CyberWire Daily - Unpacking the Malvertising Ecosystem. [Research Saturday]
Episode Date: August 10, 2019
Researchers at Cisco's Talos Unit recently published research exploring the tactics, techniques, and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here: https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Our work in malvertising goes back to really the advent of Talos.
That's Craig Williams. He's the head of Talos Outreach at Cisco. The research we're discussing today is titled Malvertising, Online Advertising's Darker Side.
Back when Talos was first formed, there was really one malvertising campaign and exploit kit that ruled them all.
And that was the Angler Exploit Kit.
We estimated it was making, I think it was something like $60 million a year.
You know, we plotted out how we arrived at that number. And I think it was a real eye opener to the security community about how
effective these campaigns were. Now, you know, as a result of that campaign, sorry, that research
and some other research, the industry started cracking down, groups were put in jail, and it
kind of disappeared a little bit for a while. And so the reason we wanted to
write this up is because we wanted to talk about what they're doing with the infrastructure,
what we're still seeing from an advertising standpoint, and some of the newer things that
they're doing that I think users need to be aware of. What I love about this research that you've
published is how there's something in here for everybody. No matter what level you consider
yourself to be at when it
comes to understanding this stuff, this is a great place to start when it comes to understanding how
the online advertising world works and these threats against it and how they get to us and
do the things they do. So let's start with that together. Let's start with the very beginning with
some basic stuff. Can you walk us through what happens when someone starts doing online advertising? How does it work?
So basically, a user will go to a website and that website will need an ad, right? And that
ad request will go to a publisher. And then basically that goes to what's called an ad
exchange. Now, here's where it gets weird. There's a real time bidding system that'll
basically go back and forth between the publisher, the exchange, and that will figure out whose ad gets displayed. Now, this is the problem. Now, let's say you're a very reputable website, and let's say you want to make sure that the ads you show are non-intrusive ads, maybe make sure they're not for anything questionable or morally or ethically sketchy. Right. You just want it to be like maybe an insurance company.
Right.
Or something.
Right.
Right.
Something middle of the road.
Yeah.
The problem is with this system, that becomes difficult.
Right.
You may sign up for something like that.
You may think you're getting something like that.
But then at the end of the day, the reality is you get an ad that certainly may look like that,
but in the very bottom corner of the ad is a hidden redirection link
that basically hits a series of sites
that all do a very sophisticated system of checking
to make sure you're not a security researcher
that will end up directing you to a site
that's either hosting malware
or even potentially exploiting your browser
to install malware directly.
Hmm. All right.
Well, let's back up and walk through this
just really, really step by step
because there's a lot of nuance here to how it works.
When you say that this bidding process happens,
I mean, this is happening in a fraction of a second, right?
Absolutely.
It's all automated.
And it's based on the information they've gathered about me?
Yes.
So have you ever been surfing a website and all of a sudden it pops up and says,
hey, are you interested in computer security?
Go take a class at the local university and become an expert.
And you're like, what the hell?
Every day, Craig.
Every day.
Yeah.
That's how that kind of thing happens, right?
Your browser is tracking what you're looking at and providing that information to advertisers
so that they can target you with ads.
Now, to make it even more insidious, I'm sure all of you have some sort of ad blocker or
let's hope.
And you probably noticed a little button in there saying allow non-intrusive ads.
So there's actually a specification on advertisements that basically are, I forget the exact wording, but
effectively, you know, ads you want to allow and they have a unique identifier and you have to
provide that identifier before your ad and that will allow it to walk through your ad blocker.
And I imagine that advertisers being good upstanding online citizens totally respect that
tag. Well, the interesting part is the malware that we found actually is using one
of the, they're called ad block keys in order to bypass that type of detection. So the malware is
taking advantage of that to bypass ad blockers to still compromise the host. I'll give you an
idea of how we found this one. What kind of got us back into this search is we were looking at a
piece of sporting good equipment. I can't remember exactly what it was. It was going to be made, and then the
company basically realized that it was too far of an out-there idea and it wasn't going to be
feasible, and so they killed the project and shut down the website. Well, when you have something out
there that's like a, you know, cutting-edge piece of technology combined with sports, you know, people
may go click. And so what happened was the advertisers picked up the domain and they parked it and parked
all their ads on it. And so what was happening was anytime anybody Googled this or looked it up,
you would hit the site, you'd see the ad block key, it would bypass your, you know, blocking system.
And then if and only if you were using Safari, so this affected Mac users specifically,
it would serve up what we call a potentially unwanted program.
And it's a very nice way of saying garbage software, right?
Okay.
And in this particular case... That's quite a euphemism, yeah.
Right.
Well, in this particular case, it actually took it the extra mile and it was just flat out malware.
But you didn't know that right away.
