Malware menaces poison ads as Google, Yahoo! look away


steven36

Booming attack vector offers mass malware distribution, stealthy targeting

Feature: Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet's money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.


Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world's most capable exploit kits, then pay to have them served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

Ads were identified as an attack vector in 2007, when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storm Center had concocted a name for the attacks.

Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to RiskIQ figures. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, with some 12.4 billion malvertisement impressions served.

It is a scourge that, according to malvertising research, will inflict up to US$1 billion in damages this year, making the threat difficult to overstate. June was, at the time, the worst month for malvertising in history. The record was usurped the next month. Now some researchers say August might be next.

The threat, coupled with privacy concerns, is driving users to block ads. PageFair statistics indicate some 198 million users operate ad blocking software, up by 41 percent globally since last year, and digging a $22 billion hole in the online ad industry.

"Malvertising is one of the biggest vectors for mass compromise out there," says Jason Schultz, technical leader of Cisco's Talos threat research team. "There is not much vetting (of ad buyers) going on at all, and unfortunately the big sites are displaying these ads."

The pitch
Malvertising is a parasite that feeds on the popularity and trust of big-name websites, notably news publications. Advertising on these big-name web assets offers malvertisers the means to attack masses of unsuspecting people who otherwise avoid or are suspicious of less popular sites. The compromise is almost always immediate and invisible to victims and admins.

Much of it takes place when legitimate websites, often those in news or pornography, load a third-party ad banner that an attacker has bought through an ad network or exchange. That ad contains malcode that redirects visitors who receive it to a malicious landing page, which executes various exploits tailored to the user's system. This establishes a beachhead through which payloads like bank trojans, bots, and ransomware are pushed.

The ad machine also offers easy access for criminals who, thanks to the fast-moving nature of the advertising business, appear indistinguishable from legitimate customers. In this marketplace, attackers reside in the lawless bottom tier where traffic, or inventory, is sold and re-sold to buyers wanting to post their ads.

Moreover, the malvertising can be targeted to specific victims using the same features that legitimate advertisers use to hit users interested in the kinds of products they sell. This means criminals can target government IT shops looking for extended Windows support, or defence contractors seeking state tenders.


This buying and selling happens in real-time advertising exchanges, where anyone with the cash can pay to play. Once an attacker buys an advertisement, their creative can be served to targeted users on specific websites as part of the deal. An attacker's ads may contain malicious redirects, exploit kits, or Adobe Flash exploits at the point of sale, or these may be introduced later.

"Malvertising can be hard to measure because so many attacks go undetected," says Jerome Segura (@jeromesegura), senior security researcher at California-based MalwareBytes. "This is due to the fact that malicious actors are extremely agile and stealthy."

The malvertisements too are dynamic, meaning only some visitors to a site are exposed, which makes reproducing attacks difficult. Schultz says Flash advertisements are "basically miniature programs," meaning that the bad bits of an ad can be switched on once it is showing on a big-name site without triggering alarms, unless those analysing the creative are really good at disassembling it. Coupled with targeted advertising, attackers have "the ultimate flexibility in infecting who they want to infect and serving the exploit that matches a victim's system".

Poisoned ads are a natural progression for net villains in search of a means for mass distribution of payload, according to Nick Bilogorskiy (@belogor), security research director of California-based Cyphort. "Unlike worms' peer-to-peer viral approach, malvertising follows the one-to-many client-server approach, [where] attackers infect one advertising network and reach hundreds of websites that load ads from it, and millions of visitors to each of those websites," Bilogorskiy says. "And they don't even need to hijack or compromise the ad network – only need to buy an ad and obfuscate the malicious nature of the ad until it is reviewed by the ad censors."

Here hackers have many tricks to conceal their advertisements, according to the accomplished security boffin. These include enabling the malicious payload after a delay, serving the exploits to every fifth or so user, verifying user agent strings and IP addresses before delivering the exploit, and using SSL for redirection to frustrate efforts to follow attacker footsteps.
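One way a defender can surface the cloaking tricks listed above is to fetch the same creative repeatedly from several client profiles and compare the redirect chains. The script below is an added example, not code from the article or from any ad network; its fetch log, hostnames and `DECLARED_HOSTS` are constructed for illustration.

```python
"""Differential checks on ad creatives: added example, not code from the
article or any ad network. All records and hostnames below are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the (fictional) advertiser declared when submitting the creatives.
DECLARED_HOSTS = {"ads.acme.test", "www.acme.test"}

# Constructed fetch log: one entry per retrieval of a creative from a given
# client profile (browser family + IP type), with the redirect chain seen.
FETCH_LOG = [
    # cr-1001: consistent, stays on declared hosts for every profile
    {"creative": "cr-1001", "profile": "chrome-residential",
     "chain": ["https://ads.acme.test/cr-1001", "https://www.acme.test/offer"]},
    {"creative": "cr-1001", "profile": "curl-datacenter",
     "chain": ["https://ads.acme.test/cr-1001", "https://www.acme.test/offer"]},
    # cr-2002: cloaked, only browser-like residential clients are sent onward
    {"creative": "cr-2002", "profile": "chrome-residential",
     "chain": ["https://ads.acme.test/cr-2002", "https://trk.example-net.test/go",
               "https://landing.bad-example.test/x"]},
    {"creative": "cr-2002", "profile": "curl-datacenter",
     "chain": ["https://ads.acme.test/cr-2002", "https://www.acme.test/offer"]},
    {"creative": "cr-2002", "profile": "ie-residential",
     "chain": ["https://ads.acme.test/cr-2002", "https://trk.example-net.test/go",
               "https://landing.bad-example.test/x"]},
    # cr-3003: intermittent, the same profile lands elsewhere on one fetch
    {"creative": "cr-3003", "profile": "chrome-residential",
     "chain": ["https://ads.acme.test/cr-3003", "https://www.acme.test/offer"]},
    {"creative": "cr-3003", "profile": "chrome-residential",
     "chain": ["https://ads.acme.test/cr-3003", "https://www.acme.test/offer"]},
    {"creative": "cr-3003", "profile": "chrome-residential",
     "chain": ["https://ads.acme.test/cr-3003", "https://landing.bad-example.test/y"]},
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def analyse(log, declared_hosts):
    """Per creative, report the warning signs seen across its fetches."""
    by_creative = defaultdict(list)
    for rec in log:
        by_creative[rec["creative"]].append(rec)

    report = {}
    for creative, recs in by_creative.items():
        finals = defaultdict(set)  # profile -> final landing hosts observed
        for rec in recs:
            finals[rec["profile"]].add(host_of(rec["chain"][-1]))
        # Profiles land on different hosts: user-agent / IP cloaking.
        profile_dependent = len({frozenset(s) for s in finals.values()}) > 1
        # One profile lands on different hosts across fetches: every-nth-user
        # serving or delayed activation.
        intermittent = any(len(s) > 1 for s in finals.values())
        # Any hop to a host the advertiser never declared.
        seen = {host_of(u) for rec in recs for u in rec["chain"]}
        undeclared = sorted(seen - declared_hosts)
        report[creative] = {
            "profile_dependent": profile_dependent,
            "intermittent": intermittent,
            "undeclared_hosts": undeclared,
            "hold_for_review": profile_dependent or intermittent or bool(undeclared),
        }
    return report
```

SSL on the redirect hops hides the URLs from a passive network observer but not from the fetching client itself, so a crawler of this kind still sees the full chain.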



Fire sale
The industry's top malvertising experts are unanimous: for all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

Craig Spiezle (@craigspi) has spent a career in the advertising and marketing business, most recently as a privacy- and security-focused product director with Microsoft, before joining the Online Trust Alliance as president. He paints a picture of an advertising sector that has lost control of its ability to know its ad space buyers, since moving from intimate discussion between client and customer to an automatic and instantaneous online machine.

"There is no friction or circuit breaker to vet the ads. It wasn't that long ago that you would come to me on a first-party basis, and we would take pixels, and now there is no insight anymore, and the publishers have no impact on this because they need to take ads to stay in business," says Spiezle.

And this opaqueness leads to reoffending, Bilogorskiy says, noting that more than a third of malvertising-affected websites are re-offenders, which implies that advertising companies lack an "effective proactive prevention solution" to the problem.

For its part, Google has pushed its Safe Browsing initiative, born in 2006, which it badges as a user's often "last line of defence". It is tasked with stopping Chrome users from being hit with malware served by ad injectors and "ad networks lacking strict quality guidelines", but makes no mention of attacks made through its flagship DoubleClick platform.

Bilogorskiy says AOL is another big ad network name he sees exploited in the malvertising game, operating a network reaching 199 million unique visitors a month and a whopping 88.8 percent of US internet users.

Meanwhile, ad giants have joined forces to protect their revenue under the Trustworthy Accountability Group to better blacklist robot web crawlers that generate fake banner clicks.

Creative
The biggest-name news websites and web properties have been hosed: The New York Times, Reuters, Yahoo!, and Bloomberg are just a few. Yahoo! and Google's fragile ad networks have also seen their news and YouTube assets popped.

This month, Australian telco Telstra was found serving exploit kits through malvertising, while industry sources say in unconfirmed reports that Foxtel was last week doing the same.

News sites are so vulnerable because they tend to pull in and display a lot of un-vetted third-party content. Browser script blockers register up to 30 of these sources, of which only a few are required for the sites to run. Any one of them could be used to hose visitors.

The most capable malvertisers foist exploit kits like Angler and Nuclear, which identify the best vulnerabilities – from Adobe Flash to Internet Explorer – to compromise website visitors. Cisco says 40 percent of users who encounter these exploit kits are compromised by them.

Angler’s "success" can be attributed partly to its simple but well-constructed web landing pages. Cisco researchers suggest that the exploit kit’s authors may be relying on data science to create computer-generated landing pages that resemble normal webpages and easily dupe users.

It is difficult to pick a winner for the most damaging malvertising case, but Yahoo!'s malvertising breach this month had the potential to expose any of the site's pool of 6.9 billion monthly visitors.

Earlier this month the Huffington Post was, for at least the fourth time this year, hit with malvertising that redirected users to exploit kits in an attack launched through AOL's adtech.de ad platform.

In July, a malvertising campaign potentially netted some 10 million visitors in 10 days with attacks across popular Asian web sites. Those attacks were also launched through adtech.de.

These examples are very much a drop in the ocean of attacks. Readers looking for further evidence of the carnage should search the web for malvertising attacks over the last six, twelve, and 24 months to see what is surely the tip of the iceberg of publicly-reported malvertising breaches.

However users do not have to be completely hacked in order for criminals to make bank. Cisco this year was surprised by what it says is an "extensive" operation involving professional and sophisticated code to foist browser add-ons onto users' machines by way of malvertising operations.

It also notes that adware is a popular piece of kit to foist: it generates illegitimate ads, is, like add-ons, harder to detect than exploit kits, and brings in long-term money through pay-per-install and ad-click models.

Mad men
Malvertising campaigns are something criminal groups can keep in-house or pull off by paying outsiders. The service-based cyber-crime model is well-greased and allows the bad guys to pay niche experts for encryption, stolen traffic, and so on.

Independent French malware researcher Kafeine (@kafeine) points out operators on underground forums who are selling stolen traffic for malvertising, with prices ranging from US$4000 for 100,000 multi-geographic hits (known in the marketplace as 'loads') to US$70 for 1000. By country, GrandClix sold United States traffic for the highest price, at US$500 for 1000 hits, with Australia and the United Kingdom attracting US$450 for the same amount.

Some groups do not need to outsource. "Depending on the individual case, some groups are almost owning the whole chain," Kafeine says. "From the malvertising to the command and control of the malware loaded onto victims - they just rent the exploit kit slot."

Fessleak: The Zero-Day Driven Advanced RansomWare Malvertising Campaign http://t.co/aN6cHt7sUK pic.twitter.com/waInmhBRi8
— Invincea, Inc. (@Invincea) February 6, 2015


Cisco's Schultz points out much the same, illustrating in March how one group had a "business relationship" with malvertising redirectors who offered the necessary traffic for the criminals to foist and fund their pay-per-install malware.

Both Kafeine, a skilled anti-cyber crime boffin, and Patrick Belcher (@BelchSpeak), senior researcher for security firm Invincea, say a single actor, judging by its tools, tactics, and procedures, is behind the recent major malvertising attacks against Yahoo! and big news sites.

That actor known as Fessleak has popped Yahoo! News, Huffington Post, and AOL among dozens of others serving the Kovter malware and using various exploit kits. The Invincea man says the actor is a "lone wolf" focused mainly on bedep click-fraud or advertising fraud bots. "He buys ads for three bucks from an ad company and then defrauds them out of $1000s from ad fraud," he says.

Another group Belcher has yet to reveal is a Russian outfit called ISGroup, so dedicated that it created an entire fake company website devoted to solar energy in order to deliver a single convincing malvertisement, one which foists the Rovnix rootkit.

Google was one of the advertising companies that facilitated that attack. "The whole reason for the front company was to sneak past the vetters (ad networks)," he says.

Experts agree the sophistication of the attacks and the channels that allow criminals to pull it off are set to improve to take advantage of the huge profits on offer. For some $6000 of investment, the Mad Hatter found criminals can inflict more than US$500,000 in damages.

"..." – That's what big ad networks say about malvertising
The big ad networks are not talking, but they did in 2014 in a US Senate hearing chaired by one testy Republican John McCain. Google and Microsoft played down the malvertising threat which, then as now, was causing incalculable but immense online carnage.

They said malvertising was less of a threat than regular malware, and offered ultimately misleading metrics about how only a tiny percentage of ads are compromised, rather than the many thousands of users who are fully compromised when Google serves Angler on YouTube ads.

"Their (ad networks) defence is that 'this is a one percent problem and I don't want to design for it, 99 percent is good enough'," says Spiezle. "But one percent last year was over 15 billion impressions." The Online Trust Alliance formed the Advertising and Content Integrity Working Group to bring in the advertising players to help address the malvertising scourge, but it lacks interest from the big players.

"The challenge is in all candour that the big dominant players aren't willing to come to the table and will contend that they have the problem under control," Spiezle says. "These are the Yahoo!s and Googles of the world, and the impactful trade organisations." Ad networks and exchanges do not have the problem under control, according to Spiezle, and they do not know who their advertisers are, nor what code they are submitting. "Everyone says it's not their fault. The system has a lack of accountability."

Some US researchers believe members of the US Congress already savvy about the malvertising menace are likely to propose legislation to regulate the online advertising industry, which they say is an unfortunate but ultimately necessary move when self-regulation fails.

"Unfortunately, there appears to be a lack of transparency within the largest advertising platforms," says one accomplished security pro on the condition of anonymity. "The cause is multi-faceted, but a systematic issue is that there are so many resellers within these advertising networks and no one has basic information on the end customer submitting the ads."

Those criticisms were echoed by many experts interviewed for this story: citing the small number of bad ads is fact-fudging because, in the wash, those bad ads can easily reach 100,000 users in a day.

"Google has something like 3.5 billion searches a day, so what's one percent of that?" says Cisco's Schultz. "That's a lot of damage in a short amount of time. There is a big issue of trust because people's guard is already down."

Abhinav Singh (@abhinavbom) is a threat researcher formerly with Symantec and now at a major investment bank. The fraud and malware boffin joins the chorus of criticism against advertising networks for failing to implement proper security sanitisation checks of advertisement code. "It is the ad networks that are to blame," says Singh. "Their lack of sanitisation checks and security controls allows attackers to inject rogue ads and malicious code in order to convert an ad into a weapon."

Some networks will buddy-up with malvertisers, Singh says, to cash in on lucrative malvertising opportunities. "So it's the responsibility of the ad channel owners to protect the rights of the users."

While the ad networks have kept mum, experts are full of recommendations. While the source of the crime points irrefutably to ad networks, big and small, website owners have a part to play in reducing or vetting the sources of content that display on their sites. The Register for its part goes to some length to pull ads from reputable entities.

MalwareBytes' Segura says ad networks need to implement more stringent security and validation measures like extending probation periods for new advertisers to trusted companies, while patching remains a perennial problem in allowing attacks to occur.

"Some of the biggest cases we have seen in the past have involved duping an advertiser that the ad network had already vetted," he says. "Also, another crucial aspect is ad networks' response time to minimise the impact on end users [which] is especially true for rogue advertisers that use a crash-and-burn approach where they know they will get caught and are trying to get as many impressions as they can before it happens."

The increasing deployment of Secure Sockets Layer (SSL) across ad networks will complicate researchers' efforts to determine the source of attacks, something Segura sees as a "huge issue in the near future".

The unanimity of opinion continues. "Everyone is partly to blame," says Bilogorskiy. "Popular websites still using ad exchanges for monetisation, ignoring the risk to their users. Ad exchanges pass the blame onto other entities in the ad food chain, like ad networks. Ad networks are not filtering their ad creatives completely. Users do not secure their browsers, do not patch their systems and still use broken technologies from the 1990s like Java and Flash. Browsers do not yet disable all of these technologies by default for 'good user experience'."

For Schultz, and others, publishers have a part to play beyond pointing fingers at the third-party ad networks they allow to display content on their sites, for good or ill. "You can't have it both ways. Some sites are loading third party content from maybe 50 domains and any one of these could load malicious JavaScript."

They say the use of so many untrusted third parties on big sites needs to end. Some, Schultz says, should vet content and load it from their own domain.
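To act on that advice a publisher first needs an inventory of which external domains its pages actually load. The script below is an added example, not the article's or any publisher's code: it parses a constructed page, lists third-party hosts against a constructed allowlist, and drafts a Content-Security-Policy script-src that admits only the vetted script hosts.

```python
"""Third-party origin inventory for a publisher page: added example, not code
from the article or any publisher. The page, site host and allowlist are
constructed; all hostnames are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed publisher page with first-party assets and several third-party
# loads of the kind a browser script blocker would list.
PAGE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://ads.vetted-network.test/tag.js"></script>
<script src="//cdn.stats-example.test/beacon.js"></script>
<link rel="stylesheet" href="https://static.news-example.test/site.css">
</head><body>
<iframe src="https://exchange.unknown-example.test/slot?id=7"></iframe>
<img src="https://px.tracker-example.test/1x1.gif">
<img src="/images/logo.png">
</body></html>
"""
SITE_HOST = "news-example.test"
ALLOWLIST = {"ads.vetted-network.test"}  # third parties the publisher has vetted


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every element that loads a resource."""
    TAGS = {"script": "src", "iframe": "src", "img": "src",
            "link": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.resources.append((tag, value))


def third_party_hosts(html, site_host):
    """Map each external host to the element types that load from it."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = {}
    for tag, url in parser.resources:
        h = urlsplit(url).hostname  # None for relative, i.e. first-party, URLs
        if h is None or h == site_host or h.endswith("." + site_host):
            continue
        hosts.setdefault(h, set()).add(tag)
    return hosts


def review(html, site_host, allowlist):
    """List unvetted third parties and draft a script-src admitting only vetted hosts."""
    hosts = third_party_hosts(html, site_host)
    unexpected = sorted(h for h in hosts if h not in allowlist)
    script_hosts = sorted(h for h, tags in hosts.items()
                          if "script" in tags and h in allowlist)
    # CSP script-src: first party plus vetted script hosts; unlisted script
    # origins (such as the stats beacon above) would be blocked by the browser.
    csp = "script-src 'self'" + "".join(" https://" + h for h in script_hosts) + ";"
    return {"third_party": {h: sorted(t) for h, t in hosts.items()},
            "unexpected": unexpected, "csp_script_src": csp}
```

Run the review against the rendered HTML of a live page rather than the template, since ad tags inject further iframes and scripts at load time that a static scan of the template will not see.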

Crisis meeting
Experts recommend users run advertising or script blockers to prevent random redirection from malvertising. "Advertisers are really going to hate to hear this but blocking advertising for user protection is a really effective way of blocking malvertising," Schultz says.

Users can use script blockers or ad blockers to reduce their exposure. This reporter has anecdotal evidence that many in the industry run the likes of Ad-Block for security purposes. The scourge is so bad that Cisco's Schultz and the rest of the Talos team recommend the blockers as a security measure. Schultz personally recommends Request Policy for Firefox users.

For Spiezle, advertising networks need to introduce a kind of fast-track circuit breaker system akin to the US Trusted Traveler programme for air travel, where indicators that reveal an advertiser's identity are used to establish trust. These trusted advertisers would be known suppliers of legitimate advertisements and as such would enjoy the current speed and flexibility of the ad marketplace. "Those who are not known, the company might have a new gmail and IP address, would be subject to manual review."

He says trusted advertisers could still be used to foist malvertisements by insiders, but those threats are minuscule compared to the current threat. A continual rise in ad blocking adoption, which increased by 82 percent last year in the UK to include 12 million users, could be the prompting ad networks need to invest and change their business models, he says.

"I implore the advertising industry to work with us. Demonstrate that you are making sincere efforts to fight malvertising and work with the broader security community."

Bootnote
The advertising systems that Google and the like have built are sophisticated systems that enable advertisements to be so dynamic that they target specific users on the sites they visit and for the things they buy, bringing in what remains a trickle of advertising revenue compared with the golden age of print.

Therefore the need to block advertisements in the name of security is, in your correspondent's loaded and conflicted opinion (I run script blockers myself), an unfortunate solution to the growing scourge of malvertising. Ads on websites and mobile apps are, like those on free-to-air television, important alternatives for consumers who cannot or do not wish to pay access fees for quality content. Blocking that source of revenue as a permanent solution only throws fuel on the already raging fire.
