Malvertising — recent developments on tactics and techniques
Combined attacks from different threat actors
Malvertising attacks have already become an established technique in the modus operandi of several cyber crime rings. This kind of threat seems particularly well suited to attacking the media industry, especially high-profile newspapers and magazines with a large number of readers. But other industries are also frequently targeted by the same means. On December 14th, Jérôme Segura of the Malwarebytes blog wrote an article [1] on another Malvertising attack, this time an elaborate cyber offensive against customers of Comcast, one of the largest Internet providers in the US.
What draws attention to this specific campaign is that it starts with a malicious advertisement (loaded from Google AdWords) which tries to compromise web browsers through the Nuclear Exploit Kit, as is usual in typical Malvertising attacks. Although Malwarebytes stated they did not collect the malware payload used in this specific campaign, they suppose computers compromised by Nuclear would likely be infected with CryptoWall ransomware or one of its variants. The attack, however, does not end here. It continues attempting to compromise potential victims with another malicious artefact: a Phishing website disguised as a Comcast portal displays a warning claiming that suspicious activity was detected from the user’s IP address and that spyware may have caused a ‘security breach’. The warning instructs the victim not to turn off or restart the computer and to call a toll-free phone number, which constitutes a classic Tech Support scam.
According to Malwarebytes, this is the first attack they have spotted which combines Malvertising, an Exploit Kit, a Phishing page and a Tech Support scam. The article also reports evidence that links the initial ad used in the Malvertising attack to the Tech Support scam Phishing page.
Although Malwarebytes stated this was the first attack of its kind they have identified, they also listed other stories about ‘similar’ attacks previously spotted. One of these is a blog post [2] from Symantec, published on December 1st, which describes how Tech Support scammers may have enhanced their arsenal by using an Exploit Kit to drop ransomware onto victims’ computers. Malwarebytes also recalled an article [3] they had written around 1 year before that describes a Scam page containing a link to an Exploit Kit, but they highlighted that this might have been a simple Scam website that got hacked by a third party which installed the Exploit Kit itself.
It is interesting to observe that one attack scenario is not inconsistent with the other, as different cyber crime rings may use different approaches: one group can trigger Phishing or phone scam operations at the same time as they try to infect the victims’ computers to further collect financial data; another group may in turn want to ‘outsource’ its victims and get a ‘double pay’, redirecting the same users in parallel to Exploit Kit operators and also to Tech Support scammers, as supposed in the latest Malwarebytes article. In addition, the scam performed against Comcast users may as well have been used just to prevent the victims from shutting down their computers while the ransomware was being installed and executed to search for users’ files, which will be encrypted and ‘hijacked’. One way or another, these attacks suggest an ongoing trend where Exploit Kits and scams may be triggered together to ‘add value’ to cyber crime operations.
This is clearly not a surprise. As also happens with other forms of cyber threats, such as denial of service attacks and traditional malware infections, criminals are constantly developing and evolving their techniques and operations, always aiming to improve profitability and/or to bypass new security products and mechanisms. Enhancements in Malvertising attacks were recently described in earlier articles, for instance in the blog story ‘PageFair: new malvertising attacks via anti-ad blocking providers’. Further improvements in Malvertising TTPs (Tactics, Techniques, and Procedures) are not expected to cease; on the contrary, they will probably happen more often than ever.
As a last-minute update to this article, another Malvertising campaign [4] was disclosed by Malwarebytes on January 7th, 2016. This time, the attack was made on the PopAds advertising network (which uses pop-under ads) and launched the Magnitude Exploit Kit to try to compromise users’ computers and then install the CryptoWall ransomware. Note: A pop-under is a new browser window similar to a pop-up, but it is hidden under the active window in order not to draw the user’s attention immediately. It is typically not seen until the main window is closed, which also makes it harder to spot which specific website opened it.
According to Malwarebytes, this campaign started around January 1st and its ads were mainly inserted on adult and video streaming websites. The use of pop-under ad technology is not new, but it is another example of a Malvertising campaign using different advertising networks and techniques to reach, compromise and infect users’ computers.
Finally, we reinforce Jérôme Segura’s opinion [5] that, despite all the efforts that some advertisement companies are already making, they should make it harder and costlier for cybercriminals to buy their services. Malvertising is incredibly cheap for them, costing a mere few cents to display an ad to a thousand people. On the users’ side, it is very important to apply system updates as quickly as possible, since most of the Exploit Kits used in typical Malvertising campaigns do not rely on ‘0-day’ vulnerabilities (i.e. previously unknown or without a patch available), usually working by exploiting well-known security flaws in web browsers and popular plugins, such as Adobe Flash Player, Java and others.