Within the last six months, Invincea has discovered and stopped highly targeted malvertising attacks against companies in the Defense industry as part of an active campaign we have dubbed Operation DeathClick.

1. Uncovering Micro-Targeted
Malvertising Against US Defense
Industrial Base
WEBINAR
OCTOBER 16, 2014
PATRICK BELCHER, DIRECTOR OF SECURITY
ANALYTICS, INVINCEA, INC.

2. Patrick Belcher, CISSP, CISM
2
• Analysis Team manager at Riptech, absorbed by
Symantec in 2004.
• Helped stand up the US-CERT for the DHS
• Lead Cyber Security Analyst for FDIC
• RSA/NetWitness
• Cyber analysis and numerous Federal
agencies including the State Department and
Department of Defense
• Performed incident response and analysis
for several fortune 50 companies.
• Invincea- Director of Security and Malware
Analytics

3. Agenda
Thanks for Attending this Webinar! Today we will discuss:
• Operation DeathClick: Attacks Against the US Defense Industrial
Base
• How Advanced Adversaries are Using Micro-Targeting techniques
via Malvertising to Target Your Enterprise
• How Real Time Bidding Works
• How do malvertisers choose targets?
• How do malvertisers setup their malware delivery?
• How to Protect your organization against Targeted Malvertising

4. Operation DeathClick
• Invincea discovered a concerted campaign
against US Defense companies
• Operation DeathClick represents a
blending of traditional cyber-crime
techniques (malvertising) with APT
targeting and objectives
• Expect campaign will soon be used to
target other sectors: financial, Federal,
manufacturing, healthcare, etc.
• Leverages advertising networks on ad-supported
web sites to compromise
specific company networks
• The TTPs involved in DeathClick evade
almost all network-based and traditional
endpoint controls. There is no patch for
this TTP.

5. Micro-Targeting: How Targeted
Can it Be?
You can push targeted ads to:
• A Region
• A City
• A Neighborhood
• Type of shopper
• Gender-specific Ads
• Industry Vertical
• Specific Corporation
• Captive Audience/Wireless Tower
• Specific peoples’ Mobile platform
• Any combination of the Above
A couple of scenarios….
• Activism
• Product Placement
• Special Audience
• Network intrusion

7. Targeting the US Defense
Industrial Base: Dawn.com
DAWN.COM

8. Targeting the US Defense
Industrial Base:
PsychCentral.com
PSYCHCENTRAL.COM

9. Targeting the US Defense
Industrial Base:
FleaFlicker.com
FLEAFLICKER.COM

10. Targeting the US Defense
Industrial Base: GPokr.com
GPOKR.COM

11. Targeting the US Defense
Industrial Base: EarthLink
EARTHLINK.COM

12. Traditional Web Advertising
• Ads were once sold in bulk.
Advertisers paid by the number
of viewer impressions
delivered.
• Advertisers paid more money if
the ad is clicked.
• Actual Ad content is hosted
elsewhere.
• Advertisers chose which sites
to deliver ad content.
Drawbacks:
• Indiscriminate
• Costly
• No great ROI
• Easily Abused

13. Now Ads are Targeted
Ironic targeted ad by Ad Targeting
Company. This ad is a result of my
research into ad bidding.
(cookie based)
This ad delivery targeted me based on my IP
address location in Orlando, FL
(GEO-IP based)

14. How Does Ad Targeting Work?
Big Data!
• Ad Slots Provide the Real
Estate, Typically
Doubleclick
• Other Ad Services and
Intelligence Services
Enhance Targeting
Neustar, Facebook, Twitter, Pubmatic and Others Sell IP intelligence to Ad
Networks.
Ad Networks now sell targeted ads for Advertisers

15. RTB is Now Standard
Ad placement has evolved. Ad networks now run
based on Real-Time Ad Bidding.
Backend Auction happens in milliseconds
Less expensive than bulk impression buys

16. Targeted Advertising Too
Creepy?
Who knows more about you? Ad networks or the NSA?
Now Malvertisers Have the Power of RTB Targeting and they are coming after
YOU!

