Posted: March 29, 2016 by

Last updated:

Fraudsters game the ad industry system again to push malicious code.

Domain shadowing combined with fingerprinting continues to be an effective method to bypass security screenings and scanners from detecting advanced malvertising attacks. Just last week, some users visiting classifieds site Gumtree were exposed to malware via this very technique.

The latest victims from malvertising are two popular social sites: likes.com and livejournal.com. The former attracts close to 110M visitors a month, while the latter has over 140M.* It is worth reiterating that these malvertising attacks happen automatically and that users do not have to click on the ad banner to get infected.

Defrauding the ad industry

Online criminals harvest registrant/domain credentials from legitimate companies via phishing attacks or by using password stealers running on administrators’ machines.

They choose businesses that are most likely to offer a product or service and cleverly design an ad banner using some images and content from the site they are abusing. Last but not least, they register a subdomain (with the stolen username/password) to host that ad banner.

Figure 1: Advertisement’s source code in its ‘clean’ format. Nothing to see, much to hide.

When these fraudsters approach various ad platforms, they appear very much like legitimate businesses wanting to advertise. To make matters more complicated, they also serve clean content for a while and only target selected users which will be served the malware payload.

Evading the security industry

One such technique is called fingerprinting (for more information about it, please refer to our technical whitepaper). Malvertisers and exploit kit operators are looking to infect users with the highest possible success rate. To this regard, it makes sense to target people that are most likely to be vulnerable (outdated software, no security products installed, etc). This is also an effort to hide these campaigns from security researchers, honeypots and anyone trying to poke around.

The fingerprinting code looks for names of popular anti-virus and anti-malware software, security tools and other artifacts that would give away sandboxes and honeypots. It does so by leveraging a vulnerability in Internet Explorer allowing the webpage to enumerate the local hard-drive and its content.

Malvertising flow:

First attack:

Publisher : likes.com Ad network : AppNexus Fraudulent advertiser : crea.bouquetsandbunting.co.uk Google open redirect Angler EK

Second attack:

Publisher : livejournal.com Ad network : AppNexus Fraudulent advertiser : apis.arthurspools.com Google open redirect Angler EK

Below is an overview of the fingerprinting code and the ad banners that were served in these two attacks.

Figure 2: Sketch showing some fingerprinting code (background) hiding on the rogue ad server.

These two incidents both redirected users to the Angler exploit kit which can serve a variety of payloads ranging from banking Trojans, ad fraud or ransomware, just to name a few.

One of the best ways to prevent an infection from malvertising is to keep your computer up to date but also to use the security tools at your disposal. Interestingly, simply running Malwarebytes software automatically puts you in the “not a viable victim” bucket and the exploit kit won’t even launch.

We reported both of these attacks to the AppNexus ad network which quickly told us they had deactivated the two rogue accounts.

* numbers pulled from SimilarWeb.com.