Hacked - Malvertising
Episode Date: April 28, 2020
Jordan Bloemen & Scott Francis Winder discuss how to turn popups into paydays with malicious online advertising. If you like the show and want to make sure we can keep making it, please subscribe and, if you can, visit https://www.patreon.com/hackedpodcast and show us some love. Also, don't forget to check out our loving sponsors.
Transcript
Internet security has found 20 unwanted files on your computer.
Congratulations. You are a winner.
Today only, special offer. Critical Firefox update.
You are randomly selected to participate in this short survey.
So you all remember Yahoo in 2013, right?
Seven years ago, Yahoo is getting about 7 billion monthly visitors.
They're generating around a billion bucks a quarter.
Times are good.
And they're generating most of that revenue off of advertising, the basic economic driver on which most of the modern internet is built.
With the exception of a handful of subscription services, Yahoo, like everyone else, are, and importantly were, selling the eyeballs of their visitors to advertisers.
One of the ad networks serving ads on Yahoo and a slew of other AOL-owned media properties at the time was called the Rubicon network.
Generally speaking, if I want to run an ad on the internet, I don't go directly to Yahoo,
or the New York Times or whatever site I want to run ads on,
I go to an advertising network.
There are hundreds if not thousands, and their job is to serve as middlemen
between advertisers and websites.
I pay Rubicon, I give them my ad,
they serve the ad to Yahoo, who runs it for their audience.
Yahoo gets paid out, Rubicon takes a cut,
my ad reaches its audience.
This is the basic economic model that props up the Internet today, and in September 2013, it failed spectacularly.
You see, Rubicon and OpenX and a bunch of these advertising networks,
partner with something called demand-side platforms or DSPs,
essentially services that let anyone buying ads bid across multiple platforms via one interface.
The DSP serves the ad to the winning network, the network serves it to the site.
Pretty simple.
Until.
One DSP starts serving ads on the front page of Yahoo and the Atlantic and AOL that delivered malware,
specifically a piece of ransomware called CryptoWall, which locks up a person's files unless they pay a ransom in Bitcoin.
All in, Yahoo alone exposed about 3 million folks a day to this malware.
And while we don't know exactly how many were infected total, best estimates say that the people behind the scam were generating about 25,000 bucks a day doing it.
Since 2007, people have been figuring out how to use online ads to scam, extort, spy, and grift people online.
This last week, a crew of cybercriminals found a new, pretty simple way to get around the walls that ad networks have built up to prevent what people call malvertising,
which makes this as good a time as any to dive into the history, the tricks, and the techniques of turning pop-ups into paydays.
This is malvertising.
Here, on hacked.
So back in 2007, we bump into what is the earliest instance that I can find of this term, this kind of corny term, malvertising.
It's a post on a website called the Internet Storm Center.
And the poster, a guy named William Salusky, writes,
malvertising, malicious advertising,
is a reasonably fresh take on an online criminal methodology
that appears focused on the installation of unwanted or outright malicious software
through the use of internet advertising media networks.
Which brings up the question, what is an ad?
Not in like a philosophical sense, but all the ads we see online,
if I want to run one, what is it that I'm making?
Well, I think there's an evolution there where I think the original online ads were just like a JPEG.
You know, you bought content or you bought ad properties off of the actual website itself.
There weren't really ad networks.
You gave them leaderboard images and they just put them and embedded them on their website.
Then kind of as the industry evolved, you got into ad distribution networks and content networks and, you know, automated platforms that deliver these ads, et cetera.
Now we're at the, we went to a flash-based ad system where, you know, you could deliver SWF files, which were essentially animations or movies that played on websites.
And now I think with the kind of the death of flash, we're seeing an increase in HTML5 animations,
which are essentially full mini-webpages that just get embedded into the web page.
On top-rate advertising networks and display ad networks, you'd have a really hard time sliding in some malicious code, but they do take JavaScript,
and JavaScript is the language that does the client side.
