
Malvertising — a form of online and, increasingly, mobile ad-related fraud — is getting frighteningly bad. 

How bad is frighteningly bad? Well, besides costing the industry an estimated $8 billion a year in cleanup costs and lost revenue, it actually drove one security researcher to say that maybe, just maybe, ad blocking technology might be the answer, at least on corporate workstations. Yes, he went there.

Ad blocking is perhaps almost as hated by the legitimate Internet as malware is. After all, it undermines the core business model of online, well, everything. Users have made clear they will not pay for online content. The implicit agreement struck between them and publishers was that they would accept advertising along with their free content.

Some — well, many — users have grown weary of ads that have become cumbersome and intrusive. They have started to use ad-blocking software both on the desktop and on their mobile devices, a movement that really caused alarm when Apple added support for content blockers in Safari with its iOS 9 release this fall.

But few people have indicated they use ad blockers to keep their devices and desktops free of malware — and that is where Craig Young, a cybersecurity researcher at Tripwire, just went.

Patching Silverlight. Again

Several days ago Microsoft issued a batch of security patches, two of which addressed Silverlight.

"MS15-128 and MS15-129 are a reminder of the wide attack surface exposed by Silverlight," Young said. "With malvertising on the rise, even reputable sites cannot always be assumed free from malicious content so patching these holes should be very high priority."

"Some administrators may wish to go a step further and consider the use of ad-blocking technology on corporate workstations."

Bad In Action

The kicker is that the vulnerabilities Young was referring to were not even the worst malvertising news that week.

Around the same time, Malwarebytes Labs uncovered a malvertising attack on DailyMotion, a popular streaming video site that ranks among Alexa's top 100 sites and has over 128 million users. The attack was particularly scary because the attackers were able to profile potential victims, including the level of security they had installed, while also evading identification by security researchers, security researcher Jérôme Segura wrote in a blog post.

This is what happened.

The company had been tracking an attack via .eu sites for several days but kept missing the final payload. Finally it managed to reproduce a live infection via an ad call coming from DailyMotion and traced the malvertising to real-time bidding within the WWWPromoter marketplace. It turned out that a rogue advertiser was using a decoy ad to initiate a series of redirections through .eu sites that ended at the Angler exploit kit, which then tried to exploit the visitor's browser and plugins.

"The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim,"  Segura wrote. "In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler."

Malwarebytes contacted the parties involved and the issue was quickly resolved. But it left everyone a bit shaken.

Wrote Segura: "This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment."
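The cloaking Segura describes in the two quotes above, reduced to a toy model. This is an added example written for this article, not code from Malwarebytes, DailyMotion or WWWPromoter, and not a reconstruction of the real campaign: the IP ranges, user-agent markers, hostnames and the once-per-IP rule are all constructed assumptions, and the campaign's SSL and JavaScript obfuscation are not modeled. What it shows is why a single replay of the ad call from a lab looks benign: a visitor on a blacklisted range or with a scripted user agent only ever sees the decoy creative, and a genuine visitor gets the redirect hop exactly once.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed for this example: address ranges the rogue advertiser treats as
# security vendors, sandboxes or honeypots and never serves the real chain to.
RESEARCHER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed: User-Agent fragments that mark a crawler or scripted fetch.
CRAWLER_MARKERS = ("bot", "crawler", "spider", "curl/", "wget/", "python-requests")

# Constructed placeholder URLs (the .example TLD is reserved; nothing resolves).
DECOY_URL = "https://creative.decoy.example/banner.html"
REDIRECT_URL = "https://hop1.redirect.example/go?c=promo"  # first hop toward the EK


@dataclass
class CloakingAdServer:
    """Server-side logic a rogue advertiser might hide behind an ordinary-looking
    ad call (simplified model for illustration, not recovered code)."""
    served: set = field(default_factory=set)

    def is_researcher_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in RESEARCHER_RANGES)

    def looks_like_crawler(self, user_agent: str) -> bool:
        ua = user_agent.lower()
        return any(marker in ua for marker in CRAWLER_MARKERS)

    def serve(self, ip: str, user_agent: str) -> str:
        """Return the URL this ad call resolves to for the given visitor."""
        if self.is_researcher_ip(ip) or self.looks_like_crawler(user_agent):
            return DECOY_URL            # blacklisted: always the harmless creative
        if ip in self.served:
            return DECOY_URL            # payload is handed out once per victim
        self.served.add(ip)
        return REDIRECT_URL             # genuine first-time visitor: start the chain


def simulate(server: CloakingAdServer, requests):
    """Replay constructed (ip, user_agent) ad calls and return, per IP, the
    sequence of URLs the ad call resolved to."""
    seen = {}
    for ip, ua in requests:
        seen.setdefault(ip, []).append(server.serve(ip, ua))
    return seen


def lab_replay_misses_payload(server: CloakingAdServer, lab_ip: str, ua: str) -> bool:
    """True when one replay from the lab sees only the decoy, which is the
    'looks benign when reproduced in a lab environment' problem Segura describes."""
    return server.serve(lab_ip, ua) == DECOY_URL


if __name__ == "__main__":
    browser_ua = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
    server = CloakingAdServer()
    calls = [
        ("192.0.2.10", browser_ua),               # real visitor, first ad call
        ("192.0.2.10", browser_ua),               # same visitor reloads the page
        ("203.0.113.5", browser_ua),              # vendor sandbox on a blacklisted range
        ("192.0.2.11", "python-requests/2.9.1"),  # scripted fetch
    ]
    for ip, urls in simulate(server, calls).items():
        print(ip, "->", ", ".join(urls))
    print("lab replay sees only the decoy:",
          lab_replay_misses_payload(server, "203.0.113.9", browser_ua))
```

The practical consequence for defenders is the one Malwarebytes ran into: a single replay of a suspicious ad call from a known research network or a scripted client is not evidence that the call is clean. Reproduction has to come from an address the attacker has not blacklisted, with a browser-like client, on a first visit, or rely on telemetry from the endpoints that actually received the redirect.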

Video Sites Popular Targets

Just to be clear, it was not DailyMotion itself that was targeted, but rather the ad network the site uses, along with the other sites that are customers of that network, Adam Kujawa, head of Malware Intelligence at Malwarebytes Labs, told CMSWire.

But video sites are popular, so that is where the hackers go, either by posing as one (similar to the way Syrian rebels were fooled into installing malicious software through a shared link that led to a fake YouTube site) or by attacking the technology those sites rely on.

Because Silverlight is so heavily used by services like Netflix, it is often a target, Kujawa said.

In this case the payload was Bedep, a distribution botnet that can load multiple payloads on the infected host, but exploit kits can drop basically anything, Kujawa said.

"Bedep specifically installs on the system and secretly navigates the user's browser to various cyber-criminal-controlled advertisement pages, all in an effort to artificially increase hits to an ad and increase the revenue that cyber criminal would receive from the hit."

But what had the security researchers on edge was that this malvertising attack was profiling the potential victim, Kujawa said.

Hackers have gone from actively hiding their attacks from cybersecurity products to trying to detect the presence of such products in order to select their targets, he said. That means not only that their attacks will run longer without detection, but that they will be more successful, because the targets they pick are precisely the ones not taking proper precautions.

And that, actually, is the crux of the matter: lack of security is still a huge problem, as the successful attacks against retailers, health insurers and even the US federal government show. If only we could get everyone to regard malware with the same disdain they reserve for intrusive ads, they might take the necessary precautions.

Title image by Thom