
Hackers strike defense companies through real-time ad bidding - r0h1n
http://www.computerworld.com/article/2834927/hackers-strike-defense-companies-through-real-time-ad-bidding.html
======
btown
Here's the whitepaper in question:

[http://www.invincea.com/wp-content/uploads/2014/10/Micro-Tar...](http://www.invincea.com/wp-content/uploads/2014/10/Micro-Targeted-Malvertising-WP-FINAL-10-18-14.pdf)

> Most of the attacks featured here were not detected by standard Anti-Virus
> because the malware hashes constantly change.

> Web proxy blocking updates, even in real time, will not stop new
> malvertising landing pages that appear and disappear within minutes.

> Intelligence feeds from the premier intelligence providers, based on
> hostname, IP, URL or domain will not be able to block malicious malvertisers
> quickly enough.

> ... opting out merely places a blocking cookie in your browser. This means
> that ad providers will not target or retarget based on cookies. But as shown
> above, the new targeted advertising is via IP intelligence.

It seems like these are extremely difficult to mitigate without
heuristic-based antivirus systems. And even if the bidding engines were to
scrape them, malicious ad servers could simply serve benign content to all but
the targeted IPs.

That said, it's very possible that patterns would emerge in this type of
targeted advertising that could be marked as fraudulent using machine learning
(for instance, if a brand new ad server were to suddenly start requesting IP
targeting). I'm sure the talented people at the larger ad-exchange-software
companies like AppNexus will figure something out - or they already have!

~~~
meowface
Actually, there are several ways to detect such attacks. I work in network
security and incident response, and I immediately recognized the URLs in the
infection chain from Figure 3 and Figure 20 in the whitepaper. They're using
the Sweet Orange exploit kit, which has been around for a while and is not
that hard to detect if you have any appliance screening HTTP requests and
responses. Example URL patterns: [http://malware-traffic-analysis.net/2014/10/06/index2.html](http://malware-traffic-analysis.net/2014/10/06/index2.html)

Also, despite Invincea's claims to the contrary, good intelligence feeds and
in some cases just proxy domain categorization are often fast enough to catch
these for most organizations, at least in cases where the attack isn't
specifically targeted at a single organization. This is on top of multiple
layers of defense that any decent company should have, many of which could
catch numerous indicators (domain patterns, URI paths, JavaScript) tied to
these exploit kits.

The bidder has to prop up and supply the exploit kits themselves, and most of
the time it's Sweet Orange, Nuclear, Rig, or Angler. But these are all
"commodity" exploit kits and aren't even remotely custom made like they have
been in some APT attacks. APTs may also go the ad bidding route and provide
their own handcrafted exploit kits, but they may not want to go through a
middleman like this and set up a corporate front.

The only unnerving part is the ability to choose a specific target subnet. If
the ad networks or second-tier middlemen of "spreaders" / "distributors" are
promising clients exclusive access to a certain group of servers or even an
entire ad network for a length of time, and if the client uses a specifically
created new domain and maybe even a fresh IP, then that means no one may know
about the compromised server/network until it's too late and several people
from the targeted organization visit it.

I don't know for sure since Invincea did not investigate more into the human
aspect of this, but I suspect for this to be profitable there's probably a lot
of "overselling" going on, and the bidders interfacing with the ad networks
themselves are serving multiple customers' campaigns (or their own campaigns)
on the same servers and ad networks, which makes it more difficult to
successfully pull off targeted drivebys or "watering holes" as they will get
detected and evicted.

> I'm sure the talented people at the larger ad-exchange-software companies
> like AppNexus will figure something out - or they already have!

AppNexus has been a major offender here for a long time. They've had numerous
incidents of malicious ads over the years. I know because I've seen them
myself when investigating malware incidents (e.g. adnxs.com as the Referer in
an exploit kit chain). You can also see adnxs.com in Figure 21 of the
whitepaper. I certainly hope they start caring more about security and
establish a more stringent ad review process.
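
One defensive check along the lines meowface describes, written as an added example that is not from the thread, the whitepaper or any vendor: it walks constructed proxy log lines and flags requests that arrive with an ad-network Referer (adnxs.com is named above; doubleclick.net is assumed) and land on a domain the proxy has never seen before, which is the short-lived landing-page pattern the whitepaper says feeds cannot keep up with. The log format, the 24-hour freshness window and every hostname in the sample are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ad networks named in the thread (domains assumed); a request whose Referer
# is one of them reached its destination through an ad click or ad redirect.
AD_NETWORKS = ("adnxs.com", "doubleclick.net")
# A destination first observed less than this long ago counts as "fresh".
FRESH_WINDOW = timedelta(hours=24)

# Constructed proxy log: "ISO-timestamp client_ip url referer" per line.
# example-shop.test is an established advertiser landing page;
# fresh-landing.example first appears behind an ad click.
SAMPLE_PROXY_LOG = [
    "2014-10-20T09:00:00 10.1.2.10 http://example-shop.test/ http://www.example.com/",
    "2014-10-21T10:15:00 10.1.2.11 http://example-shop.test/sale http://ad.adnxs.com/click",
    "2014-10-21T10:16:00 10.1.2.12 http://fresh-landing.example/index.php http://ad.adnxs.com/click",
    "2014-10-21T10:16:05 10.1.2.12 http://fresh-landing.example/x.jar http://fresh-landing.example/index.php",
]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ad_referer(referer):
    host = _host(referer)
    return any(host == d or host.endswith("." + d) for d in AD_NETWORKS)


def flag_ad_referred_fresh_domains(log_lines):
    """Return (timestamp, client_ip, destination_host) for every request that
    came from an ad-network Referer and hit a destination domain first seen in
    these logs less than FRESH_WINDOW earlier. Lines are processed in time
    order, so first_seen is built up as the log is read."""
    first_seen = {}
    hits = []
    for line in log_lines:
        ts_text, client, url, referer = line.split()
        ts = datetime.fromisoformat(ts_text)
        dest = _host(url)
        first_seen.setdefault(dest, ts)
        if _is_ad_referer(referer) and ts - first_seen[dest] < FRESH_WINDOW:
            hits.append((ts_text, client, dest))
    return hits


if __name__ == "__main__":
    for hit in flag_ad_referred_fresh_domains(SAMPLE_PROXY_LOG):
        print("ad-referred request to fresh domain:", *hit)
```

The established advertiser domain is not flagged even when reached through an ad, because it was already in the proxy's history a day earlier; in production the first-seen table would be seeded from historical logs rather than built from the batch being scanned.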

~~~
meowface
Also, just a follow up: many organizations in my industry are actually
completely blocking most major ad networks (including AppNexus and
DoubleClick) at their proxies due to all the issues caused by malvertising. My
organization is currently looking into it. Malvertising is a much more serious
problem than people think, though I think this article and whitepaper are
slightly FUD.

~~~
Kalium
Seems a little short-sighted. I mean, shouldn't you be copying that traffic
into something sandboxed to search for potentially new and interesting
attacks?

------
Animats
This is only a problem because ad-serving companies don't vet their customers.
Make ad companies legally and financially responsible when they serve malware
ads, and the free market will then stop the problem.

The bad actor here is DoubleClick, which is part of Google. Google is famously
known for being squishy-soft on advertiser vetting. They had to pay
$500,000,000 to the U.S. Department of Justice for knowingly hosting ads for
steroids and other drugs. (The FBI caught Google in a sting operation.
[http://www.wired.com/2013/05/google-pharma-whitaker-sting/](http://www.wired.com/2013/05/google-pharma-whitaker-sting/) "“I want to be the largest steroids dealer in the US,” Whitaker told the Google rep.")

~~~
Kalium
> This is only a problem because ad-serving companies don't vet their
> customers. Make ad companies legally and financially responsible when they
> serve malware ads, and the free market will then stop the problem.

No. Then you will destroy those companies in the US and everyone will use
foreign-run companies not so bound.

~~~
Animats
You think people in the US are going to switch from Google and Facebook to
Baidu and Tencent?

~~~
nitrogen
I think the parent comment's point was that site owners will switch to other
ad networks if the other networks pay better rates due to the types of content
they host that Googlebook won't.

~~~
Kalium
And if that occurs, eventually Google and Facebook will wind up running
someone else's ads. Because that will pay better.

~~~
nitrogen
I don't mean site owners _paying_ for ads, I mean site owners _displaying_
ads.

------
segmondy
The point of the article should be that cyber criminals can now target a
particular IP or range of IPs through ads by installing malware at "safe
sites" that the target might browse. So any and everyone is at risk if there's
someone after you.

~~~
iwwr
Not only that, the criminals can show different content depending on the
originating IP range, presenting harmless stuff to people not directly
targeted.

~~~
dmethvin
Even better, they can bid based on the IP address range and only pay for the
suckers they target. Why go to the trouble of making a harmless ad when you'll
never need to show it?

------
downandout
Adsense and other networks have been used for this kind of thing for a long
time. I consulted for a company a few years ago that was losing ~$100K/mo
through a similar technique. They happened to use Adsense on their pages, and
also had an affiliate program. Rogue affiliates would display an ad through
Adsense targeted only to their site, and use a flash banner that
surreptitiously loaded their affiliate cookie for the site onto the user's
browser after they were already there. The site would then dutifully pay
commission on all of these sales, even though the affiliate had nothing to do
with getting the user there. I helped identify and plug this gaping hole in
their profits.

Ad networks really need to take more responsibility to monitor both landing
pages and the ads themselves more carefully. Enabling drive-by malware
installs, affiliate fraud, and all other manner of schemes - even unwittingly
- is bad for everyone involved.

~~~
frandroid
Did that $100K/mth wipe out their entire monthly AdSense revenue? If you sell
enough stuff that you can lose $100K/m in affiliate fees, it seems to me that
display advertising revenue would be a drop in that bucket...

------
Pxtl
Wow, whoever would've thought that serving 3rd party JavaScript with no
sandboxing or review or anything would be bad for browser security. I'm
utterly shocked.

~~~
mintplant
This doesn't rely on ad networks serving 3rd party JavaScript from
advertisers. This is ad networks allowing advertisers to target ads down to
the level that only those browsing from certain companies see them. It still
relies on the user to actually click on those ads, at which point they're
taken to a page under the attacker's control.

~~~
moresunny
flash malware can auto-redirect or do all sorts of other things if the IP
address matches. also don't forget, they can buy a small range but invoke the
new behavior for an even smaller range. so sandboxing won't help either.

------
aslewofmice
Programmatic media buying in an open exchange model is vulnerable to this kind
of attack vector, and the number of malvertisers is growing day by day. The ad
industry needs to be quicker at adopting the private marketplace model in
order to mandate a bit more transparency between the buyer and seller.

The OP article was a bit alarmist with the hackers singling out defense
contractors. I think the real intent of the hackers/malvertisers is this:

> _Invincea recently saw a malvertiser win a bid and delivered a Java exploit.
> This exploit copied a fully functional version of Chrome into the Java cache
> directory, and that version of Chrome launched in the background and
> proceeded to visit websites and click on specific ad banners. It is presumed
> that these ad banners paid revenue via referral bonuses to the malvertiser.
> By paying 65 cents to install a background web browser that does nothing but
> click fraud, the malvertiser is able to reap hundreds if not thousands of
> dollars in advertising referral income. It is a pretty good return on
> investment, which in turn allows the malvertiser to fund his micro-targeted
> malvertising attack campaign._

Just like Email several years ago, there's just too much accessibility and
money out there for spammers and malvertisers to not jump to Display.

------
nkozyra
It's amazing how open and exploitable ads on the internet remain, being one of
the biggest sources of malware since the dawn of the WWW.

All of the major problems - spam, HTTP/HTTPS security, speed of protocols -
have at least been met with myriad solutions. That we're still relying on
Flash, JS and Silverlight, etc. for serving ads is nonsensical. Sandboxed
iframes are a nice bandage, but it isn't a solution, particularly because it
doesn't cover the most vulnerable anyway.

Someone has to be interested in creating a more secure standard that applies
some quality standardization as well as security sandboxing.

------
brainsqueezer
Amazing that they are getting access to RTB platforms. As a small company we
are trying to get access (for proper purposes). Any idea what RTB platform
they are using, or any that are open to small companies?

~~~
brandnewlow
Not so amazing. We have dozens of creeps sign up with us at Perfect Audience
every day. It's a constant battle to block them out.

------
moresunny
the solution is simple. stop enabling flash or javascript ads with real time
bidding. i cannot imagine how to secure flash ads because the flash can invoke
logic from outside the program.

------
hyperpape
I hope that any security conscious employer has the sense to mandate Adblock
(the paranoid ones should prohibit recreational internet use, but that's going
to piss people off).

------
EGreg
And this is an example of what I am worried about. Our systems are mostly
based on assumptions of inefficiency by an attacker or exploiter. With
computers, these assumptions will no longer be correct. If this happens
exponentially, it will subvert almost all society's systems and make us not
trust anything.

~~~
beagle3
> make us not trust anything.

It should make us not trust that which should not be trusted.

And that's a good thing.

~~~
EGreg
How do you figure that is a good thing?

Most of the things we rely on today aren't foolproof. When it gets to the
point that you wouldn't be able to trust your closest friends, you consider
this situation better?

~~~
beagle3
Trust is a statistical gamble.

You already cannot trust emails or text messages from your closest friends
because they are easy to spoof. And it is better when everyone is aware of
that, I think.

Whether you can (or cannot) trust your friend wasn't changed by technology, in
my opinion. What you generally cannot trust is that info you confidentially
told them was not eavesdropped. You never could, but statistically it was good
enough. Now, statistically it isn't good enough, and therefore you shouldn't.

~~~
EGreg
You think you can trust your friends until governments and corporations hack
human motivations and leverage the trust for short term gains until the
connections are subverted. It's one of those externalities that are still
undertapped and we all know how much organizations look to exploit
externalities.

Consider this: [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf](http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf)

and this:
[https://www.techdirt.com/articles/20140224/17054826340/new-s...](https://www.techdirt.com/articles/20140224/17054826340/new-snowden-doc-reveals-how-gchqnsa-use-internet-to-manipulate-deceive-destroy-reputations.shtml)

It's been done before with the KGB in the USSR, where your closest friend
could also be a tattle-tale for the party, but that's just a tiny bit of what
one could achieve with computers these days.

~~~
beagle3
Please don't put words in my mouth. All I said is that recent events make no
change in how much you can (or cannot) trust your friends, despite your
original apocalyptic comment about all trust now being subverted.

Governments and corporations have always engaged in social engineering.
Facebook has been extremely successful at getting everyone to spy on
themselves and their friends since 2004. MySpace and Friendster were less
successful and earlier. The only thing that is new is the rate and scale of
success.

~~~
EGreg
Right - I just meant that things could start accelerating exponentially and
our systems may not be ready for that.

------
olegious
As if big publishers needed more reasons to sell premium inventory to trusted
advertisers via direct channels (or at the very least private marketplaces).

------
joeyspn
Well, I guess one solution could be as simple as forcing employees to
install/use NoScript...

