Advanced persistent threat groups are using malvertising in order to compromise the networks of their adversaries in what appears to be an example of high-level, nation-state attackers borrowing tactics from the typically less sophisticated cybercriminal arsenals. Attackers are also borrowing from the corporate marketing world by leveraging a form of high-speed advertisement placement known as “real-time ad-bidding.”
In a report made public today, the Virginia-based security firm Invincea says it has discovered a state-sponsored APT campaign, dubbed “Operation DeathClick.” They claim that they blocked the attacks and were therefore not able to determine much in the way of attribution, but the attack itself is novel in the way it deployed a new and aggressive form of malvertising.
Invincea claims this isn’t your standard, criminal variety of malvertising. Traditional malvertising is indiscriminate. Criminals compromise an online advertising network and use the network’s ads to redirect as many users as possible to third party sites containing exploit kits and malware. In certain greyer cases the ad networks act unscrupulously themselves.
Operation DeathClick’s brand of malvertising is precise, targeting victims based on a long list of characteristics, including user-agent strings like versions of Flash, operating system, java and browser; cookie-based, content-related interests; and geography- and corporate-based IP address ranges in order to target specific industries, companies and individuals.
In addition, the attackers are relying on real-time ad-bidding, which is a sort of mechanized process for buying ad placement, similar to high-frequency trading in the finance world. Buyers essentially bid among themselves to land short-term ad placements on sites that are receiving high click through rates in real-time. The goal is to get an ad placed on a site that is under a heavy traffic load at the time.
Invincea calls this “micro-targeted malvertising,” and, in fact, Operation DeathClick is merely the example in a white paper they released today, “Micro-Targeted Malvertising via Real-Time Ad Bidding.”
“The threat actors redirect their ads for just minutes at a time and then abandon their exploit kit pages forever,” Invincea explains. “This means that list-based threat intelligence feeds are rendered ineffective. The domains used do not appear in any proxy blacklist, and the malware droppers delivered by the exploit pages always employ different signatures, evading traditional network and endpoint detection technology.”
To further cloak their activities, many attackers will serve perfectly innocuous advertisements most of the time.
Part of the problem with malvertising, Invincea explains, is that ad delivery networks are not incentivized to curtail malicious activity because they profit from it. Without cooperation from the companies enabling this sort of fraud, Invincea complains, attacks will continue.
The threat of this new sort of malvertising isn’t limited to cyberespionage either. Invincea warns it can be deployed by oppressive regimes to monitor activist behavior.
Some of the sites visited by defense contractor employees containing ads that redirect to malware included the fantasy football site Fleaflicker[dot]com, the online poker site Gpokr[dot]com and the webmail provider Earthlink. There are a number of companies out there involved in real-time ad-bidding. Invincea lists Pubmatic, DoubleClick.net, First-Impression.com, Neustar.biz and Zeda. Invincea also goes out of its way to point out the less reputable real-time bidding service BNMLA.com, which is also known as Engage:BDR.
Invincia says defense industrial base customers witnessed micro-targeted malvertising at a rate six times that of comparable private sector companies with similar defense-in-depth capabilities.