Malvertisers are boosting their Malware and Phishing scams


In Q4 of this year cybercriminals were making the news headlines. Angling Direct's domain, website and social media accounts were compromised by hackers, redirecting users to an adult website; electronics retailer MediaMarkt got hit by ransomware that demanded $240 million after stopping its online shopping service in Belgium and the Netherlands. In Q3 AdSecure also saw some big spikes in user security violations as bad actors launched their summer attacks. Malware detections increased by 1285.19%, with the majority concentrated in July and August. Phishing detections also increased by 413.97%. Adware, Browser Locker and Scareware also increased by 15.74%, 8.65% and 4.82% respectively, and now, in Q4, detections for these user security violations are still high. To demonstrate some tactics used by cybercriminals, here are two examples of malware and phishing campaigns, both recently detected and stopped by AdSecure:

#1 Malware attack in Turkey

Cybercriminals used Discord's Content Delivery Network to host malicious payloads. Discord is a popular VoIP, instant messaging and digital distribution platform used by approximately 140 million people.

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

However, many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by bad actors who create channels with the sole purpose of delivering these malicious files.

Malvertisers use infected campaigns to target online gamers, luring them into downloading fake versions of popular online games that actually contain malware. The image below is the landing page of one of these malware campaigns detected by AdSecure on 3 November 2021. As you can see, the text is in English; only the month, November (Karim), is in Turkish. Additionally, note that egyptian gamers is spelt incorrectly.


This campaign triggered an APK file that downloaded automatically to the user's desktop or mobile device. When we checked the auto-downloaded file, we discovered that it was detected as Trojan/Malware by 15 security vendors.


The files are often renamed as gaming software or Google Play Store games to trick end users, and the file stored on Discord's CDN used a link in the following format: https://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}
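As an added example (not AdSecure's code), the link format above can be turned into a check that a scanner runs over every hop of a recorded redirect chain. The list of risky extensions, the function names and the sample chain are assumptions constructed for illustration; nothing here fetches a URL.

```python
from urllib.parse import urlsplit, unquote

# File types treated as installable/executable content. This list is an
# assumption of the example; the page itself only mentions an APK payload.
RISKY_EXTENSIONS = {"apk", "exe", "msi", "scr", "bat", "jar"}

CDN_HOST = "cdn.discordapp.com"


def refang(url):
    """Undo common defanging ([.] and hxxp) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def parse_discord_attachment(url):
    """Return details if url has the form
    https://cdn.discordapp.com/attachments/{ChannelID}/{AttachmentID}/{filename},
    otherwise None."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:
        return None
    # .hostname excludes userinfo and port, so lookalikes such as
    # "cdn.discordapp.com@other.example" or
    # "cdn.discordapp.com.other.example" do not match.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or host != CDN_HOST:
        return None
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 4 or segments[0] != "attachments":
        return None
    filename = unquote(segments[3])
    # Judge by the last extension, so "photo.jpg.apk" counts as apk.
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "channel_id": segments[1],
        "attachment_id": segments[2],
        "filename": filename,
        "extension": extension,
        "risky": extension in RISKY_EXTENSIONS,
    }


def scan_redirect_chain(chain):
    """Return one finding per hop that is a Discord CDN attachment link."""
    findings = []
    for hop, url in enumerate(chain):
        details = parse_discord_attachment(url)
        if details:
            findings.append({"hop": hop, **details})
    return findings


# Constructed redirect chain, as a crawler might record it after clicking an ad.
SAMPLE_CHAIN = [
    "https://ads.example/click?campaign=123",
    "https://free-games.example/landing",
    "hxxps://cdn.discordapp[.]com/attachments/1111/2222/Free%20Game.apk?ex=abc",
    "https://cdn.discordapp.com@files.example/attachments/1111/2222/a.apk",
]

if __name__ == "__main__":
    for finding in scan_redirect_chain(SAMPLE_CHAIN):
        print(finding)
```

Only the third hop is reported: the fourth uses the CDN name as URL userinfo, so its real host is a different server.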

How did AdSecure detect the malware?

AdSecure’s Ad Discovery tool works by first detecting and then analysing all ads it encounters on web or mobile site pages. It engages with the ads as a user would, performing analysis both on the main site page and by clicking on each ad (banner, native, popup, popunder, etc.) to detect any malicious activity a user might encounter in the redirection paths of the campaign and on any landing page end users could be sent to. Once the violation was detected, AdSecure notified the client in real time so the client's compliance teams could identify the campaign and ban the fraudulent advertiser from their ad network, preventing the bad actor from infecting more end users.

#2 Phishing scams using fake Lucky Draws

Phishing is often considered the easiest route to financial gain for cybercriminals. One method is through fake Lucky Draws from well-known social media platforms. As an example, AdSecure detected the following scam on an entertainment website in the United Arab Emirates in September. The ad showed up as a popunder.


The scammers used the WhatsApp logo and fake likes and comments on this landing page to fool end users into believing the lucky draw was legitimate. However, once the user spun the wheel to win a prize, they were asked to give away their personal information and credit card details to receive it. The victims only realized that they had been scammed after being informed by their banks about unauthorised transactions. The scammers also changed the URL 2 days later to promote an adult dating offer. The landing page showed pornographic images, which is illegal in the United Arab Emirates.

How did AdSecure detect the phishing scam?

The client used AdSecure's API integration, giving them a full malvertising and ad quality control system including the detection of adult content. Once the violation was detected, AdSecure's API integration allowed the client to reject, suspend or further monitor the ads, redirection paths and landing pages in real time, giving the client full control over their ad supply chain. AdSecure’s Ad Classification tool enabled the client to detect that the malicious URL was displaying adult content, so it could be quickly removed from their ad supply chain. Had it not been removed, it could have caused the website severe legal problems in their country, and potentially also for end users who viewed the pornographic landing page.

Conclusion

Cybercriminals use more sophisticated methods to lure unsuspecting end users into parting with personal and financial information via malware, phishing and other user security violations. With the ever-increasing time that internet users spend online on a range of different devices, it is more important than ever to defend and protect end users against malvertisers. Publishers and ad networks have a duty to serve clean advertising and keep their end users safe. That is why it is essential that publishers and ad networks have a 360-degree ad security and ad quality solution like AdSecure as their first line of defense against cybercriminals.

 

AdSecure releases first security violations report for Q1 2019

AdSecure, the innovative digital security company that works with ad platforms and publishers to ensure a secure, engaging online advertising experience for users, has released its security violations report for Q1 2019. AdSecure’s always-online solution uses a crawler built around modern browser technology, analysing ad creatives to detect malicious threats, non-compliance and ad quality issues in real time.

For this report AdSecure analysed more than 200,000 ad campaigns across multiple regions, devices, and browsers for our partners between 1st January and 31st March. These findings provide insights into cyber-criminal behaviour during Q1: where they were most prolific, how they delivered their attacks, their malicious weapons of choice, and what AdSecure’s detections revealed in order to stop malicious ads and protect end users from them.

Top 10 GEOs with security violations

The percentages represent the 100% total of these top 10 GEOs. They are generally considered to be part of the tier 1 countries group, with the occasional exception of Argentina. AdSecure’s product manager Mat Derval commented, “Affluent populations are prime targets for cyber criminals. These richer populations are more likely to buy fake security or fake repair software when being redirected to tech support scams as well as being targeted by malware distribution attacks such as the Emotet banking trojan.”

Top 5 GEOs violation breakdown

Drilling down further into the data, AdSecure performed a detailed analysis of the top 5 in order to rank the percentage of detected violations targeted at each country. We can see that Browser locker was by far the biggest violation from a volume perspective, with the only exception being Canada, where it came second to Malware attacks at 50%. Around a quarter of violations were Malware attacks in the USA & Belgium, and Scareware was the second most detected violation in France, Argentina, and the USA.

Browser lockers - the biggest current threat

With the prevalence of Browser locker detections in 8 out of the top 10 GEOs, AdSecure looked globally at which browsers cyber criminals used to target their Browser locker activity on desktop and mobile.

With 70% of detections coming from Google Chrome, Mat Derval commented, “To a cybercriminal it is all about volume and Google Chrome is indisputably the most popular browser. The criminal doesn’t know how long he can get away with the attacks, therefore the life cycle of the attack could be short, so by targeting the world’s biggest browser he can maximise the revenue of the malicious campaign by exposing it to as many end users as possible.”

In conclusion Mat Derval explained, “The biggest threat in Q1 2019 was clearly Browser lockers, including Push lockers, a new variation on this threat, distributed by bad actors who exploit a flaw in the push notifications opt-in process. AdSecure was able to detect a massive amount of those attacks because our crawler is powered by modern browser technology, which is crucial in order to catch the latest versions or mutations of threats. We detected this new trend at the end of Q4 2018, and we were able to release a major update to our crawler at the beginning of Q1 2019 to protect our clients and partners.”

The key takeaways: using data to fight cyber-crime effectively

  • Follow the money, threat actors certainly do. Much like criminals flock toward the high spending we see within the programmatic and mobile ad marketplaces, targeting affluent nations where digital marketing budgets flow at an astounding pace (digital ad revenues surpassed $100 Billion in the US in 2018) is a no-brainer for a fraudster looking to make the most of an attack. Frequent, diligent scanning and analysis of your campaigns running within these affluent regions will help to greatly eliminate the most dangerous threats lurking within your ad inventory.
  • Everyone loves Google Chrome, including malvertisers. With Chrome being the dominant browser, the likelihood of an attack targeting Chrome users increases dramatically. When looking at how best to distribute the monitoring resources at your disposal, focusing on campaigns frequently viewed on Chrome is a great practice for mitigating attacks.
  • Modern threats require a modern solution. AdSecure was the first provider to identify the push locker mutation of the browser locker attack thanks to the modern tech powering our crawler. Working with modern solutions is key to uncovering every new threat before it can infect your ad delivery.
  • Analyse your campaigns, a lot. Attacks can infect the redirection path at any time during an active campaign's lifecycle, meaning that a creative you scanned right at launch can go from clean to dirty several days after launch. The best way to stay one step ahead is to scan the creatives for threats regularly, using a comprehensive approach that aims to keep threats out pre-flight, and once your campaign is up in the air.

Going Forward

This security violations report is the first of what will be an ongoing, quarterly analysis on the always evolving world of digital risk. In future we will compare current quarterly data with past reports to take a look at how digital ad attacks change over time, where improvements can be found Q on Q, and what new threats are rising in popularity. We look forward to providing both our partners, and all stakeholders within the digital advertising ecosystem, with insights that will help them build a safer digital world. For everyone.

 

About AdSecure

AdSecure provides constant detection and notification of security, compliance & quality issues within the digital ad supply chain.

 

563% increase in browser locker detection uncovers a new digital threat: Push Lockers

It should come as no surprise to anyone involved in the digital advertising ecosystem that fraudsters are always looking for new methods to target users with sophisticated digital attacks. As soon as innovative new ways of engaging with users are developed, cyber criminals aren’t far behind with a method for exploiting these innovations, particularly when there’s money to be made. Now, as push notification ads grow in popularity, a new threat to user security that capitalises on the push notification flow itself has arrived: push lockers.

Upon identifying these push notification specific lockers, between February and March AdSecure saw a 563% increase in the detection of browser locker attacks, and at the time of writing this article, we have protected our partners from more than 20 unique push lockers in under 24 hours.

What is a push notification ad?

Push notification ads are simple clickable messages, accompanied by a small image, that are delivered to desktop browsers or mobile devices, but only once a user has consented to receiving them. This is a key point, as the users have agreed to see the ads, leaving the perception that they are less intrusive than traditional formats, and developing a higher level of engagement from the user.

Push notifications work by displaying an initial permission request — managed by the browser — when a user is visiting a site for the first time. Once the user agrees to receive these push notifications, they will receive them based on the frequency set out by the publisher. Should a user opt not to see push notifications, the browser logs this choice as well, and they won’t be asked to subscribe to them again.

What is a push locker?

The push notification format, while relatively new, is growing in popularity within the online marketplace for all the reasons mentioned previously: users have to opt in to see them at all, and with that consent comes a higher rate of engagement. Brands using push notifications are seeing increased click-through rates, and just as marketers are seeing the clear benefits the format provides, cyber criminals are becoming wise to the potential for driving malicious campaigns straight to users' screens. What has developed out of these sinister intentions is a new form of browser locker specifically designed around the natural behaviour of a push ad.

How do push lockers work?

When you make the choice to opt-in, or out, of receiving push notifications on a particular site, the browser manages the request and saves the choice. However, it’s the way the browser saves this choice — either by domain, or subdomain — that can expose the user to trouble. What happens if you opt out, but the website redirects you automatically to another subdomain? Can you guess what’s coming? This allows the user to be prompted again to accept the push notification. So naturally, you decline this new request, and then you’re sent to yet another subdomain and asked again, and again, and again. Suddenly you are trapped in an endless looping push notification nightmare, and escape can only be had by giving in and “consenting” to receive the push notification.

Incredibly annoying, right? But this is tame compared to what other push lockers are capable of.
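The subdomain loop described above leaves a recognisable trace in a crawl session: after a denial, the session is redirected with no user action to a sibling host of the same domain, which asks again. The following added example (not AdSecure's crawler code) detects that pattern; the event format, the threshold and both sample sessions are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def base_domain(host):
    """Naive registrable domain: the last two labels. This is a simplifying
    assumption; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_push_lockers(events, min_reprompts=2):
    """events: ordered (kind, url, user_initiated) tuples from one session.
    kind is "navigate", "prompt" (notification permission request shown)
    or "deny" (the request was blocked); user_initiated only matters for
    "navigate". Returns {base_domain: [hosts that asked again]}."""
    denied_hosts = {}   # base domain -> hosts where the prompt was denied
    auto_reached = {}   # host -> True if reached without any user action
    reprompts = {}      # base domain -> sibling hosts that asked again
    for kind, url, user_initiated in events:
        host = urlsplit(url).hostname or ""
        base = base_domain(host)
        if kind == "navigate":
            auto_reached[host] = not user_initiated
        elif kind == "deny":
            denied_hosts.setdefault(base, set()).add(host)
        elif kind == "prompt":
            earlier = denied_hosts.get(base, set())
            # Suspicious only when a *different* host of the same domain
            # asks after a denial and was reached by automatic redirect.
            if earlier and host not in earlier and auto_reached.get(host):
                reprompts.setdefault(base, []).append(host)
    return {b: h for b, h in reprompts.items() if len(h) >= min_reprompts}


# Constructed session: every denial is followed by an automatic redirect
# to a fresh subdomain that prompts again.
LOCKER_SESSION = [
    ("navigate", "https://www.push-sample.example/", True),
    ("prompt", "https://www.push-sample.example/", False),
    ("deny", "https://www.push-sample.example/", False),
    ("navigate", "https://a1.push-sample.example/", False),
    ("prompt", "https://a1.push-sample.example/", False),
    ("deny", "https://a1.push-sample.example/", False),
    ("navigate", "https://a2.push-sample.example/", False),
    ("prompt", "https://a2.push-sample.example/", False),
    ("deny", "https://a2.push-sample.example/", False),
    ("navigate", "https://a3.push-sample.example/", False),
    ("prompt", "https://a3.push-sample.example/", False),
]

# Constructed benign session: the user clicks through to a subdomain that
# happens to ask for notifications once.
BENIGN_SESSION = [
    ("navigate", "https://www.shop-sample.example/", True),
    ("prompt", "https://www.shop-sample.example/", False),
    ("deny", "https://www.shop-sample.example/", False),
    ("navigate", "https://blog.shop-sample.example/", True),
    ("prompt", "https://blog.shop-sample.example/", False),
]

if __name__ == "__main__":
    print(find_push_lockers(LOCKER_SESSION))
    print(find_push_lockers(BENIGN_SESSION))
```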

What type of push lockers has AdSecure encountered?

Since first discovering this new form of attack, our development team went on the hunt, uncovering various types of push lockers. In one particularly sophisticated case, users clicking somewhere on the page other than the buttons to allow or block the push would cause the browser to switch to full screen mode, preventing the user from doing anything else until they accepted the push notification, which in turn leads them to a scam offer, the forced download of malware, or a similar security threat. In a separate case, we encountered a push locker that kept users locked on the consent page until they accepted the push, all the while quietly mining cryptocurrencies in the background. Those who opted in were then redirected to a new offer page which also launched the cryptocurrency miner, leaving the user with no safe option to take.

When this type of push locker is implemented on a mobile browser, the entire device is rendered useless for the owner, again until they are forced to consent. In all cases, the looping push notification locks the user into an action they absolutely do not want to take, and puts them at severe risk of exposure to exploit flaws or other security breaches.

What is the solution?

The relative speed at which push lockers have appeared on the scene has caught some ad verification providers off guard. They either weren’t aware of the problem quickly enough, or they aren’t using the modern technology needed to detect push lockers with any degree of consistency and precision.

Push lockers are sophisticated and pernicious, and in order to catch them early and often, the scanning technology being used needs to be based on the most modern browser technology available. This is one of the reasons AdSecure — with a crawler powered by Chrome — was the first ad verification provider to uncover these looping push notifications, and continues to be the only provider catching them at high frequency, and a strong level of precision.

As more publishers and ad platforms begin to work with the push notification ad format, push locker attacks will spread across the digital ads landscape. Make sure your partners are working with an ad verification provider that has the resources and the knowledge needed to track down push lockers and keep them from hurting digital users.

AdSecure empowers ad platforms & publishers to take back control of their ad quality by providing constant detection & notification for ad security, compliance, and quality issues within the digital ad supply chain.

To learn more about how AdSecure is driving a safer digital world for everyone, contact us today.

AdSecure adds the detection of the auto-redirect to its arsenal

25 July 2018. AdSecure, the ad verification tool used by ad networks, ad operations teams and publishers, today announced that it has added the detection of the auto-redirect to its arsenal. The auto-redirect is considered to be an annoying format and is also widely used by cybercriminals for distributing malicious advertising.

Once a user is exposed to an auto-redirect, the format takes over his browser and redirects him to another website page; this all happens with no interaction by the user. One example of how auto-redirects are delivered to the user is through a malicious banner ad. Even if the banner is only displayed and the user has not clicked on it, it will still redirect the visitor to another webpage. The banner usually contains JavaScript, and the redirected webpage is then used as a vehicle for some form of affiliate fraud or malware. Some auto-redirect scams go as far as hijacking the browser back button or even trapping the user with a pop-up notification to prevent him from returning to the original site he was viewing.

This intrusive technique affects desktop, mobile and tablet. Mobiles are particularly affected by auto-redirects on both Android and iOS.

AdSecure’s Product Manager Mat Derval commented, “These malicious auto-redirect ads used to only affect junk websites, but recently auto-redirects have been placed on reputable websites including The New York Times amongst others. AdSecure’s team and our technology have enabled us to quickly develop and get to market the software needed to detect this malicious ad format. Ad platforms and publishers that use AdSecure’s all in one malware detection package benefit from keeping their users safe from being exposed to malicious ad formats.”

If you would like to find out more about incorporating AdSecure into your business, please visit our contact page for more information.

For further press information contact:

press@adsecure.com

Malvertising and Ransomware

Six questions about ransomware and malvertising with AdSecure’s Product Manager Mathieu Derval.

What role does phishing play in ransomware attacks?

Phishing is probably one of the most popular social engineering types of attack. The objective is to trick someone into clicking on a link contained within a message that looks like it comes from a well-known/genuine company (often including a copycat logo). Then either the user's sensitive information (login, password or other) is stolen through a fake online form which seems to be legit, or, in other cases, the user downloads infected files that execute as soon as the user opens them, encrypting their data and asking for a ransom.

From an ad verification solution point of view, phishing is indeed an important vector of ransomware spreading. Malvertising campaigns are crafted by cybercriminals to lure victims to click on ads or links in websites that will redirect them to other websites hosting exploit kits designed to use vulnerabilities in web browsers or plugins on the visitor’s computers to install and execute ransomware.

How serious a threat is ransomware?

Apart from traditional spam distribution, ad networks and publishers may often act unwittingly as intermediaries, targeting thousands or even millions of potential victims. The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed upon them. A script hidden in an infected ad will run in the background and look for vulnerabilities on the user’s computer so it can quietly download and execute a malicious application such as ransomware.

What are the best ways to prevent a ransomware attack?

– Do not open any emails from untrusted sources.

– Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.

– Keep your plugins updated and disable or uninstall the ones you don’t frequently use, including Java.

– Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.

– Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.

– When using your mobile, only install apps from original app stores and try to run background checks before installing any suspicious apps.

– Ad platforms and publishers have to constantly monitor their ads using an ad verification tool, especially after the campaigns are live, since attackers can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected, an email notification is immediately sent to the ad platform/publisher, giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.

How can an active ransomware attack be contained?

For the ad platforms, the challenge lies in being capable of detecting and identifying the malicious campaign while it is active (which usually varies between a few hours and a couple of days so that criminals can try to ensure that it remains undetected). For this reason ad platforms need to monitor and scan the offers running on their network continuously to be able to stop the propagation as soon as possible.

Does it ever make sense to pay a ransom?

This criminal business model has proven to be very lucrative given the vast and varied potential of victims. Law enforcement officials discourage victims from paying ransoms: there is no guarantee whatsoever that your files will be accessible again after you pay the ransom. Yet many will end up paying those ransoms in the hope of getting their files back. This decision should be the last resort, in case all other alternatives have failed (no offline backup available to recover the encrypted files or no free decryption tool available). As long as individuals and organizations continue to pay ransoms, we can’t expect this criminal scheme to disappear.

How is ransomware likely to evolve over the next few years?

Even if Crypto-Mining attacks have been center stage during the last few months and cybercriminals are increasingly embracing this new form of making money from the internet, Ransomware attacks will probably continue to increase and to evolve in the next years: the threat landscape will see more and more well-organized and well-funded groups that will employ technical tools or software vulnerabilities, such as the exploit EternalBlue used with the WannaCry attack in May 2017, but also social engineering skills to access computer systems and networks. At the same time, we can expect Ransomware-as-a-service to become more accessible, and cybercriminals will expand their targets to include not only financial objectives but also political and strategic interests, with intent to cause damage and not only extortion.

AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.

Malvertising campaign exploits users’ browsers to Mine Cryptocurrencies

The popularity of mining cryptocurrency within the browser is on the rise. In the last few weeks we came across many cases of this new trend, which consists of using a piece of JavaScript code to mine different cryptocurrencies directly through the visitor’s browser. Despite the performance drop of using this JavaScript mining approach, you can bet that the attackers are able to generate substantial profits.

The JavaScript code is a modified version of MineCrunch, a notorious script which can be used to mine cryptocurrencies through the browser. MineCrunch was released back in 2014 and seems to be making a comeback. The crooks were mainly interested in Monero, Feathercoin and Litecoin, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware.

Rather than tricking users into downloading cryptocurrency mining malware, cybercriminals are buying traffic from ad networks and distributing malicious JavaScript instead of a traditional advertisement. This approach has a clear advantage as it is easier to reach a significant number of machines by “infecting” websites than it is by infecting user machines. Streaming and gaming websites have apparently been preferentially targeted, since end-users tend to spend more time on these sites and may be less likely to notice the increased activity on their computer resources, or will assume it’s caused by the game or video itself as opposed to cryptocurrency mining activity.

This new kind of malvertising attack points out once again the need for ad platforms and publishers to use an ad verification tool to protect their network, reputation and visitors' safety. AdSecure now offers the detection of crypto-mining activity. Contact us to see how we can help safeguard your network or sites against malvertising.

Malvertising explained

Malvertising, or malicious advertising, is the practice of using web advertisements to spread malware with little to no user interaction required. Cybercriminals use the same advertising strategies as legitimate ad companies, except that malvertisements will either try to download malware directly to visitors' devices upon viewing, or send visitors to websites that distribute viruses, ransomware or other unwanted and malicious programs.

How does malvertising work?

Rather than attempting to trick users into visiting a malicious website, attackers use the granular profiling functionality provided by ad networks to spread financial malware, data-stealing malware, ransomware and other cyber threats, or if applicable, ads that will trigger an automatic redirection to landing pages hosting exploit kits.

The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed there. A script obfuscated in an infected ad will run in the background and look for vulnerabilities on the user’s computer so it can quietly download and execute a malicious application such as ransomware.

One of the most frustrating aspects is how easy it is for attackers to bypass ad platforms’ safeguards, either because of insufficient checks or, more seriously, because they can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected, an email notification is immediately sent to the ad platform/publisher, giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.
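Because the payload can be switched on after approval (the same point is made in the ransomware prevention list earlier on this page), a scan is only useful when compared against what was approved, per location and device. The following added example (not AdSecure's code) diffs redirect chains recorded at approval time against a later rescan; the record format, issue names and sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def hosts(chain):
    """Hostnames of each hop in a redirect chain, in order."""
    return [urlsplit(url).hostname or "" for url in chain]


def compare_scans(approved, rescan):
    """approved / rescan: {(geo, device): [url, ...]} redirect chains
    recorded at approval time and in a later scan of the same ad.
    Returns a sorted list of (geo, device, issue, host) findings."""
    findings = []
    for (geo, device), chain in rescan.items():
        if not chain:
            continue  # nothing was served to this profile in the rescan
        now = hosts(chain)
        baseline = approved.get((geo, device))
        if not baseline:
            # A profile never checked at approval cannot be vouched for.
            findings.append((geo, device, "no_baseline", now[-1]))
            continue
        before = hosts(baseline)
        if now[-1] != before[-1]:
            findings.append((geo, device, "landing_changed", now[-1]))
        for host in now[:-1]:
            if host not in before:
                findings.append((geo, device, "new_hop", host))
    return sorted(findings)


# Constructed data: the chain approved by the ad network, identical for
# both scan profiles.
CLEAN_CHAIN = [
    "https://ads.example/c/77",
    "https://tracker.example/r",
    "https://shop-sample.example/offer",
]
APPROVED = {
    ("US", "desktop"): CLEAN_CHAIN,
    ("TR", "android"): CLEAN_CHAIN,
}

# Constructed rescan a few days later: only the TR/android profile is sent
# through an extra hop to a different landing page.
RESCAN = {
    ("US", "desktop"): CLEAN_CHAIN,
    ("TR", "android"): [
        "https://ads.example/c/77",
        "https://tracker.example/r",
        "https://hop-sample.example/go",
        "https://download-sample.example/game",
    ],
}

if __name__ == "__main__":
    for finding in compare_scans(APPROVED, RESCAN):
        print(finding)
```

A rescan from the US desktop profile alone would report nothing here, which is why the comparison is keyed by location and device.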

Who has this affected so far?

Unfortunately, no publisher can be considered absolutely safe. You have probably heard of many cases recently, but here are a few examples of some of the most trusted websites online that have been affected: Forbes, MSN, Yahoo, The New York Times, BBC, Spotify… and the list continues to grow.

How do you protect yourself against malvertising?

Besides not clicking on questionable ads, here are some recommendations to help ensure you remain safe from threats distributed by malvertisements:

  • Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.
  • Keep your plugins updated and disable or uninstall the ones you don’t frequently use, including Java.
  • Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.
  • Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.
  • When using your mobile, only install apps from original app stores and try to run background checks before installing any suspicious apps.

Further reading:

For an in-depth explanation of malvertising and the tricks that cybercriminals use, visit our blog post What is Malvertising and how to stop it.