563% increase in browser locker detection uncovers a new digital threat: Push Lockers

It should come as no surprise to anyone involved in the digital advertising ecosystem that fraudsters are always looking for new methods to target users with sophisticated digital attacks. As soon as innovative new ways of engaging with users are developed, cyber criminals aren't far behind with a method for exploiting these innovations, particularly when there's money to be made. Now, as push notification ads grow in popularity, a new threat to user security that capitalises on the push notification flow itself has arrived: push lockers.

Upon identifying these push notification specific lockers, between February and March AdSecure saw a 563% increase in the detection of browser locker attacks, and at the time of writing this article, we have protected our partners from more than 20 unique push lockers in under 24 hours.

What is a push notification ad?

Push notification ads are simple clickable messages, accompanied by a small image, that are delivered to desktop browsers or mobile devices, but only once a user has consented to receiving them. This is a key point, as the users have agreed to see the ads, leaving the perception that they are less intrusive than traditional formats, and develop a higher level of engagement from the user.

Push notifications work by displaying an initial permission request — managed by the browser —  when a user is visiting a site for the first time. Once the user agrees to receive these push notifications, they will receive them based on the frequency set out by the publisher. Should a user opt not to see push notifications, the browser logs this choice as well, and they won't be asked to subscribe to them again.

What is a push locker?

The push notification format, while relatively new, is growing in popularity within the online marketplace for all the reasons mentioned previously: users have to opt-in to see them at all, and with that consent comes a higher rate of engagement. Brands using push notifications are seeing increased click through rates, and just as marketers are seeing the clear benefits the format provides, cyber criminals are becoming wise to the potential for driving malicious campaigns straight to users screens. What has developed out of these sinister intentions is a new form of browser locker specifically designed around the natural behaviour of a push ad.

How do push lockers work?

When you make the choice to opt-in, or out, of receiving push notifications on a particular site, the browser manages the request and saves the choice. However, it's the way the browser saves this choice — either by domain, or subdomain — that can expose the user to trouble. What happens if you opt out, but the website redirects you automatically to another subdomain? Can you guess what's coming? This allows the user to be prompted again to accept the push notification. So naturally, you decline this new request, and then you're sent to yet another subdomain and asked again, and again, and again. Suddenly you are trapped in an endless looping push notification nightmare, and escape can only be had by giving in and "consenting" to receive the push notification.

Incredibly annoying, right? But this is tame compared to what other push lockers are capable of.

What type of push lockers has AdSecure encountered?

Since first discovering this new form of attack, our development team went on the hunt, uncovering various types of push lockers. In one particularly sophisticated case, users clicking somewhere on the page other than the buttons to allow or block the push would cause the browser to switch to full screen mode, preventing the user from doing anything else until they accepted the push notification, which in turn leads them to a scam offer, or the forced download of malware, or similar security threat. In a separate case, we encountered a push locker that kept users locked on the consent page until they accepted the push, all the while quietly mining cryptocurrencies in the background. Those who opted in were then redirected to a new offer page which also launched the cryptocurrency miner, leaving the user with no safe option to take.

When this type of push locker is implemented on a mobile browser, the entire device is rendered useless for the owner, again until they are forced to consent. In all cases, the looping push notification locks the user into an action they absolutely do not want to take, and puts them at severe risk of exposure to exploit flaws or other security breaches.

What is the solution?

The relative speed at which push lockers have appeared on the scene has caught some ad verification providers off guard. They either weren't aware of the problem quickly enough, or they aren't using the modern technology needed to detect push lockers with any degree of consistency and precision.

Push lockers are sophisticated and pernicious, and in order to catch them early and often, the scanning technology being used needs to be based on the most modern browser technology available. This is one of the reasons AdSecure — with a crawler powered by Chrome — was the first ad verification provider to uncover these looping push notifications, and continues to be the only provider catching them at high frequency, and a strong level of precision.

As more publishers and ad platforms begin to work with the push notification ad format, push locker attacks will spread across the digital ads landscape. Make sure your partners are working with an ad verification provider that has the resources and the knowledge needed to track down push lockers and keep them from hurting digital users.