It was actually completely unnecessarily sophisticated. It would serve you up an individually encrypted payload. That individually encrypted
payload would have its guts double encrypted using that same individual private key. When
you extracted that, it would actually look like a, I think it was a fake flash update
at the time. And that would actually install this piece of OSX malware, which would basically
intercept the web browser and shoot ads all over the screen and do all kinds of other uncool stuff.
Now, this is partially a result of the way that the ecosystem has developed for placing ads on websites, right? Because, I mean, it's impractical for, you know, if I'm the website for
my local newspaper or my regional newspaper, or even I suppose the New York Times or the Washington
Post, it's impractical for me to be manually placing these ads myself. That doesn't give me
the returns that I'd get if I turn it over to someone else. Absolutely. Unfortunately, we've
looked at a lot. We've looked at large advertisement
sites. We've looked at small ad providers. We have not found any ad provider that is 100%
clean of malware. Even the really, really good ones, they still occasionally serve up malware.
A lot of the time we have these systems set up. I think probably the most well-known one would be
our Threat Grid system, where people can go submit links, right, and submit malicious links. Right, so
that's the kind of system that you can automatically run these in. Sometimes, because of the way they work,
like, let's say you go to a site, you go through a series of redirections, and then you end up
getting compromised. Well, you may take the last website and send it to your friend and say, hey,
is this malware? Well, what will happen is the website will look at that and will check the referral link, and the referral link won't be
what it's supposed to be. And so then the website won't serve you the malware. And so what you have
to do is find that original page, the source page with the ad link on there. And keep in mind,
as we just discussed, because ads aren't predictable and because they rotate,
you might have to hit it a hundred times, a thousand times, 10,000 times before you get that magical compromised ad.
So automated systems really help find these. And because of the way that they're designed,
it can be very frustrating to try and track these down manually, particularly if you got
compromised and weren't capturing traffic. So walk me through the various ways that websites
and the people who run them are monetizing these ads.
Well, the main one is they just do it through an ad exchange, right?
You have a large website, you can go to an ad exchange,
and basically, you know, you'll have ads pop up on your site,
and for each ad, you'll get a, I don't know,
one trillionth of a penny.
I'm not sure what the conversion rate is exactly.
So you sign a deal with this site and you say, in exchange for space on my site, I'm turning over the control of placing ads to you.
And these are the list of things that I am requesting.
You're not going to put any ads for things that I find objectionable on my site.
Well, I think that kind of tuning probably really depends on the provider, but at a high level, yes.
Right.
Okay.
You basically pick an ad provider, you set it up on your site, and then hopefully it all goes well.
But from what we've seen, and, you know, I don't want to knock the ad providers entirely because a lot of this, I don't want to say it's not their fault, but it's basically someone abusing the system,
right? You know, an ad provider has, you know, what, millions of ads a day they serve on a
variety of sites. Of that million, how are you supposed to find the one one-tenth of one percent
that has a link hidden in there that goes through a series of, say, 30 websites that redirect,
that then may serve up malware if your browser responds with
the right things to the malvertising site. So it can be very difficult. Unfortunately, that's why I
think most security-conscious people have opted to just block ads, because there's not really a
bulletproof solution here. Yeah, and that's a big stick. It's sort of an on or off. It,
it can be frustrating, I find, because it's not that I don't want to support the websites that
I read through allowing them to put ads in front of me, but it's all this other stuff,
all this tracking and all of the possibility for malware. I feel like it's, it's not proportional.
Absolutely. And it's unfortunate now because more and more news sites are saying,
if you don't turn on ads, we're not going to allow you to view our site.
And so there's a lot of different ways to deal with it.
One of the most effective is doing it through your DNS system.
So if you have something like OpenDNS, right,
you can go take all your ad servers and say, I don't want those to work.
And that will fix a lot of the problem. But even then that can cause you issues. So there's not really a
great way to do it. That's why it's usually not on by default. You know, if you go to work,
chances are they're not blocking ads because they want the web pages to work so that you can do your
job. But at home, on the other hand, I run a very aggressive ad blocking system, you know,
because I don't trust my children.
That's all right.
I can relate to that.
You know, and I know that if they do need to do something on a website and it's not working because of the restrictions I put in place, I'll happily go fix it.
Now, unfortunately, that doesn't really scale to the enterprise environment.
And that's where it gets very difficult. And that's why, from an enterprise perspective, I think you've really got to rely on that layered defense, right?
Maybe run some sort of ad blocker, block the really bad stuff.
Run some DNS security, block the known bad domains, and do what you can to block as much of it as possible while not impacting known good sites.
Well, let's walk through this together. On the research that you published here,
you have an example of a malvertising campaign and you sort of take us through step by step
to what's going on, how it works and how they get away with doing what they're doing. Can we
do that together? So this was the one where we had the sports website that basically the company had abandoned. My boss went there and said it was down.
