
Malvertising Could Replace Exploit Kits: Researchers

In a paper presented on Thursday at the Virus Bulletin conference in Seattle, Bromium researchers analyzed malvertising attacks and why they have become a preferred malware distribution method for many cybercriminal groups.


Over the past months, there have been numerous reports from security companies on successful malvertising campaigns. Through malicious advertisements distributed via popular ad networks, cybercriminals reached the visitors of several high-profile websites such as Amazon, YouTube, Yahoo, Java.com, DeviantArt and many others.

“Drive-by download” is one of the most efficient malware distribution methods. In these operations, the attacker uses spam or compromised sites to redirect victims to a page hosting an exploit kit. The exploit kit then leverages vulnerabilities in the software running on the victim’s machine to serve malware.

However, Bromium researchers Rahul Kashyap and Vadim Kotov have pointed out in their paper that using ad networks to redirect potential victims to the exploit kit is much more efficient because the attackers can reach millions of people with a minimum of effort.

In fact, the experts believe advertising networks could become the next primary attack vector as they might turn out to be even more efficient than exploit kits.

One important advantage of using ad networks for distributing malware is that the attacker can specify the targeted audience. For example, Google subsidiary DoubleClick, which was recently involved in a major malvertising operation, allows advertisers to select the users they are targeting based on parameters such as language, country, operating system, browser, device and search topics.

“Similar functionality is usually implemented in exploit kits, but in this case it is completely handled by the advertising network. Setting operating system to Windows XP and browser to Internet Explorer allows an attacker to use old exploits that are publicly available and proven effective. With this configuration they don’t need to worry about such defenses as ASLR, EMET etc,” Kashyap and Kotov explained in their paper. “Language and country parameters allow an attacker to focus on a specific geographical location. This is handy if an attacker has a working scheme of monetizing stolen bank cards or victim personal data in a particular country.”

Malvertising usually goes hand in hand with exploit kits. However, because of the opportunities offered by Flash, cybercriminals could soon start launching attacks from the banner itself. The experts believe Flash banners are the most dangerous type of ad from a security standpoint: they are highly prevalent, a Flash file is not malicious in itself so malicious banners are harder to detect and block, and ActionScript, Flash’s scripting language, is powerful enough for the job, the researchers said.

Malvertising attacks that leverage Flash banners are not uncommon. Bromium analyzed one such attack in February, and Malwarebytes observed a campaign back in June. The Flash banners either redirect users to a malicious page after they’re clicked, or they add a stealthy redirect to the page in the form of an iframe. However, experts believe the banners themselves could soon incorporate exploit kits.
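The stealthy-redirect pattern described above leaves a trace in the markup the ad slot ends up rendering. The following scanner is an added example, not code from the article or from Bromium's paper: it walks the rendered ad-slot HTML and flags iframes that are sized to be invisible, hidden with CSS, pushed off-screen, or pointed at a host outside the ad network the publisher expects. The host names, the sample markup and the list of expected hosts are constructed for illustration.

```python
"""Added example (not from the article or Bromium's paper): find iframes in an
ad slot's rendered markup that look designed to be invisible, the "stealthy
redirect" pattern malicious banners use. All host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (a trailing 'px' is tolerated)."""
    digits = value.strip().lower().removesuffix("px").strip()
    return digits.isdigit() and int(digits) <= 1


class HiddenFrameFinder(HTMLParser):
    """Collect iframes whose attributes suggest they are not meant to be seen."""

    def __init__(self, expected_hosts):
        super().__init__()
        self.expected_hosts = {h.lower() for h in expected_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")):
            reasons.append("zero- or one-pixel frame")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden with CSS")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        # A frame that loads from outside the ad network's own hosts deserves a look
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host not in self.expected_hosts:
            reasons.append(f"unexpected frame host {host}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(markup: str, expected_hosts) -> list:
    """Return one finding per suspicious iframe in the given markup."""
    finder = HiddenFrameFinder(expected_hosts)
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed sample: one ordinary creative, one 1x1 frame to a foreign host,
# one frame hidden with CSS. Hosts use the .test TLD and are not real.
EXPECTED_HOSTS = ["ads.example-network.test"]
SAMPLE_AD_SLOT = """
<div class="ad-slot">
  <iframe src="https://ads.example-network.test/creative/123" width="300" height="250"></iframe>
  <iframe src="https://landing.example-redirect.test/go" width="1" height="1" style="border:0"></iframe>
  <iframe src="https://ads.example-network.test/track" style="display: none"></iframe>
</div>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_AD_SLOT, EXPECTED_HOSTS):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against a rendered page snapshot (for example, the DOM serialized after the ad loads) rather than the raw creative, because the injected frame typically appears only after the banner's script has executed.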


“The problem with attacking from the Flash banner directly is there are size constraints defined by the ad network and it is usually up to 200K. The banner must look normal and should not contain any suspicious elements such as a huge chunk of high entropy data. This constraint could be overcome though by deploying steganography and hiding malicious code in the image,” the researchers said.
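The constraint the researchers describe, a size cap and the need to avoid "a huge chunk of high entropy data", is also what a reviewer on the ad network side can check for. The scanner below is an added example, not code from the article or from Bromium; it inflates zlib-compressed SWF files (the "CWS" signature) so that compression itself is not mistaken for hidden data, then slides a window over the bytes and reports regions whose Shannon entropy approaches that of random data, alongside a size check. The 200 KiB cap is taken from the quote above; the window size and the 7.2 bits-per-byte threshold are assumptions, and the sample creatives are constructed, not real banners.

```python
"""Added example (not Bromium's code): flag ad creatives that carry a large,
high-entropy blob, the signal the paper says a malicious Flash banner must
avoid. The 200 KiB cap comes from the article; the window size and the
entropy threshold are assumptions chosen for illustration."""
import math
import zlib
from collections import Counter

MAX_CREATIVE_BYTES = 200 * 1024  # ad-network size cap cited in the article ("up to 200K")
WINDOW = 1024                    # bytes per entropy window (assumption)
STEP = 512                       # window stride (assumption)
THRESHOLD = 7.2                  # bits/byte; random or encrypted data sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def unwrap_swf(data: bytes) -> bytes:
    """Inflate a zlib-compressed SWF ('CWS' signature, 8-byte header followed by
    a zlib stream) so compression is not confused with hidden data. Uncompressed
    'FWS' files and non-SWF inputs are returned unchanged."""
    if data[:3] == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    return data


def high_entropy_windows(data: bytes, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return (offset, entropy) for every window whose entropy reaches the threshold."""
    hits = []
    last = max(len(data) - window, 0)
    for off in range(0, last + 1, step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def scan_creative(raw: bytes) -> dict:
    """Size check plus entropy scan over the (decompressed) creative body."""
    body = unwrap_swf(raw)
    hits = high_entropy_windows(body)
    oversized = len(raw) > MAX_CREATIVE_BYTES
    return {
        "oversized": oversized,
        "high_entropy_windows": hits,
        "suspicious": oversized or bool(hits),
    }


# Constructed samples (not real creatives). Zero padding stands in for the
# ordinary low-entropy tag data of a simple banner; the uniform 0..255 block
# stands in for an embedded encrypted or packed payload.
RANDOM_LOOKING = bytes(range(256)) * 4                      # exactly 8.0 bits/byte
BENIGN = b"FWS\x0a" + (4096).to_bytes(4, "little") + b"\x00" * 4088
SUSPECT = b"FWS\x0a" + (5120).to_bytes(4, "little") + b"\x00" * 2040 + RANDOM_LOOKING + b"\x00" * 2048
COMPRESSED = b"CWS\x0a" + BENIGN[4:8] + zlib.compress(BENIGN[8:])   # benign, but opaque until inflated

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT), ("compressed", COMPRESSED)):
        print(name, scan_creative(blob))
```

Entropy alone is a coarse signal: legitimate creatives embed JPEG and PNG images that are themselves high entropy, so in practice the windows flagged here should be mapped back to the SWF tag that contains them and image tags whitelisted or examined separately. That is also why the researchers expect steganography in images to defeat this check, which makes it a first-pass filter rather than a verdict.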

While they haven’t seen any malicious banners that incorporate a fully functional exploit kit, Kashyap and Kotov believe it could be done.

“From our investigation we conclude that ad networks could be leveraged to aid or even substitute for current exploit kits. Loose security policies, high prevalence and powerful scripting capabilities make it a viable tool for malware distribution,” the researchers concluded.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
