A Case Study in Malvertisement

Size: px

Start display at page:

Download "A Case Study in Malvertisement"

Marcus Newton
8 years ago
Views:

1 A Case Study in Malvertisement The Shadowserver Foundation Kayne Naughton

2 Drive-By Infections Been around for a long time now Criminals answer to personal firewalls Much bigger attack surface PDFs Java Flash Browsers Media formats (Quicktime/Realplayer/WMV)

3 Why bother? Rogue Antivirus is big money Image courtesy of SecureWorks (2008)

4 Ad companies get wise What s New? Criminals get smarter too

5 Welcome to Ad Lingo! CPI Cost per Impression ( per view ) CPM Cost per Thousand impressions IO Insertion Order (a purchase) ROS Run of Site, the ad appears on any page (ROC is Category) IAB - Interactive Advertising Bureau, an industry body

6 to Sales The Setup We want to place an IAB * standard banner ad campaign for an Australia / New Zealand client Advertising related domain, not free webmail, professional language and terminology

7 The Hook We have $15000 Australian to spend per month We re after a 4-5 day test run (over 900,000 impressions) Haggle over pricing Happy to pay in advance for this of course Art in advance to make sure it s appropriate

8 Strangeness We want it 1/48 frequency capped Site: we can do it 1 out of every 7 impressions for each unique viewer No 1/48 frequency please Site: What do you mean by 1/48? show it to one unique user every 48 hours (HUH?)

9 Strangeness (cont) Site: Our software doesn t work that way, we can give you a low frequency per user Yeah, ok, fine. We re sending money via a wire transfer service Site: We haven t received payment yet It might take 8-10 days Site: Oh, here it is, we ll start the campaign

10 Ad runs Everybody is happy It s all good

11 The Switch Customers start phoning, what is My Security Shield? It says I have a virus after I visited your site

12 The Switch (cont)

13 The Tech Hosted in the USA at a large dedicated hosting facility Sent traffic to 3 different IPs for iframe inclusion Sent users to the site they pretended to represent right after the infection Sent any hits without a referrer to Mediaplex (a big, legitimate agency) to cloud the issue.

14 The Impersonated Where did this traffic come from?

15 The Impersonated (cont) Media reports bring it to their attention Go back over old hit graphs Compare campaign timings with spikes More badness has been afoot Configure load balancers to send bad traffic users to a you might have been conned page. New campaign that comes in yields 2000 bad hits in a day (unknown how many infected or where from).

16 Media outcry Cheeky Devils Campaign pulled, consumers warned Loss of Confidence We were really happy with the campaign, can we renew?

17 Truly International US Servers serving the malware UK host sent Ukrainian DNS UK/Czech money service used AU/NZ victims

18 What have we learnt? They speak the language of advertising, and speak it well Impeccable Business English used Advanced fraud and malware Persistent Running counter-intel to prolong campaigns

19 What else? Other case studies show them trying to swap out flash files at the last second for malicious files Only caught due to previous suspicious activity Unknown agency with a big client Minor layout issues were strange Files too big and they claimed other, stricter sites were OK with it. Indicated they were happy to provide link tracking using any of the three major tracker companies (who would split their business like this?)

20 What else? (cont.) This case was amateur by many standards and targeted a single site. Ad agencies are plagued by these guys Companies with professionally designed websites invented just to act as references A bank acted as a referee (a fake phone numbers provided but the site was a real bank)

21 Google Fox Yahoo New York Times News.com.au Almost everyone You re not alone

22 Big Numbers Courtesy of Avast 2010

23 The way forward Further investigation of clients Independently verifying all credentials Wider awareness Law Enforcement

24 Questions? 2011/3/4 The Shadowserver 24

25 Shadowserver! /3/4 The Shadowserver Foundation 25

white paper Malware Security and the Bottom Line

white paper Malware Security and the Bottom Line Malware Security Report: Protecting Your BusineSS, Customers, and the Bottom Line Contents 1 Malware is crawling onto web sites everywhere 1 What is Malware? 2 The anatomy of Malware attacks 3 The Malware