Over the past few months, malvertising campaigns have been making headlines in the infosec community like never before. Sites like eBay, Forbes, and Yahoo have been hit, some not only once, and with more and more vicious malware waiting for users at the other end of the malicious ad.
We spoke about this rising trend in online threats with John Wilson, Field CTO at Agari, an email security company. Mr. Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions.
Mr. Wilson now continues his mission to rid the world of email fraud at Agari, a venture-backed startup that helped develop the DMARC standard.
Leveraging DMARC and private-channel email data, Mr. Wilson assisted Microsoft and the FS-ISAC with the B54 Citadel botnet takedown by providing data related to Citadel botnet infections and by acting as a declarant in the civil forfeiture action filed in US District Court. He also holds a B.S. in Computer Science and Engineering from MIT.
A recent Cyphort research report suggests that there is indeed an increase in malvertising attacks. Cyphort sampled 100,000 popular websites to determine which were serving up malicious ads and found a definitive upward trend.
The Angler exploit kit, which provides “malware as a service,” has made it extremely easy for non-technical cybercriminals to execute “drive-by-download” attacks. In this type of attack, the user need only visit the infected webpage in order to become infected with the criminal’s choice of malicious software. The challenge for the cybercriminal has become one of delivering victims to those infected websites. Traditionally email was used for this task; the criminal would impersonate a well-known brand hoping the recipient would click a link in the message. While email continues to be a common infection vector, developments such as DMARC as well as end user education have reduced the effectiveness of this medium for the cybercriminal.
Ad networks are the perfect vehicle for drive-by-download infections because no action is required on the part of the victim. The criminal doesn’t even care if anyone clicks on their ad; the infection occurs when the ad is rendered. Furthermore, the ad networks provide excellent targeting capabilities. Do you want to infect senior citizens with a net worth over $10M, or 30-somethings who work in the transportation industry? The criminal just configures his targeting parameters and lets the ad network find his preferred victims.
The scope and scale of the campaigns point to organized crime syndicates rather than lone wolves.
Absolutely. The level of technical expertise required to pull off these attacks is way beyond most criminals’ capabilities. The proliferation of low-cost crimeware kits significantly lowers the bar.
Different criminal groups have different motivations and target accordingly. For example, the well-publicized Porn Hub and XHamster attacks were clearly targeting home users, while the malicious advertisements on Forbes.com were probably focusing more on corporate users. Some criminal groups like to target businesses because the individual payouts can be so much higher, while others are content to steal a few thousand dollars from many individuals.
Running ads on your website only makes financial sense if you have a lot of visitors, so it’s not surprising that the best-known websites are being hit the most. There is also a media bias; if my 200-visitors-a-day blog infects 3 people, that’s not news, but when a major well-known website infects 30,000 people, it tends to make headlines.
Yes, to a degree. Exploit kits are like a Swiss Army knife; if you try every tool, you have a great chance of finding one that works. Removing Flash ads will render a large number of exploits useless; however, there are still plenty of non-Flash exploits that may suffice.