FYI.

This story is over 5 years old.

Encryption and Other Tricks Are Making Malvertising Harder to Hunt

The latest malvertising campaigns "go to great lengths to fly under the radar."
December 9, 2015, 5:20pm
Image: Yuangeng Zhang/Shutterstock

Malvertising—the practice of using adverts to automatically deliver malware en masse—continues to hit some of the biggest sites on the web. On Tuesday, researchers from MalwareBytes reported that rogue ads had been diverting visitors from DailyMotion, one of the top 100 sites according to Alexa, to a malware-laden web page.

The sophisticated nature of the attack shows how hackers are using different methods to increase the efficiency of their malicious ads while avoiding detection by law enforcement or researchers.

Advertisement

"This attack is part of a new wave of malvertising campaigns that go to great lengths to fly under the radar," Jérôme Segura, senior security researcher at MalwareBytes, told Motherboard in a Twitter message.

Malvertising is when cybercriminals upload content to an ad network, which then sends the adverts to a website. Typically, the process of getting an ad in front of users involves real-time bidding, where ad buyers pay for a number of ad impressions beforehand and specify the demographic they're after. When a visitor matching that demographic goes to the site, whoever has the winning bid gets their ad loaded on the site.

More sophisticated malvertisers have adopted some tactics to cover up their tracks from researchers (who usually inform websites and ad network when they find suspicious activity).

"The whole malvertising sequence goes through an encrypted tunnel, making attribution extremely difficult"

The DailyMotion malvertisers used SSL encryption—the same sort of encryption your bank might use to protect your login details. Segura explained that this masks the URL which presents the advert, which may indicate who had orchestrated the attack, and also encrypts the content of the server responses, where you would typically see malicious code.

"In a nutshell, the whole malvertising sequence goes through an encrypted tunnel, making attribution extremely difficult and hiding any key elements," he told Motherboard.

This DailyMotion attack also used IP blacklisting, which "ensures that malicious content is only reproduceable once [for each user]," Segura said. This makes it increasingly difficult to trigger the malicious code in a lab environment, slowing research.

Finally, malvertisers are obfuscating their attacks with cleverly-written JavaScript. Lately, Segura said he had noticed cybercriminals mix lengthy, legitimate code and malicious code. "The JavaScript can be several pages long and go through several loops before delivering its secret," he explained.

The DailyMotion case is just the latest example; earlier this year, a wide-ranging malvertising campaign that hit sites such as Ebay, Drudge Report, and TalkTalk, managed to go undetected for weeks, thanks to at least some of these tactics.

"We can say that lately threat actors have really stepped up their game," Segura wrote on the MalwareBytes blog.