And I went there and I was like, well, it doesn't appear to be down. Oh, look, it's offering me a
flash update. I'm reasonably certain that's not cool. So we started taking it apart. And that
was the one that had the encoded blob inside of it, right? And so we started decrypting it and taking it apart. And it turned out it was a really well
known piece of OSX malware, basically a piece of, I don't want to say just adware because that
doesn't do it justice. I'm drawing a blank on the family name. But basically, it would install
itself into the system so that it would intercept calls to the browser and inject ads in the
background. I think it's really important for people to realize that 10 years ago, OSX didn't have
this type of problem.
Right.
Well, these days, OSX is as popular as Windows.
Hmm.
Right?
So all the problems that we have with Windows are going to be in OSX.
When you say as popular, you mean popular with users, not necessarily with the bad guys
yet, but they're heading in that direction.
I want to say they're already headed in that direction.
Okay, they've arrived.
Yes.
They've established a beachhead.
I think they've established a beachhead, and we're not really good at seeing it because most Mac users don't have any sort of antivirus.
Yeah, and I know Apple does a really great job of looking for malicious DMGs.
But one of the very first things that this malware does is it went in and disabled the system that looks for signed binaries.
And so by doing things like that, it basically allows it to take full advantage of the system.
And so if you look at the blog, you'll notice there's a chart, a sequence of one to nine.
And so this is the redirection system that I mentioned. And so I wanted to be very clear to anyone looking at the blog, while this particular chain only had a
sequence of nine different sites that it kind of ground through in order to get to the actual
malware, as I was knocking these down, right, as Matt was knocking these down, we would watch it
change. So it was a redundant system. I want to say we ended up blocking
probably dozens to hundreds of different redirection stops. We ended up scripting it
and automating it because it was very clear that the system that was being used was not one that
was basically made by a human. It was something that somebody scripted up to design. And so
it was enormous. And so that's really what blew me away was that for this adware, right, and it's adware with quotes because I would qualify it as malware, but it's a piece of malware designed to show ads, basically had an enormous redirection system that we previously really had only seen with things like malvertising in order to distribute this software.
And they're making money how?
So historically, when we see things like this, they make money through the ads. They make money by installing third-party software.
One of the very first things we looked at from a cross-platform malware perspective was one called
Kyle and Stan. And the reason it reminds me of this when you bring that up is it would actually pass the dollar value encoded back to
the server. And so if the malware installed somebody's piece of malware, well, that would
get called back as like you owe them a dime or a penny or whatever. So they do get paid by the
software. They do get paid by the ad generally. And so that's really how these situations work.
And think about it when we're comparing ransomware and crypto mining, right?
Well, if they had installed typical malware, maybe they would have gotten some accounts.
Maybe that would be worth a little bit of money.
However, much like crypto mining, if instead you're injecting ads into the system constantly
and have a very small yet very consistent revenue stream, if you can do that on a large
enough scale and if you can do that regular enough, well, number one, it's not high enough profile for
most law enforcement to bother with. Number two, are there really any significant damages? You're
just injecting ads and making the user experience unpleasant, but you're not damaging data. You're
not damaging the computer. And number three, chances are the user's not going to fix it,
and you're going to continue to have income for a while. So, you know, I think there's advantages
to this and I think that's why bad guys are looking at it. And I think that's why we kind
of wanted to put these two out there together to show people the problem with some of these
potentially unwanted programs. And that kind of gets us to the last part I wanted to talk about
today. And it's not necessarily to do directly with the blog post, but it's one of the things that I see constantly. People advertise
apps and app stores, you know, like, hey, would you like a free VPN? Or hey, would you like free
antivirus done on the wire? And, you know, if you see that, you should run in terror.
There is no free VPN, right?
You're taking your secure traffic and you're just giving it to some guy in some other country or some girl in some other country. And maybe she has nefarious ideas for it.
You really don't know.
So I think when it comes down to programs like that or programs like this or fake flash updates, users need to be terrified.
They need to realize that that's a bad idea. No one offers that for free.
So in terms of defending against this malicious advertising from an enterprise level, like you
mentioned before, you know, defense in depth, what sort of tips do you have? Do you have any
specific tips? Well, I think the main
one is to make sure that you're using a DNS provider that provides some level of security,
right? And there's lots of good free ones out there, right? Personally, I love OpenDNS because
we own it and I get telemetry from it if people use it. Come on, guys, use it. But, you know,
Google provides it. There's some other ones out there and they provide varying degrees of security. You know, I think that's one good layer. You know,
another layer is making sure you have some sort of security client on the endpoint. Right. And
that could be antivirus. That can be something more advanced like AMP. It's just got to be
something that you have in that endpoint in case something silly happens. You click the wrong thing
and the file comes across. You need something to intercept it and fix it. Right. And I think, you know, the third thing is obvious,
right? Patch. You know, you never know when you might be directed to a malicious site.