A lot of client side exploits on the web are done through JavaScript.
I want to allude back to something that Scott said.
The death of flash.
The death of flash.
That blog post from 2007 that I quoted a few minutes back, the one with the first instance I could find of the term malvertising, describes the most common attack vector for these hacks at the time as being, quote, a result of the client rendering Adobe Flash files.
Basically, malvertising attacks were born by people exploiting Flash.
Now, that's not what killed Flash.
What killed Flash was an open letter written by Steve Jobs in 2010 saying that they weren't going to be supporting it anymore.
But Flash is a good way into what Scott kind of described to me as the top scariest tier of malvertising attacks.
Attacks that strike at vulnerabilities in your browser and your computer.
Let's imagine that we had to sit back and get afraid.
We would put all of the different types of malvertising into categories.
And let's assume like DefCon 1, the top one,
is like an ad that's delivered to you when you visit a website,
but that ad itself actually also delivers malware at the exact same time on your computer without you doing anything.
So let's just hypothetically use Flash as an example of what one of those attacks might look like.
Yeah, so just think about it like this. Flash delivers essentially a piece of software.
So the SWF file that Flash exports, the movie, has code in it.
So the person who makes that movie can embed stuff in the code.
So naturally people found ways to exploit that.
In HTML5, the ad is actually a small web page and you can put code in it, JavaScript and other things, so you can naturally figure out ways to exploit that.
Such as?
Well, it depends.
And it depends on how much cleansing and checking
is going on at the display network side.
So obviously, you know,
Google Display Network knows that people
will be looking to exploit these ads
so they take a lot of precautions
to make sure that they're not exploitable.
But when you get into wild third-party ad networks,
the kind of things that you'd find on like streaming movie sites
and all of the websites that you claim you never go to, but always go to,
those probably are not scrutinized.
So, you know, those force-click ads that you have to click through to get to watch whatever 1986 movie you're excited to watch,
they could be chock-full of, you know, bad code, you know, artificial websites, clones, things like that.
So that's level one.
And I call it Scott's hierarchy of malvertising.
Malvertising attacks that rely on, and this is important,
vulnerabilities that are already in your browser or on your computer.
And as Scott explained to me,
it really comes back to that pre-existing vulnerability.
I think in today's world,
you'd really need, with the death of kind of flash as an ad platform,
in today's world, you'd really need
to have a known exploit.
You'd have to have a zero-day or something
that you could exploit to force and execute
a piece of malware onto a viewer's computer.
Often after I've been doing some internet browsing
in places where I probably shouldn't be,
my downloads folder has often got three or four executables in it.
And that's just kind of how that works.
Which brings us to level two: ads that download files you do not want.
I think level two is probably an ad that does something similar,
but instead of delivering the malware and exploiting something on your computer to have it installed,
just actually delivers the executable or the malware code to your computer.
So it hasn't been run yet, but it's been deployed to you.
So any kind of accidental click, any kind of automatic open, anything like that will trigger it.
An ad on the internet is made up of two parts.
There's what you see and where it goes.
There's an ad with a bunch of sneakers that takes you to a sneaker store if you click on it.
But there's this other kind of ad.
An ad for sneakers that doesn't take you to a sneaker store.
It takes you somewhere else.
If you imagine like the two principal parts of an ad are the thing that's displayed to you,
and the destination when it's been clicked on.
I think that's basic two things that are in all ads on the internet.
You know, showing something to the user
and if they click on it, taking them somewhere,
where you take them is very independent.
So, you know, I might show an ad for,
and if it's on a CD ad network,
I might show an ad for hackedpodcast.com.
When you click on that ad,
it might take you somewhere very different.
At which point you take them to the executable file that downloads the malware.
And if it's a force-click ad, i.e. something that's an overlay on top of a video I'm trying to watch and I have to click it to remove it, all of a sudden I'm downloading multiple executable files.
If I had "always run" clicked on my .EXEs for downloads, boom.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late, an alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy.
And all of this is running off of their secure operations graph,
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually look like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fear-mongering. It's practical, actionable intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
In 2009, the New York Times helped build a botnet.
It's mid-September, and visitors to the New York Times are being served advertisements telling them that their system is infected, trying to trick them into installing rogue security software onto their computers.
The software actually hijacked those computers into something called the Bahama Botnet, a big network of computers that the hacker could control and wield like a blunt instrument online, attacking and taking down other sites.
What's interesting about this hack is it doesn't sound like the culprit went through a network.
They went straight to the source. New York Times spokeswoman Diane McNulty said,
quote, the culprit approached the newspaper as a national advertiser and had provided
apparently legitimate ads for weeks.
They called up the newspaper, ran a bunch of real ads for weeks,
and then swapped them out for scam ads.
In the first half of the show, we talked about the first two kinds of malvertising,
the kind where the hack runs the second the ad is even shown,
and the kind where a malicious file is delivered via drive-by download.
Which brings us to the third category.
Where the vulnerability isn't your browser or your computer, it's you.
Well, I think that's something that you're familiar with.
And we talk about social engineering always as part of a hack and tricking somebody.
You know, I'm not going to lie, my mother and mother-in-law have both called me for the same problem.
And it's a large screen takeover saying Microsoft Corporation has detected malware on their computer.
And they need to call this 1-800 number, talk to this perfectly nice customer service person who then asks them to send them money.
And it's like, you know, that's not explicitly malware, but it's not not malware.
And I'm sure if you were to get roped into their scheme,
they would probably happily deliver an EXE with malware onto your computer at the same time.
So, you know, taking advantage of people's lack of knowledge or lack of comfort.
So we've got ads that exploit vulnerabilities in the browser, the computer, and the viewer.
But there is this whole other way, the thing that sparked us talking about this subject this week at all.
Since August 2019, hackers have been targeting ad networks running an old version of an open-source ad server called Revive.
Instead of using networks to run dodgy ads, they just hacked the whole network.
Yeah, this is like the real, this is the hackers' solution.
Like, this isn't just, this isn't the Russian malware solution.
This is like the Russian hackers' solution, where it's like, how can we exploit something that exists?
This is, how can we take over and change something that exists to do what we want it to?
Imagine all of the wild shit you could do if you took over an ad network.
I think taking over an ad network and taking over actually physically taking over the servers, or I guess virtually taking over the servers, would give you just tons of benefits,
because you'd literally be able to go in, add your own insertions, so, like, set up your own ads.
You'd be able to bypass and change any rules and restrictions on those ads.
You'd be able to target specific websites that you wanted those ads to show.
You'd have nobody and no systems doing any kind of sanity checks on your ads.
So they could be ads for, like, Oprah Winfrey's new book club and have nothing to do.
The destination and every other part of them would have nothing to do with it because there's nobody literally reviewing or checking anything.
I don't know if anybody out there has done anything on, like, Facebook, and they have rigorous ad policies and they adhere to them, and they have automated AI systems that verify and check things, and then if they fail AI checks, they go to human verification.
And it's like, there's these, you know, massive tiers of things that you'd have to bypass to, like, get malware onto, like, a Facebook ad.
It'd be probably virtually impossible, but if you control the ad network, there's no checks.
You're literally in the back-end system inserting your own ads, telling them where to go and artificially saying that you've purchased X amount of space.
So you'd be able to distribute them wide and far without anybody really noticing until they noticed.
That seems like it would have a lot of utility
even outside of just trying to deliver malware.
If you suddenly had the ability to run unlimited ads,
like think about what you can do with an advertisement,
especially at volume.
Totally.
You can bend the will of democracies.
You can do all kinds of great crap.
Yeah, for sure, for sure.
I didn't take it political, but I see your point.
But I was thinking about, like, I could be the next, you know,
luggage mogul.
Oh, yeah.
Or like, whatever it is.
It seems to be every day some online company spins up
that makes the best version of something that we've had for a hundred years.
Your pastel millennial brand that sells like the finest socks you can possibly buy.
We should probably not knock them because they'll probably hopefully become advertisers in our podcast.
Which brings us to this ad for Billy's socks.
If you were to open up Google Chrome and go to the extensions storefront and you were to look
at the top charts for browser extensions, first off, you actually can't because Google doesn't
have top charts the way that the app store does. And I think I know why. But if you were to open
up Chrome, a browser made by Google, a company that made 70% of its $134 billion profit
off of advertising, you'll find that some of the most popular extensions for this browser
are little pieces of software called ad blockers.
And this discussion of malvertising begs the question, how do they work?
The basic explanation for how it works is essentially ads have a fingerprint,
and the ad blocker recognizes the fingerprint in the HTML code and hides it.
That's essentially the basic premise of how it works.
And if inside of that HTML code that it would have loaded as the ad was the malicious code,
that malicious code no longer gets loaded and executed locally on the client-side browser.
So that's essentially how it stops it.
So it is also how it stops the entire ad network and ad world online working,
which then doesn't allow your favorite video game review site to get paid for you to read their articles.
And actually there's a beautiful thing happening where it's like,
I don't think I've been to a quality, like I have an ad blocker, and I probably shouldn't.
And when I go to a lot of quality content sites, the New York Times, the Bloomberg's, the IGNs, they immediately see that I have an ad blocker.
So they've re-fingerprinted when a browser has an ad blocker, and then they prevent you from getting access to their code, unless you modify the code live.
But you don't have to do that.
So they've kind of rehacked the hack, you know?
And it seems to be more and more so only on legitimate sites.
I haven't been to any illegitimate sites that are asking me to turn off my ad blocker.
So it seems to be kind of a positive social pressure and a plea for like,
hey, you don't pay for this content.
Please at least let us make a few cents from showing ads to you.
The longer you think about it, the weirder our relationship with ads starts to seem.
They're annoying and as we've learned potentially malicious,
and yet we don't have a great scalable alternative.
They pay for the stuff we like,
and yet you really couldn't be blamed
for having a piece of software
that explicitly blocks them from doing that.
We were talking about or we can talk about,
we haven't talked about, and we texted briefly about.
People's trust in an ad link
versus their trust in a link say that they get in an email.
I think we've all become so accustomed to getting spam that we know, phishing and stuff like this has become so routine in our lives that we don't click links in email unless we trust them.
I think people just inherently have a different trust for ads and that's very exploitable.
You know, it's taken us, what, 30 years to train people not to click links in email and people still click them all the time.
It's going to take us longer and it's going to be a huge change for the ad, you know, world as advertising is mostly funneling online.
Imagine if people stop trusting advertisements.
At very least, the media landscape would look completely different if we were paying for
stuff piecemeal.
Oh, 100%.
Like literally everything.
Like Twitch streaming to, you know, online media sites to, you know, the COVID-19 Post Malone Nirvana live stream that was out last weekend.
That literally was funded by ad dollars.
You could see ad placements of products in the background, be it Bud Light or whatever the water sponsor was they had.
Like, there was literally obvious ad placements in that live stream.
That's like, you know, everything that's done on the internet has to get funded somehow.
And advertising seems to be the way to fund it.
Hey, everybody.
Thank you for listening.
A little update for you.
For the last two months, we've been doing weekly updates between our monthly episodes.
We asked you all for feedback about this, and a bunch of people reached out and expressed
excitement over us putting more time into the big monthly episodes.
Some folks rightly pointed out that the shorter the episodes got, the longer the ads felt.
And this episode's subject matter was, I'm sure, completely uninspired by that genuinely
helpful feedback.
So, we will be back with a news update in two weeks instead of one, with regular episodes
on the last Tuesday of the month with that.
The goal being we're going to put more time, more energy, more love into those big episodes.
Thank you all for listening.
And Scott and I are going to catch you here on the next episode of Hacked.
