Malvertising campaigns are becoming harder to detect

The techniques used by attackers are difficult even for security researchers to study

Jerome Segura, a senior security researcher with Malwarebytes, was recently stumped by a cyberattack he was studying. It seemed to keep vanishing.

Segura often studies malvertising, which involves seeding ad networks with harmful online advertisements that then appear on websites, potentially delivering malware to a person's computer.

It's a particularly insidious type of attack, since a person merely has to view an advertisement to become infected if their computer has a software vulnerability. 

"We knew there was something different that malvertisers were doing," said Segura in a phone interview Thursday.

The problem was they couldn't replicate the attack by viewing the malicious ad. It's almost as if the attackers knew they were being watched.

Cyberattackers often profile machines -- known as fingerprinting -- in order to attack ones that are being used by security researchers. Machines on certain IP addresses or VPN networks or those running virtual machines won't be attacked.

Segura couldn't get another look at the attack until he went home and used his home computer rather than the ones in Malwarebytes' lab.

The suspicious advertisement contained a one-by-one pixel GIF image. That's not usual, as pixels are used for tracking purposes, but this one actually contained JavaScript.

The JavaScript exploits an information leakage vulnerability (CVE-2013-7331) in older unpatched versions of Internet Explorer, Segura said. The vulnerability can be used to parse a computer's file system and figure out if it's running certain AV programs.

If a computer checked out, its user was redirected by the advertisement to a server running the Angler exploit kit, Segura said.

It is not unusual for cyberattackers to do some quick reconnaissance on potential victims. But Segura said this time around, the attackers are also taking other steps that make it very difficult for ad networks and security researchers to detect bad behavior.

The malicious ad, including the one-by-one pixel, was also delivered over SSL/TLS, which makes it harder to detect potentially malicious behavior, Segura said.

The malicious ad was carried by Google's DoubleClick and dozens of other ad networks. It appears the attackers had set up fake domains and even LinkedIn profiles months before to appear they were legitimate before supplying their malicious advertisement to the online advertising companies.

"It shows you how deceptive they can be and how many fake advertisers are out there," he said.

Segura said he has been in touch with DoubleClick and other online advertising companies, but the malvertising ad is still running in some places.

The automated nature of online advertising and the labyrinth of relationships between companies has made filtering malicious ads difficult, he said.

"What criminals have figured out is it's easier to infiltrate a third partner that works with Google but doesn't necessarily have the same security screening and tight guidelines," Segura said.

Malwarebytes posted a writeup of its research on its blog.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?