Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Security Journal

FEATURE

which he describes as “a bit basic”, will make in and of themselves. While he says that the “unification of views” from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited “until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them”.

“It’s a good starting point if only for debate such as this,” he says, “but it will be interesting to see the status of the principles in a year’s time.”

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK’s Institute of Information Security Professionals (IISP).

The idea behind the project came from the Institute’s general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University’s information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC’s Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world. Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from “it’s absolutely appalling and law enforcement should throw the book at them” to “they deserve to get an award” – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. “This is an area where people are crying out for guidance, especially in the private sector,” he says. “We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions.”

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in individuals’ beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion.

The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate. “If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set,” Carolina says. “But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it’s not much value.”

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised. As Gillespie concludes: “Things are changing. There are lots of pockets of work being done and, while they’re not consistent or global, you can see a day when the industry will get there – although it’s a long road yet.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.
Malvertising – exploiting web advertising

Aditya K Sood, Richard J Enbody, Michigan State University
Computer Fraud & Security, April 2011

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware.

Search engines’ intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising, so the malicious user only needs to co-opt a redirection that is taking place. As a bonus, the user expects a redirection to take place, so the redirection to a malicious site is less of a red flag.

Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLAs) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and can use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains.1 Generally, these types of domains do not comply with any types of security or privacy standards.
• Malicious agents can use different modes of malvertising infection in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check is imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model, which makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly onto the system as part of a drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls [8].

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Malvertising modes

Most web malware is triggered through web injections that exploit vulnerabilities in web software and domains. Different modes of infection are used for injecting malicious advertisements into vulnerable domains. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP) placed unvalidated redirects and forwards in its 2010 ‘top 10’ list.2

Figure 1: Registering a widget on a vulnerable advertising domain.

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection.3 However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising.4 As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.
3. FEATURE
For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed it into the user’s websites and blogs. However, because of flaws in the publisher’s system, it’s possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as Blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user’s website.
• After the widget is embedded in the user’s site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

Figure 2: Installed widget.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher’s website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher’s website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget for inclusion in some domain) as shown in Figure 1. The widget is included in the same domain as shown in Figure 2.

Step 2: The attacker can activate the apparently dead vulnerability through hyperlinks by activating the URL from the vulnerable publishing domain as follows, where ‘outbrain.com’ is a vulnerable advertising domain and ‘xsstestingblog’ is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher’s site find themselves redirected to the attacker’s site. A successful attack can be seen as a request-response exchange in Figure 3.

This attack is the outcome of a design bug in the widget implementation: the sourceUrl parameter is used as the redirect target without being validated, which is exactly the unvalidated redirect that OWASP lists. Attackers can exploit this scenario by generating malicious advertisements (using the publisher’s name) that are embedded with redirect URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Hidden iframes are one way for attackers to hide the objects that are used for spreading malware. The concept of hidden infection is not new, but here we show a different variation. The HTML specification includes the iframe element to embed one web page into another. Iframes can be used to load dynamic content for advertising. This functionality of iframes can be exploited to trigger infections. Iframes are used extensively to pull cross-domain content into a page: the Same Origin Policy (SOP) keeps the framed document’s DOM separate from the parent, but it does not stop the framed page’s scripts and plugins from running in the victim’s browser, which is what a cross-domain attack (CDA) through an ad slot relies on.5,6 Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users. Usually, iframes are exploited using the following properties for running malicious code (the ActiveX and local-object points apply to Internet Explorer with ActiveX enabled):

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on ActiveX object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows; the only thing that makes them ‘hidden’ is a zero- or one-pixel size or a hidden style, so those attributes are the obvious signatures to look for:

<iframe src="http://www.malicious.com/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://www.malicious.com/software_ad.js" width=0 height=0></iframe>
4. FEATURE
Figure 3: Victim browser successfully gets redirected to the malware domain.

In addition, attackers can hide their malicious purpose using JavaScript obfuscation techniques to encode the malicious links. Iframes possess an inherent flaw in that they define a trust relationship between different domains that are communicating with each other. The trust relationship cannot be determined every time within different domains that are sharing content. The inability to precisely determine trust is why it is very hard to restrict the content present in iframes, and why that content, although isolated from the parent’s DOM by SOP, runs on the parent page in the same browser process and with the parent website’s apparent authority. Attackers load malvertisements in iframes to run on the parent domain for inline infections so that the detection process becomes harder.

Malvertising through infected Content Delivery Networks

A Content Delivery Network (CDN) is third-party server infrastructure that serves content, including ad creatives, to many different domains across the web. CDNs are the preferred choice for attackers to spread malware by exploiting the CDN web servers – the attackers can simply let the servers assist in spreading the malware. Advertisements use Flash, Silverlight, pop-ups, Windows Media Player files and JavaScript extensively. However, this is a grave concern because if a CDN server is exploited, the attacker can inject malicious code in the form of malvertisements and that code is widely distributed. There is a chain reaction because if a parent server is infected, the child nodes will automatically get infected, too. Corrupting a server that serves thousands of sites spreads the malvertisements broadly and often in a trusted manner.

We have identified Windows Media Player files being used in malvertising for spreading malware. An attacker can perform the following steps in order to design and inject malicious .wmv files as malvertisements:

Step 1: The attacker ‘backdoors’ the .wmv file using Windows Script Editor, with malicious code (as presented in Figure 4) that executes through Cross Site Scripting (XSS) attacks.

Step 2: The attacker injects this .wmv file in an iframe and injects the code in a vulnerable CDN domain. When this file is distributed across domains, it starts spreading the malicious XSS file and bypasses the Internet Explorer XSS filter as shown in Figure 5.

As you can see, CDNs have the potential to be a big problem with respect to web malware.

Figure 4: Designing a .wmv file backdoor.

Malvertising through malicious banners

Advertising banners are used extensively in order to spread infections.7 Primarily, attackers exploit servers that host a number of websites on a single server – a common scenario. As above, attacking servers is an easy way to infect a large number of websites. In addition, since advertising banners are widespread, an attack through them will also be widespread. In this attack, the attackers exploit an XSS flaw or SQL injection vulnerability in websites hosted on the server in order to take full control. The attacker then uses two specific techniques to infect websites with malicious banners as follows:
5. FEATURE
• Attackers update the database with malicious iframes by exploiting SQL injection in order to trigger persistent infections.
• Attackers compromise the shared hosting server and use automated scripts to render malicious code on the main web page of different hosts.

When a user visits a specific website, malicious banners are displayed along with dynamic content. Clicking on the banner infects the user, or simply displaying the banner can lead to infection.

Figure 5: WMV file is spreading malicious VBScript file.

This trick can be used in conjunction with SEO poisoning, in which an attacker manipulates a search engine into ranking malicious domains or hijacked websites that display malicious banners, so that search results lead users to them.

Solutions

• The design of web applications and widgets should be thoroughly verified before allowing their use in a production environment. The widget should be installed with appropriate access controls in order to avoid any rogue actions.
• The interface communication channel between an installed widget and a parent website should be monitored to catch traffic redirection. Generally, the main website should not allow redirection in an open manner; redirect targets should be restricted to a controlled set.
• Appropriate configuration should be used in shared hosting environments. The servers should be audited regularly in order to detect any vulnerable hosts.
• A live malware monitoring system should be used for dedicated and shared hosting servers in order to trace malware infections at inception.
• Systems should be updated with the latest software and patches.

Conclusion

We’ve covered the essential dynamics of malvertising and the attack strategies used to distribute malicious advertisements across domains. Malvertisements are becoming one of the main sources of spreading web malware. One reason for their popularity is a dearth of appropriate security procedures for content sharing. For example, merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need for rigorous security policies and procedures to curb the risk of this type of infection. History indicates that it is impossible to get rid of malware infections completely, but continuous efforts can contribute towards enhancing the security of our networks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec, CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