AdSecure empowers ad platforms & publishers to take back control of their ad quality by providing constant detection & notification for ad security, compliance, and quality issues within the digital ad supply chain.

To learn more about how AdSecure is driving a safer digital world for everyone, contact us today.

AdSecure adds the detection of the auto-redirect to it's arsenal

25 July 2018. AdSecure, the ad verification tool used by ad networks, ad operations teams and publishers, today announced that it has added the detection of the auto-redirect to it's arsenal. The auto-redirect is considered to be an annoying format and is also widely used by cybercriminals for distributing malicious advertising.

Once a user is exposed to an auto-redirects, the format takes over his browser redirects him to another website page, this all happens with no interaction by the user. One example of how auto-redirects are delivered to the user is through a malicious banner ad. Even if the banner is only displayed and the user has not clicked on the banner it will still redirect the visitor to another webpage. The banner usually contains a JavaScript and the redirected webpage is then used as a vehicle for some form of affiliate fraud or malware. Some auto-redirect scams go as far as hijacking the browser back button or even trapping the user with a pop-up notification to prevent him from returning to the original site he was viewing.

This intrusive technique affects desktop, mobile and tablet. Mobiles are particularly affected by auto-redirects on both Android and iOS.

AdSecure's Product Manager Mat Derval commented, "These malicious auto-redirect ads used to only affect junk websites, but recently auto-redirects have been placed on reputable websites including The New York Times amongst others. AdSecure's team and our technology has enabled us to quickly develop and get to market the software needed to detect this malicious ad format. Ad platforms and publishers that use AdSecure's all in one malware detection package benefit from keeping their users safe from being exposed to malicious ad formats."

If you would like to find out more about incorporating AdSecure into your business, please visit our contact page for more information.

For further press information contact:

press@adsecure.com

Malvertising and Ransomware

Six questions about ransomware and malvertising with AdSecure's Product Manager Mathieu Derval.

What role does phishing play in ransomware attacks?

Phishing is probably one of the most popular social engineering types of attack.  The objective is to trick someone into clicking on a link contained within a message that looks like it comes from a well-known/genuine company (often including a copycat logo) and then the user is tricked either stole sensitive information (login, password or other) through a fake online form which seems to be legit, or in other cases, download infected files that executes as soon as the user open it, encrypting their data and asking for a ransom.

From an ad verification solution point of view, phishing is indeed an important vector of ransomware spreading. Malvertising campaigns are crafted by cybercriminals to lure victims to click on ads or links in websites that will redirect them to other websites hosting exploit kits designed to use vulnerabilities in web browsers or plugins on the visitor's computers to install and execute ransomware.

How serious a threat is ransomware?

Apart from traditional spam distribution, ad networks and publishers may often act unwittingly as intermediaries, targeting thousands or even millions of potential victims. The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed upon them. A script hidden in an infected ad will run in the background and look for vulnerabilities on the user's computer so it can quietly download and execute a malicious application such as ransomware.

What are the best ways to prevent a ransomware attack?

– Do not open any emails from untrusted sources.

– Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.

– Keep your plugins updated and disable or uninstall the ones you don't frequently use, including java.

– Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.

– Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.

– When using your mobile, only installs apps from original app stores and try to run background checks before installing any suspicious apps.

– Ad platforms and publishers have to constantly monitor their ads thanks to ad verification tool, especially after the campaigns are live since attackers can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected an email notification is immediately sent to the ad platform/publisher giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.

How can an active ransomware attack be contained?

For the ad platforms, the challenge lies into being capable of detecting and identifying the malicious campaign while it is active (which usually varies between a few hours and a couple of days so that criminals can try to ensure that it remains undetected). For this reason ad platforms need to monitor and scan the offers running on their network continuously to be able to stop the propagation as soon as possible.

Does it ever make sense to pay a ransom?

This criminal business model has proven to be very lucrative given the vast and varied potential of victims. Law enforcement officials discourage victims from paying ransoms, there is no guarantee whatsoever that your files will be accessible again after you pay the ransom. Yet, many will come down to pay those ransoms in the hope of getting their files back. This decision should be the last resort, in case all other alternatives failed (no offline backup available to recover the encrypted files or no free decryption tool available). As long as individuals and organizations will continue to pay ransoms, we can't expect to see this criminal scheme to disappear.

How is ransomware likely to evolve over the next few years?

Even if during the last few months Crypto-Mining attacks have been center stage and that cybercriminals are increasingly embracing this new form of making money from the internet, Ransomware attacks will probably continue to increase and to evolve in the next years: the threat landscape will see more and more well organized and well-funded groups that will employ technical tools or software vulnerabilities, such as the exploit EternalBlue used with the Wannacry attack in may 2017, but also social engineering skills to access computer systems and network. At the same time, we can expect Ransomware-as-a-service to become more accessible cybercriminals will expand their target not only financial objectives, but also political and strategic interests, with intend to cause damages and not only extortion.

AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.

Malvertising campaign exploits users' browsers to Mine Cryptocurrencies

The popularity of mining cryptocurrency within the browser is on the rise. In the last few weeks we came across many cases of this new trend, which consists in using a piece of javascript code to mine different cryptocurrencies directly through the visitor's browser. Despite the perfomance drop of using this javascript mining approach you can bet that the attackers are able to generate substantial profits.

The JavaScript code is a modified version of MineCrunch, a notorious script which can be used to mine cryptocurrencies through the browser. MineCrunch was released back in 2014 and seems to be making a comeback. The crooks were mainly interested in Monero, Feathercoin and Litecoin, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware.

Rather than tricking users into downloading cryptocurrency mining malware, cybercriminals are buying traffic from ad networks and distributing malicious JavaScript instead of a traditional advertisement. This approach has a clear advantage as it is easier to reach a significant number of machines by "infecting" websites than it is by infecting user machines. Streaming and gaming websites have apparently been preferentially targeted, since end-users tend to spend more time on these sites and may be less likely to notice the increased activity on their computer resources, or will assume it's caused by the game or video itself as opposed to cryptocurrency mining activity.

This new kind of malvertising attack points out once again the need for ad platforms and publishers to use ad verification tool to protect their network, reputation and visitors safety. AdSecure now offers the detection of crypto-mining activity. Contact us to see how we can help safeguard your network or sites against malvertising.

What is Malvertising?

Malvertising explained

Malvertising, or malicious advertising, is the practice of using web advertisements to spread malware with little to no user interaction required. Cybercriminals use the same advertising strategies as legitimate ad companies, except that malvertisements will either try to download malware directly to visitors devices upon viewing, or send visitors to websites that distribute viruses, ransomware or other unwanted and malicious programs.

How malvertising works?

Rather than attempting to trick users into visiting a malicious website, attackers use the granular profiling functionality provided by ad networks to spread financial malware, data-stealing malware, ransomware and other cyber threats, or if applicable, ads that will trigger an automatic redirection to landing pages hosting exploit kits.

The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious related products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed there. A script obfuscated in an infected ad will run in the background and look for vulnerabilities on the user's computer so it can quietly download and execute a malicious application such as ransomware.

One of the most frustrating aspects is to figure out how easy it is for attackers to bypass ad platforms' safeguards either because of insufficient checks or more seriously because they can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected an email notification is immediately sent to the ad platform/publisher giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.

Who has this affected so far?

Unfortunately no publisher can be considered absolutely safe, you have probably heard of many cases recently, but here are a few examples of some of the most trusted websites online that have been affected: Forbes, MSN, Yahoo, The New York Times, BBC, Spotify… and the list continues to grow.

How do you protect yourself against malvertising?

Besides not clicking on questionable ads, here are some recommendations to help ensure you remain safe from threats distributed by malvertisements:

  • Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.
  • Keep your plugins updated and disable or uninstall the ones you don't frequently use, including java.
  • Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.
  • Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.
  • When using your mobile, only installs apps from original app stores and try to run background checks before installing any suspicious apps.