Malvertizing Like a Pro
A jump into the newest attack vector: taking it to the next level
Introduction
• Pen-tester with Veris Group
• Previously Army
• How to find me: @Killswitch_GUI, CyberSyndicates.com
Warning!
What I'm not:
• A SME in malware or reverse engineering
• Part of a cyber crime ring performing this every day
What this is:
• My take on ad-based malware
• My journey on how I would execute it
• Pure speculation on what's open source
What we will cover:
• Ad-based malware
• A touch of OSINT
• My campaign: methods and failure
ALL DATA collected using open source methods
Overview
Forming an attack based on strategic malvertising using targeting principles:
• What is malvertising? Malvertising vs. strategic malvertising
• What makes this so important (what don't I already know)?
• Potential methods it can be used for to conduct social engineering
• How to target specific, completely unknown individuals within a demographic group?
• How effective is it, and is it worth the resources required?
Current Malware Trends
• Phishing still effective
• Major increase in ad delivery: 350%
• Secondary and trusted C2 being used (covert C2): Duke / CloudDuke toolsets; Twitter / OneDrive / cloud storage
• Web exploit kits from years ago still working
• C2 is becoming difficult to detect: out-of-band communications, implied trust (WE WILL COVER THIS)
• Notable cases: APT 29 HAMMERTOSS; Flash zero-day, ad based
Talking Money
• Delivering malware to generate ad traffic: text / HTML ads, video ad$
• Delivering ransomware / crypto
• Impacting legit business: cost publishers more than $21.8 billion in 2015 in lost revenue
What is Malvertizing?
It is the use and abuse of ad services by attackers to deliver malicious content, using the ad service providers' vast network of audience. They can leverage this legitimate function to distribute their malware.
Many forms of malware-based adware attacks exist:
• Compromised ad companies
• Impersonation of legitimate companies
• Malware being hosted in ads
• Legitimate targeted campaigns
Core Fundamentals
• Major players: Google, Facebook*, Microsoft
• Main types of delivery methods: social media marketing, sponsored search
• Compensation methods: CPM (cost per mille), CPE (cost per engagement), CPC (cost per click), CPV (cost per view)
Core Fundamentals Cont.
• Ease of deployment (availability): the targeting platform is already built
• Benefits of web ads:
  • Cost: there is a reason why ad profits are in the billions
  • Measurable: powerful analytics and cross-platform support are built in
  • Targeted? Big data analytics, analytical engines at your fingertips: broad (zip code) to specific (job title)
  • Extremely accurate: most ad-delivery systems display potential reach
• Target research methods: we give our data away for free..
Malvertizing in the Wild: Ad Injection
• Exploitation of routers and redirecting DNS: an attacker can simply redirect normal ad traffic queries and place their ad in play. This has been used to replace Google Analytics JS code and ads.
• Passive collection of ad data / capabilities of ad tracking: this data can be sold or used for other intelligence collection campaigns
• A Canadian ISP was caught MITM in 2014 stealing data from HTTP ad traffic
Malvertizing in the Wild: Exploit within Ad Traffic
• Using obfuscated Flash exploits, attackers are able to launch exploits from legit ads
• Exploit ad companies: the campaign is put in motion after gaining access to the ad-serving organization
  • Redirects traffic to an exploit kit; drops the exploit kit of choice: Angler etc.
  • Begins click-fraud activity
Malvertizing in the Wild: Ad Fraud Exploit Kits
Increasing dramatically!
• Poweliks: later versions sported an ad-clicking component
• Kovter: evolved from stand-alone to fully deployable with other exploit kits like Angler, Nuclear Pack; allows even Flash-based video ads to be played for high ROI
Blue Team / Defenders: So why should I care?
• Online attack surface has greatly reduced; phishing is still hot! Circumventing millions in security: email / phishing
• With that comes every vendor in the sector with: sandbox appliances, content filtering, spam filters
• Delivery method is trusted: do you block Twitter / Facebook / Google? Reputable sites?
• Ad delivery / C2 channel all on one platform: good luck finding that
• Systemic problem
Why it isn't a Script Kiddy solution / Why it has to be funded..
• It takes money to make money
• ROI: it makes more money than is put in?
• Implied trust of many ad agencies and the sites using their services
My take on Ad Delivery
My Methodology / Target Selection:
Demographic Nomination → Target Selection → SE/OSINT Research → Campaign Development → Reputation Development → Deployment
Digging into Targeting
Calculating reach:
• Reach is an important factor of targeting: it gives you a metric to calculate the potential demographic
• Need to judge an organization's size / facility activity (increases or presence?), employees, geographical location
• Important concept for OSINT: will I even have impact?
Recon / Sampling Reach
Selecting a Sample Cont.
OSINT: Open Source Intelligence Collection
Applications: used in many types of operations: penetration testing, physical assessments, targeting
Levels:
• Physical: things we can touch and see
• Logical: things over the wire
• Individual: persona layer / exploiting the nature of humans
Questions that Need to be Asked
• What time frame will be effective? Work hours vs. after hours
• What system will I be targeting to reach my target audience? Mobile platform: we may even be able to target the exact OS. Desktop OS. Laptop users traveling? May not be patched for a short period of time.
• Need to deliver based on a schedule? No prob!
• Exploit only works on XP or an exact OS, on IE? No prob!
• Mobile exploit? Certain mobile OS? By brand? Exact mobile brand? Exact model!?
Yea, this is scary granularity!
Power of Big Data Targeting
• Small metadata that is data… WIGLE
• WIGLE + compromised host = potential geographical location; orientates an attacker. Can be done with so many methods…
• Query the registry for past locations; ability to build a timeline (forensic capability)
• Social-Mention
• HONEY BADGER: Tim Tomes
Power of OSINT
• ICWATCH: https://transparencytoolkit.org, https://github.com/transparencytoolkit
• Don't suggest that but.. think nation state? "Hacking Team": beat a dead horse anyone? De-anonymizing location based on WLAN interface; uncloaking physical locations
Offensive Targeting
Imagine a world where you could deploy your malware only to people:
• Making 100k+
• Working for: "fill in agency here"?
More advanced campaigns being deployed? Crime collection; could support the IC effort of many countries. Getting into deep water..
Traditional Targeting
Phishing campaigns: social engineering for *clicks*
• Phishing: very common / known methodology, very successful on engagements
• This same principle is how I created ads
Changing surface / constraints of phishing:
• Lack of ability to pinpoint demographics
• The days of dumping every user in the directory using (*) may be gone
• Training increased / trust has decreased in email
• TONS OF APPLIANCES protecting email! SPF records / correctly configured mail servers verifying multiple fields of mail
Combined with a touch of SE
Same principles as phishing. Move over.
Trending Results using Facebook: selecting the SE topic, using the topic
That SEO thing
• Another great SE technique to get a campaign off the ground
• Another important aspect to SE or any targeting: you wouldn't launch a phishing campaign saying your marketing is coming from it-support.net
• Using SEO tools to build (BUY): instant reputation, instant legitimacy
• I attempted this but sadly during testing FB cracked down!
What this means
• I can now target at a: physical layer, logical layer
• I can correlate targets using demographics: location, jobs / workplace / salary etc.
One Week Campaign
Setup:
• Domain name (something reliable)
• VPS (hosting) / Apache vhosts / static content
• Analytics (Google Analytics)
• Ad campaign (Facebook): $20 a campaign
• A good idea to SE
SE Ad Targets
• Augusta, GA, broad-target ad: anyone in 25 mi range
• Augusta, GA, targeted-demographic ad: anyone in 25 mi range, employer specific, time range
• Ad types: website clicks, post promotion
Setup Analytics
Building a relevant page. Targets: Augusta, GA. Target demographic: cyber / location based.
Building Ad #1: Broad Target
Select control: how do I get them to take notice?
• Tag-line: needed to be something impactful
• Deceiving: had to be believable but won't deliver 100% truth
• Enticing image: the most important aspect, everyone loves images
Build out Clone Site
• Used HTTrack for cloning of legit data.. FB has to catch this!
Build out Config
• Left these in for testing their "review"
• Put in some meta tags for picture population
• Removed all the original Google tracking JS so we don't pop up under their account.
Ad #1
Videos are very successful marketing tools; can be easy wins.
Ad #1: Not so fast
They actually enforce some policies, I found out :/
Ad #1 Cont.
Ad #1 Setup
Ad #1 Optimization
Ad #1 Optimization cont.
Ad #2 Setup
http://chronicle.augusta.com/news/business/2014-02-27/cyber-general-touts-benefits-fort-gordon-growth
Ad #2: Targeted Demographics
Selected topic / control: certain location, "Fort Gordon"
Target: how do I get them to take notice?
• Tag-line: home values, "I may have some inside knowledge". Hint: it's about what a ton of people talk about in this area.
• Deceiving: large increase coming!
Target details matter for accuracy: lifestyle, devices / platform, work hours
Website? Let's test that review process:
• Submit a simple WordPress page with an embedded video. Then remove it for the duration of the test.
• Host a simple index.html with JS for GA
Questions that should be asked, and how they relate to malware:
• Will they detect this major change?
• Can someone even report a shady link?
• How long will it stay up?
Ad #2 Demographics
Ad #2 Configurations / Ad Placement
Ad #1 Analytics
Drilling Down on Geo
• GA makes geographic analytics streamlined and accurate down to the city
• 25 mi range on Augusta, GA seems pretty accurate!
• Service providers: makes tracking specific targets quite helpful
• Tracking user agents in GA is simple
Ad #2 Analytics: Web Clicks
Geographic Stats: (not set)
Am I really Hitting my Target?
• Geographically it's easy to say "YES": accurate GeoIP API services by Google
• What about demographics? Harder to determine true accuracy
  • Service providers can be a major identifier if they use a certain ISP or have their own!
  • Page interaction can be a HUGE identifier: likes, comments
Am I really Hitting my Target? (not set)
• Found 95 sessions of 273 to be (not set) as the ISP…
• Could this be proper filtering / anonymization? Take the time and verify your results. Also, always resolve the domain name!
• This data was reassuring that I was on the right track
Am I really Hitting my Target? cont.
• Facebook likes / comments: helps perform post-analysis of the target audience
• All 8 likes were affiliated with my target audience.
Putting it in Context
• One guy with limited funds and some time conducted 2 ad campaigns
• Each campaign took 6 hours from OSINT to delivery; each campaign ran one week at $20 each
• Campaign 1 had 143 engagements, 2k reach; Campaign 2 had 219 engagements, 3k reach
Calculation: a well-funded group with a 10k budget for a campaign and 160 hours, at on avg $.09 per unique engagement.
Potential = 26 unique ads, 111,111 engagements, and 1.5M reach!
I would consider this an extremely effective means of running a targeted campaign.
Major Findings
Review process is a joke:
• Couldn't detect a clearly cloned website by static HTML source
• The cloned website still had the complete favicon / logos / static source of the cloned website
• Do they even scan for malware?
Continued monitoring:
• Set up a page and immediately removed it and replaced it with a simple index.html page with JS
• Ran for one week and didn't raise one flag? I can simply submit an ad and host malware 10 mins later?
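The two review gaps above (a cloned landing page whose favicon, logos and tracking code still point at the original site, and a page swapped out after approval) are exactly what a platform-side review check could look for. The following Python is an added example, not code from the talk or from any ad platform: it fingerprints what a landing page loads, flags foreign-host assets and unexpected Google Analytics IDs, and detects drift between the approved and live versions. The sample pages, the `landing.example` domain and the third-party allowlist are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")      # classic GA property IDs
ALLOWED_THIRD_PARTY = {"www.google-analytics.com"}     # assumed review allowlist


class _AssetParser(HTMLParser):
    """Collect URLs a page loads (scripts, images, icons, styles, frames) and count scripts."""
    def __init__(self):
        super().__init__()
        self.urls, self.scripts = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.scripts += tag == "script"
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        if tag == "link" and a.get("href"):
            self.urls.append(a["href"])


def fingerprint(html, landing_domain):
    """Hosts other than the landing domain, GA IDs found in the source, and script count."""
    p = _AssetParser()
    p.feed(html)
    hosts = {urlparse(u).netloc.lower() for u in p.urls}
    foreign = sorted(h for h in hosts if h and h != landing_domain
                     and not h.endswith("." + landing_domain))
    return {"foreign_hosts": foreign, "scripts": p.scripts,
            "ga_ids": sorted(set(GA_ID_RE.findall(html)))}


def review(html, landing_domain, expected_ga_ids=()):
    """Findings a reviewer should act on before approving the landing page."""
    fp = fingerprint(html, landing_domain)
    findings = [f"loads assets from another site: {h}"
                for h in fp["foreign_hosts"] if h not in ALLOWED_THIRD_PARTY]
    findings += [f"unexpected analytics ID {g} (copied from the cloned site?)"
                 for g in fp["ga_ids"] if g not in expected_ga_ids]
    return findings


def drifted(approved_html, live_html, landing_domain):
    """True when the live page no longer matches the fingerprint approved at review."""
    return fingerprint(approved_html, landing_domain) != fingerprint(live_html, landing_domain)


# Constructed samples: a clone still using the original site's favicon/logo/GA ID, and the approved vs. live page.
CLONE = ('<html><head><link rel="icon" href="https://legit-news.example/favicon.ico">'
         '<script src="https://www.google-analytics.com/analytics.js"></script>'
         "<script>ga('create', 'UA-12345-6', 'auto');</script></head>"
         '<body><img src="https://legit-news.example/img/logo.png"></body></html>')
APPROVED = '<html><body><iframe src="https://video.example/v/1"></iframe></body></html>'
LIVE = '<html><head><script src="https://www.google-analytics.com/analytics.js"></script></head></html>'
```

Re-running `fingerprint` on a schedule and alerting on `drifted` is the "continued monitoring" the talk found missing; the review findings alone would have caught the cloned static source.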
Are Ad Agencies protecting us?
• Google: moving to encrypted ads June 30th. Only protects against ad injection at the network layer (compromised routers)
• Facebook
• RiskIQ: monitoring advertising pages to protect users from malicious ads
• Interesting collegiate research on detecting cloned pages
Getting the Most out of a Campaign: Tips
• Proper recon is crucial
• A proper SE campaign must be relevant to your target
• Holistic view of an ad: how do I view ads as a user? What do I click on and what do I not? Videos / posts / news
• CPC compensation
Twitter, How I Hate You
Rule one: don't buy bots and get caught in the sec industry
@jaredcatkinson
Lessons Learned
• Twitter is a news source, not so much a social source, although they have just as powerful analytic engines when it comes to ad delivery
• Scary easy to run a simple yet targeted campaign with relatively accurate results
Big shout out to:
• @Slacker007 – Keelyn Roberts
• @Hashtagcyber – Matt Domko