17. Evading Traditional Defenses
The ability to select a target for compromise and the ease of the execution
via RTB malvertising is known as “micro-targeting via malvertising.”
Without Advanced host protection, this attack is over 95% successful!
• Avoids Proxy blacklists
• Avoids AV detection
• Bypasses most advanced malware interception
• See the Invincea Snipertising Whitepaper for full details
Operation DeathClick (Case Study Available)
Large Defense and Aerospace contractors targeted by RTB for penetration
Malvertising delivered via:
• Pakistani News Outlet
• Fantasy Football Site
• Webmail Ads
• Any advertising supported site
Attacks bypassed superior defense in depth controls including web
proxies were stopped by Invincea

18. Exploited: TheBlaze.com
12 Ads on Homepage!
Pubmatic redirects to
GumGum
Drops Kryptik- changing
hashes

19. Exploited: ShootersForum
Shootersforum:
Openx RTB bid
redirects to in.ua free
host; drops exploit kit
that pops Silverlight

20. Exploited: Trade2win.com
Trade2win.com:
Oxygenmedia ad
bid redirects to
German ad
provider, drops
bundler malware.

21. Exploited: Answers.com
Answers.com:
Clickbait articles drop Kryptik
Hashes constantly change
Malware delivered from
compromised Polish
government sites.

22. How Hard is it to do Targeted
Malvertising?
From SiteScout: You got cash, you can create your own landing pages and
begin bidding.

23. What Much does a Targeted
Malvertisement Bid cost?
65 cents!
Log File from Winning bid against Cox IP Address to drop
Trojan:
http://delivery.firstimpression.com/delivery?action=serve&
ssp_id=3&ssp_wsid=2191400908&dssp_id=100&domain
_id=2191400908&ad_id=748271&margin=0.4&cid=15538
0&bn=sj14&ip_addr=24.234.123.133&ua=1540937276&to
p_level_id=24.234.123.133&second_level_id=154093727
6&page=thanhniennews.com&retargeted=null&height=90
&width=728&idfa=null&android_id=null&android_ad_id=n
ull&bid_price=0.654&count_notify=1&win_price=$AAABS
MPg1dmFEPqXEZe5_CYviub3uOlabldGew

24. Funding a Micro-Targeted
Malvertising Campaign
• Click Fraud funds the operation. Logs
show fake Chrome installed in Java
cache to click on ad banners.
• Kyle and Stan malvertising uses bundled
malware and referral abuse to generate
cash.
• Chrome and bundled programs evade AV
detection.
• Bundled programs spy on endpoints to
improve ad targeting.

25. Where Malvertisers Host
Exploit Landing Pages
• Compromised WordPress Blogs
• Unconfigured Apache hosts
• Cloud-based NGINX subdirectories
• Government and News pages in Poland
• Free Hosting sites such as ua.in
To avoid proxy blacklisting, landing pages are unique and only online for
minutes.
To avoid AV or hash detection, exploits employ unique names and hashes
Landing exploit kits currently focused on cash generation, but can easily
be converted to exfiltration or banking kits.

26. Protect Yourself from
Malvertising
• Deploy Invincea on
EndPoints
Or
• Disallow external web re-direction.
• Demand change in the ad
network business
• OptOut
Only 636 Targeting Ad
Companies to opt out from!
http://www.rubiconproject.com
/privacy/consumer-online-profile-
and-opt-out/
http://preferences-mgr.
truste.com/
http://www.ghosteryenterprise.

27. Invincea Threat Protection
• Contain all web-based attacks in secure virtual containers
• Collect threat forensics on attack
• Protect against known, unknown, and 0-day threats without requiring
signatures

28. Free Invincea Research
Edition
Each detection shown in this presentation is available for
online viewing in the Invincea Research Edition Portal.
Sign up for the Research Edition and get a free licensed
copy of Invincea FreeSpace Research Edition. Click
without fear.

29. Special Thanks and Resources
Invincea Whitepaper on Real Time Ad Bidding
Invincea Case Study: RTB Targeting Defense Industry
Threatpost Kyle and Stan Analysis http://threatpost.com/kyle-and-stan-malvertising-network-
nine-times-bigger-than-first-reported/108435

30. Q&A Session
Invincea Research Edition: www.invincea.com/research-edition
Webinar Recording + Slide deck:
Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

31. Thank you!
Invincea @Invincea
Patrick Belcher
@BelchSpeak