 524 million 'bad' ads in 2014, and disabled 214,000 malware websites.
Cyphort stats
• Cyphort's own data shows 300% malvertising growth in 2014.
13. Online Advertising Complexity
(Diagram: Karina Sanz)
The diagram runs from Advertisers, through the intermediaries listed below, to Publishers and their Audience:
o Agencies
o Media Buying Platforms
o DSPs
o Creative Optimization
o Data Optimization
o Ad Ops
o Ad Servers (appears twice in the diagram)
o Ad Exchanges
o SSPs
o Ad Networks
o Sharing Data / Social Tools
o Data Suppliers
o DMPs and Data Aggregators
o Verification
o Attribution
o Analytics
o Yield Optimization
o Publisher Tools
The combination of technology and services that connect Advertisers with Publishers can be a complex process with many parties involved.
14. Online Advertising Complexity
Almost every one of them is vulnerable to malware injection.
17. Techniques to avoid detection
o Enable malicious payload after a delay
o Only serve exploits to every 10th user
o Verifying user agents and IP addresses
o HTTPS redirectors
18. What is an Exploit Kit
o An exploit kit is a delivery mechanism for a variety of different types of malware
o The first exploit kit was WebAttacker, developed in 2006 and sold for $20
(secpod.org)
19.
o Exploit Kits infect you without a "click"
o Examples: Angler, Sweet Orange, Nuclear, RIG
(Fox-it.com)
24. GOPEGO malvertising
GOPEGO, Feb 4, 2015
gopego.com malvertising downloads CryptoWall ransomware.
The attack serves an exploit package embedded in a Flash file, including exploits which target four vulnerabilities, among them the notorious CVE-2015-0311.
www.cyphort.com/gopego-malvertising-cryptowall/
26. HuffingtonPost malware – Kovter analysis
o Kovter is an ad-fraud Trojan (MD5 sum: A2A6A36C94D4FF5B42C346F3A3A49E7)
o Communication to C&C is RC4 encrypted and Base64 encoded
o If it detects any indication of analysis tools, virtualization or debugging tools, it will POST the following data to a16-kite.pw and then exit
o Else, it will POST data to a16-car.biz and then wait for commands
o The C&C server can issue the following commands:
  o RUN – execute a file
  o UPDATE – update itself
  o RESTART
  o FEED – Ad Fraud
  o SLEEP
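Added example (not Cyphort's code, and not taken from the Kovter sample): a small decoder for the C&C layering the slide describes, Base64 over RC4, so an analyst with the RC4 key recovered from a sample can turn a captured POST body back into one of the listed command words. The key and the message below are constructed for the example; a real key must come from your own analysis of the binary.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Command words the slide attributes to the Kovter C&C server.
KNOWN_COMMANDS = {"RUN", "UPDATE", "RESTART", "FEED", "SLEEP"}

def encode_message(key: bytes, plaintext: str) -> str:
    """Build a body the way the slide describes it: RC4 encrypt, then Base64 encode."""
    return base64.b64encode(rc4(key, plaintext.encode("utf-8"))).decode("ascii")

def decode_message(key: bytes, body: str) -> str:
    """Undo the layering in reverse order: Base64 decode, then RC4 decrypt."""
    return rc4(key, base64.b64decode(body)).decode("utf-8", errors="replace")

def classify_command(plaintext: str):
    """Return (command, argument) when the first token is a known C&C command, else None."""
    token, _, rest = plaintext.strip().partition(" ")
    token = token.upper()
    return (token, rest) if token in KNOWN_COMMANDS else None

# Constructed sample: this key and message are made up for the example, not from a capture.
SAMPLE_KEY = b"example-key"
SAMPLE_PLAINTEXT = "RUN http://c2.invalid/file.bin"
SAMPLE_BODY = encode_message(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decode_message(SAMPLE_KEY, SAMPLE_BODY)
    print(recovered, classify_command(recovered))
```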
27. Crawler Trends and Stats
o 35% of the domains we found were infected more than once (repeated infections)
o AskMen.com - Jun 2014
o Indowebster - Sep 2014
o ThePirateBay.se - Oct 2014
o HuffingtonPost.com, LAWeekly, WeatherBug.com - Jan 2015
28. Poll Question #2
On which day of the week is malvertising most active?
o Monday
o Wednesday
o Sunday
o All days equally
29. [Bar chart: attacks by day of the week, Monday through Sunday; axis 0 to 600]
Most attacks on Weekends
32. Infected domains
[Bar chart: Infected TLDs, axis 0 to 2000; TLDs shown, as listed on the chart: fr, de, tv, it, info, ir, ru, org, net, com]
Infected Hosting Country Origin:
o US 59%
o Germany 8%
o France 6%
o UK 4%
o Netherlands 4%
o EU 3%
o Spain 3%
o China 2%
o Canada 2%
o Italy 2%
o Hong Kong 2%
o Korea 2%
o Ukraine 1%
o Thailand 1%
o Austria 1%
o Russia 1%
33. Payload domains
[Bar chart: Payload TLDs, axis 0 to 1200; TLDs shown, as listed on the chart: eu, vu, in, us, ua, biz, org, pl, net, com]
Payload Hosting Country Origin:
o US 72%
o Turkey 11%
o EU 5%
o UK 3%
o Russia 2%
o Korea 2%
o Germany 2%
o France 1%
o Canada 1%
o Switzerland 1%
34. Conclusions
o Advertising networks get millions of submissions, and it is difficult to filter out every single malicious one.
o Attackers will use a variety of techniques to hide from detection by analysts and scanners.
o Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads, scanning early and often and picking up changes in the advertising chains.
o Ad networks should have the latest security intelligence to power these monitoring systems.
o The risk increases on weekends and holidays.