Over the past few months, malvertising campaigns have been making headlines in the infosec community like never before. Sites like eBay, Forbes, and Yahoo have been hit, some not only once, and with more and more vicious malware waiting for users at the other end of the malicious ad.
We spoke about this rising trend in online threats with John Wilson, Field CTO at Agari, an email security company. Mr. Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions.
Mr. Wilson now continues his mission to rid the world of email fraud at Agari, a venture-backed startup that helped develop the DMARC standard.
Leveraging DMARC and private-channel email data, Mr. Wilson assisted Microsoft and the FS-ISAC with the B54 Citadel botnet takedown by providing data related to Citadel botnet infections and by acting as a declarant in the civil forfeiture action filed in US District Court. He also holds a B.S. in Computer Science and Engineering from MIT.
As journalists, we are seeing a higher number of reports from cyber-security vendors on malvertising. Is this trend based on a true increase in malvertising attacks, or are the tools used to detect them getting better at spotting them?
A recent Cyphort research report suggests that there is indeed an increase in malvertising attacks. Cyphort sampled 100,000 popular websites to determine which were serving up malicious ads and found a definitive upward trend.
What drives these cyber-criminals to choose malvertising campaigns over corporate network intrusions or other types of attacks?
The Angler exploit kit, which provides “malware as a service,” has made it extremely easy for non-technical cybercriminals to execute “drive-by-download” attacks. In this type of attack, the user need only visit the infected webpage in order to become infected with the criminal’s choice of malicious software. The challenge for the cybercriminal has become one of delivering victims to those infected websites. Traditionally email was used for this task; the criminal would impersonate a well-known brand hoping the recipient would click a link in the message. While email continues to be a common infection vector, developments such as DMARC as well as end user education have reduced the effectiveness of this medium for the cybercriminal.
Ad networks are the perfect vehicle for drive-by-download infections because no action is required on the part of the victim. The criminal doesn’t even care if anyone clicks on their ad; the infection occurs when the ad is rendered. Furthermore, the ad networks provide excellent targeting capabilities. Do you want to infect senior citizens with a net worth over $10M, or 30-somethings who work in the transportation industry? The criminal just configures his targeting parameters and lets the ad network find his preferred victims.
Are the people behind these malvertising campaigns part of organized crime groups, APTs, or just simple lone wolves seeking monetary profit?
The scope and scale of the campaigns point to organized crime syndicates rather than lone-wolves.
Most of the time, we see adware and ransomware being distributed via an exploit kit, all of them attack tools that can be purchased at quite low prices these days on the Dark Web. Is there a correlation between the proliferation of Dark Web hacking marketplaces and the increase in malvertising?
Absolutely. The level of technical expertise required to pull off these attacks is way beyond most criminals’ capabilities. The proliferation of low-cost crimeware kits significantly lowers the bar.
Do malvertisers have a special appetite for corporate targets, home users, or most of the time is it just a random, catch-all campaign?
Different criminal groups have different motivations and target accordingly. For example, the well- publicized Porn Hub and XHamster attacks were clearly targeting home users, while the malicious advertisements on Forbes.com were probably focusing more on corporate users. Some criminal groups like to target businesses because the individual payouts can be so much higher, while others are content to steal a few thousand dollars from many individuals.
Why are so many high-profile websites getting abused and spreading malvertising lately?
Running ads on your website only makes financial sense if you have a lot of visitors, so it’s not surprising that the best-known websites are being hit the most. There is also a media bias; if my 200-visitors-a-day blog infects 3 people, that’s not news, but when a major well-known website infects 30,000 people, it tends to make headlines.
Google and Amazon have announced plans to move away from running Flash ads. Will this affect the efficiency of malvertising attacks?
Yes, to a degree. Exploit kits are like a Swiss-army knife; if you try every tool, you have a great chance of finding one that works. Removing Flash ads will render a large number of exploits useless; however, there are still plenty of non-Flash exploits that may suffice.