Resources

• Polychronakis, Michalis; Mavrommatis, Panayiotis; Provos, Niels. ‘Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/leet08/tech/full_papers/polychronakis/polychronakis.pdf>.
• Provos, Niels; McNamee, Dean; Mavrommatis, Panayiotis; Wang, Ke; Modadugu, Nagendra. ‘The Ghost in the Browser: Analysis of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf>.
• Ford, Sean; Cova, Marco; Kruegel, Christopher; Vigna, Giovanni. ‘Analyzing and Detecting Malicious Flash Advertisements’. Accessed Mar 2011. <http://www.cs.ucsb.edu/~chris/research/doc/acsac09_flash.pdf>.
• ‘Some 1.3 million malicious ads served daily’. SC Magazine, 18 May 2010. Accessed Mar 2011. <http://www.scmagazineus.com/report-some-13-million-malicious-ads-served-daily/article/170414/>.
• ‘Pay Per Click’. Wikipedia. Accessed Mar 2011. <http://en.wikipedia.org/wiki/Pay_per_click>.
6. FEATURE
• ‘ActiveX Controls’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/aa751968%28v=vs.85%29.aspx>.
• Danchev, Dancho. ‘MSN Norway serving Flash exploits through malvertising’. ZDNet, 27 Aug 2008. Accessed Mar 2011. <http://www.zdnet.com/blog/security/msn-norway-serving-flash-exploits-through-malvertising/1815>.
• ‘SEO Poisoning Attacks Growing’. Security Focus, 12 Mar 2008. Accessed Mar 2011. <http://www.securityfocus.com/brief/701>.

References

1. Cova, M; Kruegel, C; Vigna, G. ‘Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code’. In Proceedings of World Wide Web Conference, 2010.
2. OWASP Top 10 Attack Vectors 2010. Accessed Mar 2011. <http://www.owasp.org/index.php/Top_10_2010-Main>.
3. Nations, Daniel. ‘What’s the Difference Between a Widget and a Gadget?’. About.com Web Trends. Accessed Mar 2011. <http://webtrends.about.com/od/widgets/a/widget-gadget.htm>.
4. Sood, AK. ‘Open Redirect Wreck Off’. HITB EZine. Accessed Mar 2011. <http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf>.
5. ‘Same Origin Policy’. W3C. Accessed Mar 2011. <http://www.w3.org/Security/wiki/Same_Origin_Policy>.
6. ‘Client-Side Cross-Domain Security’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/cc709423%28v=vs.85%29.aspx>.
7. ‘Content Delivery and Distribution Services’. Web Caching. Accessed Mar 2011. <http://www.web-caching.com/cdns.html>.
The UK fraud landscape for financial services

Duncan Ash, SAS UK

Fraud in the financial services industry is a topic that constantly makes headlines, but is the situation really as dire as the media would have us believe? Well, according to the recent statistics from the National Fraud Authority (NFA), released 27 January 2011, fraud is costing the UK over £38bn a year. In particular, the financial services industry recorded the highest loss to fraudsters at £3.6bn. However, on a more positive note this actually represented a slight decrease on the 2010 Annual Fraud Indicator figure of £3.8bn due to improved fraud prevention methods involving plastic card fraud (£440m) and cheque fraud (£30m).

Reducing levels of card fraud in particular has been cited as a success story in the fight against fraudsters, with the latest figures from The UK Cards Association (6 October 2010) revealing that total fraud losses on UK cards fell to £186.8m between January and June 2010 – a 20% reduction compared with losses in the first half of 2009. This figure represented the lowest half-year total for 10 years, and the reduction was attributed to the success of a number of banking industry initiatives. For instance, the increasing roll-out of chip and PIN in the UK and abroad, a greater number of sign-ups to MasterCard SecureCode and Verified by Visa by cardholders and retailers, and the increasing use of fraud detection tools by banks and retailers have all contributed to the decline in losses.

A moving target

Unfortunately, criminals tend to be opportunistic and are always on the lookout for the next weak link in the system that can be exploited. According to Financial Fraud Action UK (12 January 2010), more than 50% of regular UK Internet users (41.4 million) are now banking online. This substantial growth in popularity of the online channel in recent years, both in terms of Internet shopping and online banking, has led to an increased number of attacks, in particular through phishing and financial malware. The NFA figures show that online banking has seen an increase of 14% (£60m) in fraud losses compared with the previous year. As such, the sector must continue to invest in anti-fraud systems and solutions to help stay one step ahead of the criminals.

However, because of the great variation between the security levels of online sites and the increased measures that merchants can take to protect themselves, there is a growing acceptance in the banking industry that not all fraud in the online channel can be conquered. Instead, the industry is positioning itself to pick and choose its battles, ensuring that damage can be limited and consumer confidence left intact.

Moreover, the latest Fraudscape report from CIFAS, the UK’s fraud prevention service, issued in March 2011, depicts the continuing migration of fraud to new sectors: fewer bank accounts and plastic cards were targeted by fraudsters (15% and 37% decreases respectively) only to be offset