Christopher Furton - Cybersecurity Threat Brief: Malvertising and Watering Holes
1.
2. The evolution of technology leans toward more and more web-based usage
› HTML5 applications
› Software-as-a-Service
Business involvement in social media
› Increased reliance on Facebook, Twitter, and other social sites for customer interactions
› Brand development and growth at a reasonable cost
It is all about the Web, and it will continue that way.
3. Malvertising (or malicious advertising) uses legitimate advertising channels to propagate malicious ads.
Victims may or may not have to click the ads, depending on the attack.
› Clicked ads can redirect the victim to a malicious site
› A zero-day exploit (e.g., in Adobe Flash) can install malware without user action
4. Attacks are generally broad in nature and typically use known vulnerabilities.
Attacks leverage the wide distribution of ads through legitimate ad networks to increase the likelihood of luring a victim.
According to ComScore data [1], 53 billion ads contained malicious content or redirected to malicious content.
5. Leverages rich content from Adobe Flash Player, Reader, etc.
Can use iframe injection to trigger background installations.
Pop-up and banner ads through ad networks.
Clickjacking – tricking a victim into clicking something other than what was intended.
6. Patching – keep browsers (e.g., Firefox, IE, Chrome) up to date. This closes known vulnerabilities before they can be exploited.
Vulnerability Management – implement a scanning process for known vulnerabilities. Identify and remediate.
Monitor outbound traffic – whitelist if possible. Block traffic to known bullet-proof hosts.
Use ad-blocking software such as Ghostery or NoScript (keep in mind the implications).
Train users to hover before clicking.
Configure X-Frame-Options and employ anti-clickjacking attributes.
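The X-Frame-Options item above can be checked mechanically against a site's responses. The following is an added example, not code from the original brief: a small Python checker that classifies a response's headers as protected, weak or unprotected, using constructed sample header sets rather than a live server. The target configuration it assumes (X-Frame-Options: DENY alongside a CSP frame-ancestors directive) is the editor's assumption, not something the deck specifies.

```python
"""Assess HTTP response headers for anti-clickjacking protection.

Added example for the brief's "Configure X-Frame-Options" item; not code from
the original deck. All header sets below are constructed samples.
"""
from typing import Dict, List, Tuple

# Assumed target configuration: CSP frame-ancestors is the modern control,
# X-Frame-Options is kept for older browsers that only understand it.
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when the header is absent."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def parse_frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the CSP frame-ancestors directive ([] if unset)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return []


def assess_clickjacking(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response as 'protected', 'weak' or 'unprotected' with a reason.

    Browsers that understand CSP frame-ancestors enforce it and ignore
    X-Frame-Options when both are present, so it is evaluated first.
    """
    ancestors = parse_frame_ancestors(get_header(headers, "Content-Security-Policy"))
    if ancestors:
        if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
            return "weak", "frame-ancestors allows any origin"
        return "protected", f"frame-ancestors {' '.join(ancestors)}"

    xfo = get_header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo} (add CSP frame-ancestors as well)"
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is deprecated and ignored by modern browsers"
    if xfo:
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"
    return "unprotected", "no X-Frame-Options and no CSP frame-ancestors"


# Constructed sample responses (header names in mixed case on purpose).
SAMPLE_RESPONSES = {
    "bare": {"Content-Type": "text/html"},
    "xfo_deny": {"content-type": "text/html", "x-frame-options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    # A permissive CSP overrides a strict X-Frame-Options in modern browsers.
    "weak_both": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def assess_all(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Verdict per named sample."""
    return {name: assess_clickjacking(h)[0] for name, h in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        verdict, reason = assess_clickjacking(headers)
        print(f"{name:15} {verdict:12} {reason}")
```

The checker treats a CSP frame-ancestors wildcard as weak even when X-Frame-Options says DENY, because the CSP directive wins wherever it is supported; the same function can be pointed at real headers captured from a proxy or a scanner.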
7. Watering Holes – compromised trusted websites contain malware.
Trust relationships between sites are exploited to push malware to the user.
Often use zero-day vulnerabilities to execute the attack.
8. Attacks are generally narrow in nature and typically use unknown vulnerabilities.
Attacks are typically targeted and require significant intelligence resources.
Much more sophisticated than other attacks (i.e., smells like state-sponsored).
9. Leverages application-layer protocols including TLS/SSL and HTTP.
Often browser-specific due to unique vulnerabilities.
Can exploit Application Programming Interfaces (APIs) such as ActiveX.
10. Very little can be done to specifically mitigate watering hole attacks. However:
› Vulnerability Management will help patch holes as soon as they are announced.
› Monitoring outbound traffic can help identify whether an exploit has been successful.
› Strong incident response to identify and react, minimizing damage.
› Network segmentation to minimize exposure.
› Overall high security awareness in the organization.
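Both the malvertising mitigations ("monitor outbound traffic – whitelist if possible, block traffic to known bullet-proof hosts") and the watering-hole item above ("monitoring outbound traffic can help identify whether an exploit has been successful") come down to the same detection: compare each outbound web request against an allowlist and a blocklist and alert on the rest. The following is an added example, not code from the original brief. The proxy log format, the log lines, the allowlist and the blocklist are all constructed samples; in practice the blocklist would come from a threat-intelligence feed.

```python
"""Flag outbound web requests that leave an allowlist or hit a blocklist.

Added example for the brief's "monitor outbound traffic" items (slides 6 and
10); not code from the original deck. Log lines, the allowlist and the
blocklist are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set
from urllib.parse import urlsplit

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2015-06-01T09:00:01Z 10.1.2.3 GET https://www.example-corp.com/ 200
2015-06-01T09:00:05Z 10.1.2.3 GET https://cdn.example-corp.com/app.js 200
2015-06-01T09:00:09Z 10.1.2.3 GET http://ads.redirector.test/land?id=7 302
2015-06-01T09:00:10Z 10.1.2.3 GET http://drop.bulletproof-host.test/player.swf 200
2015-06-01T09:01:00Z 10.1.2.4 GET https://www.example-corp.com/news 200
not a log line
"""

# Hosts the business actually needs (the "whitelist" in the brief's wording).
ALLOWLIST: Set[str] = {"www.example-corp.com", "cdn.example-corp.com"}
# Placeholder for a threat-intel feed of known bullet-proof hosting domains.
BLOCKLIST: Set[str] = {"bulletproof-host.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    ts: str
    client: str
    host: str
    reason: str


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, '' when it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def in_domain_set(host: str, domains: Iterable[str]) -> bool:
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(text: str, allowlist: Set[str], blocklist: Set[str]) -> List[Alert]:
    """Return one alert per request that is blocklisted or off the allowlist."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, a real collector would count these
        host = host_of(m["url"])
        if in_domain_set(host, blocklist):
            alerts.append(Alert(m["ts"], m["client"], host, "known bullet-proof host"))
        elif not in_domain_set(host, allowlist):
            alerts.append(Alert(m["ts"], m["client"], host, "not on allowlist"))
    return alerts


def clients_to_triage(alerts: List[Alert]) -> List[str]:
    """Clients that reached a blocklisted host: candidates for incident response."""
    return sorted({a.client for a in alerts if a.reason == "known bullet-proof host"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, ALLOWLIST, BLOCKLIST)
    for a in found:
        print(f"{a.ts} {a.client} -> {a.host}: {a.reason}")
    print("triage:", clients_to_triage(found))
```

On the sample log the first client hits an ad redirector that is off the allowlist and then a blocklisted host a second later, which is exactly the redirect-then-payload sequence the brief describes; the blocklist hit is what moves that client from "investigate" to "contain".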
11. 1 – http://www.mintel.com/blog/technology-market-news/malvertising-the-internets-billion-dollar-problem
2 – Cyveillance – a QinetiQ Company – https://blog.cyveillance.com/when-good-sites-go-bad-malvertising-and-watering-holes-infographic/?utm_source=social&utm_medium=twitter&utm_content=post%204&utm_campaign=MWH
Great infographic: https://blog.cyveillance.com/wp-content/uploads/Malvertise_info_6001.jpg
12. Christopher Furton is an Information Technology Professional with over 12 years in the industry. He attended The University of Michigan, earning a B.S. in Computer Science, and completed an M.S. in Information Management from Syracuse University in 2015. His career includes managing small to medium size IT infrastructures, service desks, and IT operations. Over the years, Christopher has specialized in Cyber Security while working within the Department of Defense and the United States Marine Corps. His research topics include vulnerability management, cyber security governance, privacy, and cyber risk management. He holds active IT certifications including the CISSP, CEH, ITIL Foundations, Security+CE and Network+CE. He can be found on LinkedIn, Google+, and Twitter @IT_Mgmt_Chris.
Additional information is available on Christopher Furton's website at http://christopher.furton.net.