Malvertizing
Like a PRO
A JUMP INTO THE NEWEST ATTACK VECTOR
TAKING IT TO THE NEXT LEVEL
Introduction
• Pen-Tester with Veris Group
• Previous ARMY
• How to find me:
• @Killswitch_GUI
• CyberSyndicates.com
Warning!
What I'm not:
• An SME in Malware or Reverse Engineering
• Part of a Cyber Crime ring performing this every day
• What this is:
• My take on Ad based malware
• My journey on how I would execute it
• Pure speculation of what's open source
• What we will cover
• Ad Based Malware
• Touch of OSINT
• My Campaign Methods and Failure
ALL DATA Collected using Open Source methods
Overview
• Forming an attack based on Strategic Malvertising using targeting principles
• What is Malvertising
• What's Malvertising vs Strategic Malvertising
• What makes this so important (What don't I already know)
• Potential methods it can be used to conduct social engineering
• How to target specific, completely unknown individuals within a demographic group?
• How effective is it, and is it worth the resources required?
Current Malware Trends
• Phishing still effective
• Major increase in Ad Delivery - 350%
• Secondary and Trusted C2 being used (Covert C2)
• Duke / Cloud Duke Toolsets
• Twitter / OneDrive / Cloud Storage
• Web Exploit Kits from years ago still working
• C2 is becoming difficult to detect
• Out of Band Communications
• Implied Trust (WE WILL COVER THIS)
• Notable Cases:
• APT 29: HAMMERTOSS
• Flash Zero Day Ad Based
Talking money
• Delivering malware to generate AD traffic
• Text / HTML ADs
• Video AD’$
• Delivering Ransomware
• Crypto
• Legit Business
• Cost publishers more than $21.8 billion in 2015 in lost revenue
Impacting Legit Business
What is Malvertizing?
• It is the use and abuse of Ad services by attackers to deliver malicious content, using the ad service providers' vast audience network. They can leverage this legitimate function to distribute their malware.
• Many forms of malware-based ad-ware attacks exist
• Compromised Ad-Companies
• Impersonation of legitimate companies
• Malware being hosted in ADs
• Legitimate Targeted campaigns
Core Fundamentals
• Major players
• Google
• Facebook*
• Microsoft
• Main Types of Delivery methods
• Social media marketing
• Sponsored search
• Compensation methods
• CPM (cost per mille)
• CPE (cost per engagement)
• CPC (cost per click)
• CPV (cost per view)
Core Fundamentals Cont.
• Ease of deployment (availability)
• The targeting platform is already built
• Benefits of Web Ads:
• Cost – There is a reason why AD profits are in the Billions
• Measurable – Powerful analytics and cross-platform support is built
• Targeted?
Big Data Analytics
• Analytical engines at your fingertips
• Broad – Zip code
• Specific – Job title
• Extremely Accurate
• Most Ad-Delivery systems display potential reach
• Target research methods
• We give our data away for free..
Malvertizing in the Wild
• AD injection:
• Exploitation of routers and redirecting DNS
• Attacker can simply redirect normal AD traffic queries and place their AD in play
• This has been used to replace Google Analytics JS code and ADs
• Passive Collection of AD data
• Capabilities of Ad / Tracking
• This data can be sold or used for other Intelligence Collection Campaigns
• Canadian ISP was caught MITM in 2014 stealing data from HTTP AD traffic
Malvertizing in the Wild
• Exploit within AD traffic:
• Using obfuscated Flash exploits, attackers are able to launch exploits from legit ADs
• Exploit AD Companies:
• Campaign is put in motion after gaining access to AD serving organization
• Redirects traffic to Exploit Kit
• Drop Exploit Kit of choice: Angler etc.
• Begins Click Fraud activity
Malvertizing in the Wild
AD Fraud Exploit Kits:
Increasing dramatically!
Poweliks: later versions sported Ad-Clicking Component
Kovter:
• Evolved from stand-alone to fully deployable with other exploit kits like Angler, Nuclear Pack
• Allows for even Flash-based Video Ads to be played for high ROI
Blue Team / Defenders
• So why should I care?
• Online attack surface has greatly reduced
• Phishing is still Hot!
• Circumventing millions in security: email / Phishing
• With that comes every vendor in the sector with:
• Sandbox appliances
• Content Filtering
• Spam Filters
• Delivery method is trusted:
• Do you block Twitter / Facebook / Google?
• Reputable sites?
• AD Delivery / C2 Channel all on one platform
• Good luck finding that
Systematic problem
• Why it isn’t a Script Kiddie solution
• Why it has to be funded..
• It takes money to make money
• ROI - It makes more money than put in?
• Implied Trust of many Ad Agencies and sites using their services
My take on AD Delivery
My Methodology / Target Selection
• Demographic Nomination
• Target Selection
• SE/OSINT Research
• Campaign Development
• Reputation Development
• Deployment
Digging into Targeting
Calculating Reach
• Reach is an important factor of targeting
• Gives you a metric to calculate potential demographic
• Need to judge an organization's size / Facility Activity / increases or presence?
• Employees
• Geographical location
• Important concept for OSINT
• Will I even have impact?
Recon / Sampling reach
Selecting a Sample Cont.
OSINT
• Open Source Intelligence Collection Applications
• Used in many types of operations
• Penetration Testing
• Physical Assessments
• Targeting
• Levels:
• Physical - Things we can touch and see
• Logical - Things over the wire
• Individual - Persona Layer / Exploiting the nature of Humans
Questions that Need to be Asked
• What time frame will be effective?
• Work Hours:
• After Hours:
• What System will I be targeting to reach my target audience
• Mobile Platform:
• We may even be able to target exact OS
• Desktop OS
• Laptop Users traveling?
• May not be patched for a short period of time
Need to deliver based on schedule? No Prob!
Exploit only works on XP or exact OS, on IE? No Prob!
Mobile Exploit? Certain Mobile OS? By Brand?
Exact mobile brand? Exact Model!?
• Yea this is scary granularity!
Power of Big Data Targeting
• Small Meta-Data that is data…
• WIGLE
• WIGLE + compromised Host = Potential Geographical location
• Orientate an attacker
• Can be done with so many methods…
• Query registry for past locations
• Ability to build a timeline (Forensic Capability)
• Social-Mention
• HONEY BADGER – Tim Tomes
Power of OSINT
• ICWATCH:
• https://transparencytoolkit.org
• https://github.com/transparencytoolkit
Don’t Suggest that but..
Think Nation State?
• “Hacking Team” - Beat a dead horse anyone?
• De-anonymizing Location based on WLAN interface
• Un-Cloaking physical Locations
Offensive Targeting
• Imagine a world where you could deploy your malware only to people:
• Making 100k+
• Work for: “fill in agency here”?
• More advanced campaigns being deployed?
• Crime
• Collection
• Could support the IC effort of many countries
• Getting into deep water..
Traditional Targeting
• Phishing Campaigns – Social Engineering for *clicks*
Phishing
• Very Common / Known
• Methodology
• Very successful on engagements
• This same principle is how I created ADs
• Changing surface / Constraint of phishing
• Lack ability to pinpoint demographics
• The days of dumping every user in directory using ( * ) may be gone
• Training increased / Trust has decreased in email
• TONS OF APPLIANCES protecting email!
• SPF Records / Correctly configured Mail servers verifying multiple fields of mail
Combined with a touch of SE
• Same principles as Phishing Move over
• Trending Results using Facebook
• Selecting SE topic
• Using topic
That SEO thing
• Another Great SE technique to get a campaign off the ground
• Another important aspect to SE or Any Targeting.
• You wouldn't launch a Phishing Campaign saying you're Marketing coming from it-support.net
• Using SEO Tools to build (BUY):
• Instant Reputation
• Instant Legitimacy
• I attempted this but sadly during testing FB cracked down!
What this means
• I can now target at a:
• Physical Layer
• Logical Layer
• I can correlate targets Using Demographics
• Location
• Jobs / workplace / salary etc.
One Week Campaign
Setup
• Domain Name (Something Reliable)
• VPS (Hosting) / Apache Vhosts / Static Content
• Analytics (Google-Analytics)
• Ad Campaign (Facebook)
• $20 a campaign
• A good idea to SE
SE AD Targets
• Augusta, GA – Broad Target AD
• Anyone in 25mi Range
• Augusta, GA – Targeted Demographic AD
• Anyone in 25mi Range
• Employer Specific
• Time Range
• AD Types:
• Web-Site clicks
• Post Promotion
Setup Analytics
Building a Relevant Page
• Targets: Augusta, GA
• Target Demographic: Cyber / Location Based
Building AD #1 – Broad Target
• Select Control:
• How do I get them to take notice?
• Tag-Line: Needed to be something Impactful
• Deceiving: Had to be Believable but won't deliver 100% truth.
• Enticing Image: Most important Aspect, everyone loves images
Build out Clone Site
• Used Httrack for cloning of legit Data.. FB has to catch this!
Build out Config
• Left these for testing their “Review”
• Put in some Meta Tags for Picture Population
• Removed all the original Google Tracking JS so we don’t pop up under their account.
Ad #1
• Videos are very successful marketing tools
• Can be easy wins
AD #1 – Not so fast
• They actually enforce some policies I found out :/
AD #1 Cont.
AD #1 Setup
AD #1 Optimization
AD #1 Optimization cont.
AD #2 Setup
http://chronicle.augusta.com/news/business/2014-02-27/cyber-general-touts-benefits-fort-gordon-growth
AD #2 – Targeted Demographics
• Selected Topic / Control:
• Certain location “Fort Gordon”
• Target:
• How do I get them to take notice?
• Tag-Line: Home Values “I may have some inside knowledge”
• Hint: It's about what a ton of people talk about in this area.
• Deceiving: Large Increase coming!
• Target Details Matter for Accuracy:
• Life Style
• Devices / Platform
• Work hours
Website?
• Let's test that review process:
• Submit a simple WordPress page with an embedded video. Then remove for the duration of the test
• Host a simple index.html with JS for GA
• Questions that should be asked and how they relate to malware:
• Will they detect this major change?
• Can someone even report a shady link?
• How long will it stay up?
AD #2 Demographics
AD #2 Configurations / AD Placement
AD #1 Analytics
Drilling Down on Geo
• GA makes Geographic analytics streamlined and Accurate down to the city
• 25 mi range on Augusta, GA seems pretty accurate!
Service Providers
• Makes tracking specific targets quite helpful
• Tracking user agents in GA is simple
AD #2 Analytics - Web Clicks
Geographic Stats
(not set)
Am I really Hitting my Target?
• Geographically it's easy to say “YES”
• Accurate GEOIP API services by Google
• What about Demographic:
• Harder to determine true accuracy
• Service Providers can be a major Identifier if they use a certain ISP or have their own!
• Page Interaction can be a HUGE identifier
• Likes
• Comments
Am I really Hitting my Target? (not set)
• Found 95 sessions of 273 to be (not Set) as the ISP…
• Could this be proper filtering / Anonymization?
• Take the time and verify your results
• Also always resolve domain name!
• This data was reassuring that I was on the right track
Am I really Hitting my Target cont.
• Facebook Likes / Comments:
• Helps perform post analysis of the target audience
• All 8x likes were affiliated with my target audience.
Putting it in Context
• One guy with limited funds and some time
• Conducted 2 Ad campaigns
• Each campaign took 6 hours from OSINT to Delivery
• Each campaign ran one week at $20 each
• Campaign 1 had 143 engagements, 2k reach
• Campaign 2 had 219 engagements, 3k reach
• Calculation:
• Well funded group with 10k budget for a campaign and 160 hours.
• On avg .09 cents per unique engagement
• Potential = 26 unique ADs, 111,111 Engagements, and 1.5M Reach!
• I would consider this an extremely effective means of a targeted campaign.
Major Findings
• Review process is a joke:
• Couldn’t detect a clearly cloned website by static HTML source
• The cloned website still had complete favicon / logos / static source of the cloned website
• Do they even scan for malware?
• Continued monitoring
• Set up a page and immediately removed it and replaced with a simple index.html page with JS
• Ran for one week and didn't raise one flag?
• I can simply submit an ad and host malware 10 mins later?
Are Ad Agencies protecting us
• Google
• Moving to Encrypted Ads June 30th
• Only Protects Ad injection at the network layer (Compromised Routers)
• Facebook
• RiskIQ - monitoring advertising pages to protect users from malicious ads
• Interesting collegial research on detecting cloned pages
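Added example (not part of the original deck): a sketch of the two review checks the Major Findings slide says never fired, namely clone markers left in a submitted page's static source and a changed landing page after approval. The hostnames, HTML samples, function names and the 0.5 threshold are constructed assumptions; the only real-world artifact relied on is the "Mirrored from ... by HTTrack Website Copier" comment that HTTrack writes into mirrored pages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTTrack writes this comment into every page it mirrors.
HTTRACK_RE = re.compile(r"Mirrored from\s+(\S+)\s+by HTTrack Website Copier", re.I)
DRIFT_THRESHOLD = 0.5  # assumed cut-off; tune against real re-crawl data

class PageFeatures(HTMLParser):
    """Collects the features used by the two checks below."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.mirrored_from = None    # origin named in an HTTrack comment
        self.declared_hosts = set()  # hosts in canonical / og:url / og:image
        self.tokens = set()          # tag names, script sources, text words

    def handle_comment(self, data):
        match = HTTRACK_RE.search(data)
        if match:
            self.mirrored_from = match.group(1)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        self.tokens.add("<%s>" % tag)
        if tag == "script" and attr.get("src"):
            self.tokens.add("script:" + attr["src"])
        url = None
        if tag == "link" and (attr.get("rel") or "").lower() == "canonical":
            url = attr.get("href")
        elif tag == "meta" and attr.get("property") in ("og:url", "og:image"):
            url = attr.get("content")
        host = urlparse(url or "").hostname
        if host:
            self.declared_hosts.add(host.lower())

    def handle_data(self, data):
        self.tokens.update(w.lower() for w in re.findall(r"[A-Za-z]{4,}", data))

def extract(html):
    parser = PageFeatures()
    parser.feed(html)
    parser.close()
    return parser

def same_site(host, serving_host):
    # Simplification: exact host or subdomain match, no public-suffix list.
    return host == serving_host or host.endswith("." + serving_host)

def review_findings(serving_host, html):
    """Static checks at submission time: clone markers left in the source."""
    feats = extract(html)
    findings = []
    if feats.mirrored_from:
        findings.append("httrack-mirror-of:" + feats.mirrored_from)
    for host in sorted(feats.declared_hosts):
        if not same_site(host, serving_host.lower()):
            findings.append("foreign-identity:" + host)
    return findings

def similarity(approved_html, current_html):
    """Jaccard similarity between the approved page and a later re-crawl."""
    a, b = extract(approved_html).tokens, extract(current_html).tokens
    return len(a & b) / len(a | b) if (a | b) else 1.0

def has_drifted(approved_html, current_html):
    return similarity(approved_html, current_html) < DRIFT_THRESHOLD

# Constructed samples: a mirrored article as submitted for review, and the
# bare analytics page that replaced it after approval.
APPROVED = """<html><head><title>Home values set to rise</title>
<!-- Mirrored from news.example.com/story.html by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 05 Oct 2015 10:00:00 GMT -->
<link rel="canonical" href="https://news.example.com/story.html">
<meta property="og:image" content="https://news.example.com/img/lead.jpg">
</head><body><h1>Home values set to rise</h1>
<p>Local growth is expected to lift housing prices across the county.</p>
</body></html>"""
SWAPPED = """<html><head><title>Welcome</title>
<script src="https://analytics.example.org/ga.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(review_findings("local-homes.example.net", APPROVED))
    print(round(similarity(APPROVED, SWAPPED), 2), has_drifted(APPROVED, SWAPPED))
```

Run at submission time and again on a schedule after approval; a drift flag on a live ad is the signal to pull it back into review.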
Getting the Most out of a Campaign: Tips
• Proper recon is crucial
• Proper SE campaign must be relevant with your target.
• Holistic view of an ad:
• How do I view ads as a user?
• What do I click on and what do I not?
• Videos / Posts / News
• CPC Compensation
Twitter How I Hate you
• Rule one: Don’t buy bots and get caught in the Sec industry
• @jaredcatkinson
Lessons Learned
• Twitter is a news source, not so much of a social source.
• Although they have just as powerful analytic engines when it comes to AD delivery
• Scary Easy to run a simple yet targeted campaign with relatively accurate results
• Big shout out to:
• @Slacker007 – keelyn roberts
• @Hashtagcyber – Matt Domko


Editor's Notes

  • #21 Question: What if I want to keep tabs on movements, increases and activity of facility?
  • #24 OSINT: Form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence
  • #25 I want to target work resources? (9 to 5) Remote / Home Users will be out of patch?
  • #58 -Make your own assumptions -Kept it Wide!!