A massive malicious advertising campaign has resurfaced on major publishing websites, including Yahoo and MSN, just a few months after researchers thought they'd nipped it in the bud.
See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB
Analysts say the fresh attacks come from a group dubbed AdGholas, which uses extremely effective technical tricks to deliver malware to computers through advertisements, referred to as malvertising. The group's last campaign, shut down in July, exposed as many as 1 million computers a day to malware.
Malvertising has proven to be one of the most effective ways to infect large numbers of computers. Malicious ads are seeded into ad networks, and if viewed, they can automatically trigger an attack that can deliver banking Trojans and ransomware. Users are unaware they've been infected.
While the ad industry has realized that the infiltration of their networks by cybercriminals poses a threat, it's struggling to get a handle on the problems. That's because of the complex way ads are distributed - and the carefully tested methods hackers use to defeat security controls.
It's possible to block attack campaigns launched by AdGholas in the short-term, says Jerome Segura, the lead malware intelligence analyst at Malwarebytes. But the group capitalizes on distinct security weaknesses in the online advertising industry and will likely continue to be successful with new ones, he argues.
"It is one of the most advanced malvertising attacks that I've ever witnessed," Segura says.
Attack Chain
The latest campaign by AdGholas involved distributing advertisements promoting a purported privacy tool called Browser Defense and another screen-capture application called Broxu, according to Eset, which published a blog post.
Even if a user doesn't click on the advertisement, the ad probes for an information leakage vulnerability in Internet Explorer. If present, exploiting that vulnerability allows for the collection of key information about a computer, such as if security tools are running, if anti-virus software is installed or if the computer is actually a virtual machine. Cybercriminals then use that information to determine whether they want to proceed with an attack.
It's common for malware to stop running if it suspects that it's being observed by security researchers, which could extend the longevity of a campaign. But Segura says AdGholas gathers much more detailed information from machines than other attackers, including a computer's time zone, whether certain video drivers are installed and the computer's performance specs. The checks are performed multiple times to ensure the right victim is chosen, he says.
"These kind of things are absolutely insane from our point of view," Segura says. "That level of detail is just very, very advanced. The group is very paranoid."
AdGholas' ads are particularly difficult to detect because they contain encrypted malicious JavaScript that's hidden in images. Hiding code in images is known as steganography. The group's attacks in July were believed to be the first time steganography has been employed for malvertising, according to the security company Proofpoint. It estimated that more than 1 million computers per day were exposed to the group's bad ads.
After a victim is picked, the browser is directed to a landing page that hosts an exploit kit called Astrum, which is not widely used but has been around for a few years, Segura says. The exploit kit then tries to exploit vulnerabilities in Adobe Systems' Flash Player.
Bait And Switch
Because of the extensive vetting AdGholas performs on targeted computers, Segura says he had trouble triggering an attack in order to study it. He ended up using a home computer with only Wireshark installed, which AdGholas couldn't detect. Eventually, he was able to observe a full attack.
He notified Yahoo around Nov. 27. But just two days later, the malicious advertisements appeared once again. AdGholas had merely changed the domain that it used for the attacks, and the domain was actually on the IP address.
"If they're not seeing it, we're in serious trouble here," Segura says. "These attacks are happening, and nobody is really aware of them."
In its latest round of attacks, AdGholas avoided targeting computers in the U.S., instead hitting devices in Canada, the U.K., Australia, Spain, Italy and Switzerland, according to Segura's blog post.
Despite efforts to scan ads for malicious code, ad networks are still getting beat by groups such as AdGholas. The group actually creates two versions of advertisements, supplying a "clean" one for scanning by the ad networks but then only delivering the harmful one to carefully selected victims who aren't likely security researchers, Segura says.
The switch is often missed, which has led to suggestions that networks shouldn't redistribute ads that are hosted on other parties' servers. Ad networks are entwined in technical relationships that are extremely complex, which means a failure in quality control by one network could mean that malvertisements make their way onto major websites, exposing large numbers of computers to attacks.
The security issues have long been recognized. The online ad industry has taken note, however, and acknowledged it's a threat to business. But as structured now, the industry is focused on speed rather than security, Segura says (see Online Ad Industry Threatened by Security Issues).
"As long as these things continue to exist, you're going to have problems," Segura says. "For the most part, a lot of legitimate advertising is using those practices. It's tough to cut off an arm if you know that only the tip of the finger is the bad part."