So patch, you know, and if you can't patch, maybe the built-in browser will install a secondary one
you can patch and use that for your primary browsing. You know, I think we've all been
through this experience, particularly
on our mobile devices, where you're minding your own business, browsing from site to site, you visit
a legitimate site and suddenly your device gets taken over with that message that says,
congratulations, you're today's, you know, 500th visitor. You're going to get a free iPhone or a free iPad or a free car or something.
And obviously that's frustrating. Can you give us some insights? First of all,
what is likely to have happened when we experienced that?
Well, a lot of times that's just an ad, right? And that ad may link you to a site trying to get
your personal information or to even install malicious software or a potentially unwanted program. I think that's
very, very common. The one that I worry more about is when I go to a site that looks legitimate,
the page pulls up and then all of a sudden I'm being redirected through dozens of sites,
right? That will never happen from a benign perspective. It just doesn't.
And when that redirection, that bouncing from site to site, happens, can you see that happening?
Is that happening in plain view?
Yes. Usually you can see it happening.
You'll notice your URL is changing very, very rapidly.
And you'll notice that it's usually got some sense of randomness in it, like at the back of the URL or something.
And you'll wonder, why am I going to the site? Well, the reality is you're going to a site that the attacker
doesn't want people to know about. And they know that if you do end up in the last site,
the site with the landing page, and it gets blocked, well, they have a redirection chain
of a dozen sites to get there. They can simply point that last link or one of the other links
to somewhere else and still compromise users. From the website that's hosting the ads, from their point of view, is there
anything that they're doing on their end to try to prevent this sort of stuff? Are they doing any
analyzing or filtering of their own? I don't want to say they're not, because I know there's a lot
of attempts to do something good. What I can say, I haven't seen anything super effective.
Okay.
Right. Now you've got to remember from their perspective, they may not even see what's
happening, right? You basically go to their site, you see their ad, and then you get linked off to
another site from a, you know, a hidden frame or a link hidden somewhere in the ad. They're not
really going to see that. So they're not even going to necessarily know what happened, which
is why it's
so difficult to be put in a position where you're hosting a site with ads, because if you are
compromising your user base, you may not notice. And at Talos, we have reached out hundreds of
times to these sites that unknowingly are hosting these ads. I mean, we're talking anything from
like a major news site to utilities and everything in between, you know, government sites.
Even some of the more sketchy businesses were more than happy to help so they don't compromise
their users.
Right.
But I think that's, you know, getting back to that thing about the pop-ups on the mobile
device, I think that's one of the really frustrating things about it is that for folks who want
to try to do the right thing and report this, to feel as though that's really not going to be
effective. There's really no good way to report this to someone who's really going to be in a
position to do anything about it. Well, I mean, you know, there's always the good folks at Cisco
Talos. Do you really want to open yourself up to all those emails, Craig? Well, so we have a system
in place. I suppose it is your job. Yeah, we actually have a system in place.
You can go to Cisco Talos and go to our reputation center.
It's the top of the page.
It's where you file disputes for sites that should be blocked or sites that are blocked that shouldn't be.
So by all means, if you have information, we'd love to have it.
Now, the reality is a lot of these sites, they get compromised.
It's not even necessarily an ad sometimes.
Sometimes they'll use an exploit and inject it into the main page of the site.
Those typically get cleaned up pretty quickly. So sometimes by the time we see it, it's already gone.
But luckily, due to our telemetry systems and our sandboxing and all our automatic stuff,
we do catch a lot of these very, very quickly.
Yeah, that's an interesting point. I mean, by their nature,
I suppose a lot of these campaigns are fleeting. It depends on how it's implanted, right? If it's on an
advertisement site, then it's going to be popping up randomly all over the internet, right? If on
the other hand, maybe the victim had a WordPress site for their recruiting portal, well, somebody
could, you know, use a WordPress exploit. There's like a new one, whatever, 138 days. They can use that to actually edit one of the pages and put it in there, in which case you'll see it until the person who owns the website notices it. We report a lot of websites. And that's where you rely on either, you know, your endpoint security system, your DNS security system, or maybe even
something like Firepower in between to take care of that and mitigate it for you. And you know,
when some people say defense in depth, it's not a marketing term. I mean, that's what it means is
have overlapping security so that if one product doesn't see it, because maybe it's not an exploit
on the page, right? So that means Firepower is not going to block it. Maybe it's a domain known to be
associated with nefarious activity, and so that means instead, you know, a DNS security system like
Umbrella is going to say, oh, you want to look up supermalware.com? I'm not going to let you do that,
you're making a mistake. But right, and so that extra layer can protect you.
Our thanks to Craig Williams from Cisco Talos for joining us.
The research is titled Malvertising, Online Advertising's Darker Side.
We'll have a link in the show notes.
Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening.