Malvertisers are boosting their Malware and Phishing scams

[Image: Malvertising and Phishing protection]

In Q4 of this year cybercriminals were making the news headlines. Angling Direct's domain, website and social media accounts were compromised by hackers, who redirected users to an adult website; electronics retailer MediaMarkt got hit by ransomware that demanded $240 million after the attack stopped its online shopping service in Belgium and the Netherlands. In Q3 AdSecure also saw some big spikes in user security violations as bad actors launched their summer attacks. Malware detections increased by 1285.19%, with the majority concentrated in July and August. Phishing detections also increased by 413.97%. Adware, Browser Locker and Scareware increased by 15.74%, 8.65% and 4.82% respectively, and in Q4 detections for these user security violations remain high. To demonstrate some tactics used by cybercriminals, here are two examples of malware and phishing campaigns, both recently detected and stopped by AdSecure:

#1 Malware attack in Turkey

Cybercriminals used Discord's Content Delivery Network to host malicious payloads. Discord is a popular VoIP, instant messaging and digital distribution platform used by approximately 140 million people.

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord's Content Delivery Network (CDN) servers. 

However, many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by bad actors who create channels with the sole purpose of delivering these malicious files.

Malvertisers use infected campaigns to target online gamers, luring them into downloading fake versions of popular online games that actually contain malware. The image below is the landing page of one of these malware campaigns, detected by AdSecure on 3 November 2021. As you can see, the text is in English; only the month November (Karim) is in Turkish. Note also that "egyptian gamers" is misspelt.

[Image: Malware and Phishing protection]

This campaign triggered an APK file that downloaded automatically to the user's desktop or mobile device. When we checked the auto-downloaded file, we discovered that it was flagged as a Trojan/Malware by 15 security vendors.

[Image: Malware and Phishing protection]

The files are often renamed as gaming software or Google Play Store games to trick end users, and the file stored on Discord's CDN used a link in the following format: https://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown)

How did AdSecure detect the malware?

AdSecure’s Ad Discovery tool works by first detecting and then analysing every ad it encounters on web or mobile site pages, engaging with the ads as a user would: it performs analysis on the main site page and clicks on each ad — be it a banner, native, popup, popunder, etc. — to detect any malicious activity a user might encounter in the redirection paths of the campaign and on any landing page the end user could be sent to. Once the violation was detected, AdSecure notified the client in real time so the client's compliance team could identify the campaign and ban the fraudulent advertiser from their ad network, preventing the bad actor from infecting more end users.
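As an added example (not AdSecure's code or the tool described above), here is a small Python check that walks the hops of a recorded ad redirection path and flags the pattern seen in this campaign: a hop on Discord's CDN whose attachment path ends in an executable such as an .apk, or a response that forces a download of executable content. The ad network and landing hostnames, the channel and attachment IDs and the file name in the sample chain are constructed; the hop headers are assumed to have been captured by whatever crawler followed the click.

```python
import os
import re
from urllib.parse import urlparse

# Discord CDN attachment path: /attachments/{ChannelID}/{AttachmentID}/{filename}
# (Discord snowflake IDs are 17-20 digit numbers).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com"}
DISCORD_ATTACHMENT = re.compile(r"^/attachments/(\d{17,20})/(\d{17,20})/([^/?#]+)$")

# Extensions and MIME types that should never be the end of an ad click.
EXECUTABLE_EXT = {".apk", ".exe", ".msi", ".scr", ".bat", ".jar", ".js", ".vbs"}
EXECUTABLE_MIME = {
    "application/vnd.android.package-archive",  # Android APK
    "application/x-msdownload", "application/x-dosexec", "application/octet-stream",
}


def refang(url):
    """Turn defanged notation (cdn.discordapp[.]com, hxxps://) back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def classify_hop(url, status, headers):
    """Return the findings for one hop of a redirection path; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(refang(url))
    hdrs = {k.lower(): v for k, v in headers.items()}
    ext = os.path.splitext(parsed.path)[1].lower()

    if parsed.hostname in DISCORD_CDN_HOSTS:
        match = DISCORD_ATTACHMENT.match(parsed.path)
        if match and ext in EXECUTABLE_EXT:
            channel_id, attachment_id, filename = match.groups()
            findings.append(f"discord_cdn_executable channel={channel_id} "
                            f"attachment={attachment_id} file={filename}")

    if hdrs.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("forced_download")
    content_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if content_type in EXECUTABLE_MIME:
        findings.append(f"executable_content_type {content_type}")
    return findings


def analyse_chain(chain):
    """Map hop index -> findings for every hop of a (url, status, headers) chain that raised one."""
    return {i: f for i, (url, status, headers) in enumerate(chain)
            if (f := classify_hop(url, status, headers))}


# Constructed click path: ad network -> landing page -> auto-download from Discord's CDN.
SAMPLE_CHAIN = [
    ("https://ads.example-network.test/click?cid=42", 302,
     {"Location": "https://promo.example-landing.test/free-game"}),
    ("https://promo.example-landing.test/free-game", 200, {"Content-Type": "text/html"}),
    ("https://cdn.discordapp[.]com/attachments/111111111111111111/222222222222222222/Free_Game_Installer.apk",
     200, {"Content-Type": "application/vnd.android.package-archive",
           "Content-Disposition": "attachment; filename=Free_Game_Installer.apk"}),
]

if __name__ == "__main__":
    for hop, findings in analyse_chain(SAMPLE_CHAIN).items():
        print(f"hop {hop}: {', '.join(findings)}")
```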

#2 Phishing scams using fake Lucky Draws

Phishing is often considered the easiest route to financial gain for cybercriminals. One method is through fake lucky draws that impersonate well-known social media platforms. As an example, AdSecure detected the following scam on an entertainment website in the United Arab Emirates in September. The ad showed up as a popunder.

[Image: Malware and Phishing protection]

The scammers used the WhatsApp logo and fake likes and comments on this landing page to fool end users into believing the lucky draw was legitimate. However, once the user spun the wheel to win a prize, they were asked to hand over their personal information and credit card details to receive it. The victims only realised that they had been scammed after being informed by their banks about unauthorised transactions. The scammers also changed the URL 2 days later to promote an adult dating offer; the landing page showed pornographic images, which is illegal in the United Arab Emirates.

How did AdSecure detect the phishing scam?

The client used AdSecure's API integration, giving them a full malvertising and ad quality control system including the detection of adult content. Once the violation was detected, the API integration allowed the client to reject, suspend or further monitor the ads, redirection paths and landing pages in real time, giving the client full control over their ad supply chain. AdSecure’s Ad Classification tool enabled the client to detect that the malicious URL was displaying adult content, so it could be removed quickly from their ad supply chain; without that, it could have caused the website severe legal problems in its country, as well as potentially for end users who viewed the pornographic landing page.

Conclusion

Cybercriminals use increasingly sophisticated methods to lure unsuspecting end users into parting with personal and financial information via malware, phishing and other user security violations. With the ever increasing time that internet users spend online on a range of different devices, it is more important than ever to defend and protect end users against malvertisers. Publishers and ad networks have a duty to serve clean advertising and keep their end users safe. That is why it is essential that publishers and ad networks have a 360 degree ad security and ad quality solution like AdSecure as their first line of defense against cybercriminals.


AdSecure releases first security violations report for Q1 2019

AdSecure, the innovative digital security company that works with ad platforms and publishers to ensure a secure engaging online advertising experience for users, has released their security violations report for Q1 2019. AdSecure’s always online solution uses a crawler built around modern browser technology, analysing ad creatives to detect malicious threats, non-compliance and ad quality issues in real-time.

For this report AdSecure analysed more than 200,000 ad campaigns across multiple regions, devices, and browsers for our partners between 1st January to 31st March. These findings provide insights into cyber-criminal behaviour during Q1: Where they were most prolific, how they delivered their attacks, their malicious weapons of choice, and what AdSecure’s detections revealed in order to stop and protect end users from malicious ads.

Top 10 GEOs with security violations

The percentages represent each country's share of the total across these top 10 GEOs. They are generally considered tier 1 countries, with the occasional exception of Argentina. AdSecure’s product manager Mat Derval commented, “Affluent populations are prime targets for cyber criminals. These richer populations are more likely to buy fake security or fake repair software when being redirected to tech support scams as well as being targeted by malware distribution attacks such as the Emotet banking trojan.”

Top 5 GEOs violation breakdown

Drilling down further into the data, AdSecure performed a detailed analysis of the top 5 in order to rank the percentage of detected violations targeted at each country. Browser locker was by far the biggest violation by volume, the only exception being Canada, where it came second to Malware attacks at 50%. Around a quarter of violations were Malware attacks in the USA and Belgium, and Scareware was the second most detected violation in France, Argentina, and the USA.

Browser lockers - the biggest current threat

With the prevalence of Browser locker detections in 8 out of the top 10 GEOs, AdSecure looked globally at which browsers cyber criminals used to target their Browser locker activity on desktop and mobile.

With 70% of detections coming from Google Chrome, Mat Derval commented, “To a cybercriminal it is all about volume and Google Chrome is indisputably the most popular browser. The criminal doesn’t know how long he can get away with the attacks, therefore the life cycle of the attack could be short, so by targeting the world’s biggest browser he can maximise the revenue of the malicious campaign by exposing it to as many end users as possible.”

In conclusion Mat Derval explained, “The biggest threat in Q1 2019 was clearly Browser lockers, including Push lockers, a new variation on this threat, distributed by bad actors who exploit a flaw in the push notifications opt-in process. AdSecure was able to detect a massive amount of those attacks because our crawler is powered by modern browser technology, which is crucial in order to catch the latest versions or mutations of threats. We detected this new trend at the end of Q4 2018, and we were able to release a major update to our crawler at the beginning of Q1 2019 to protect our clients and partners.”

The key takeaways: using data to fight cyber-crime effectively

  • Follow the money; threat actors certainly do. Much like criminals flock toward the high spending we see within the programmatic and mobile ad marketplaces, targeting affluent nations where digital marketing budgets flow at an astounding pace (digital ad revenues surpassed $100 billion in the US in 2018) is a no-brainer for a fraudster looking to make the most of an attack. Frequent, diligent scanning and analysis of your campaigns running within these affluent regions will go a long way toward eliminating the most dangerous threats lurking within your ad inventory.
  • Everyone loves Google Chrome, including malvertisers. With Chrome being the dominant browser, the likelihood of an attack targeting Chrome users increases dramatically. When looking at how best to distribute the monitoring resources at your disposal, focusing on campaigns frequently viewed on Chrome is a great practice for mitigating attacks.
  • Modern threats require a modern solution. AdSecure was the first provider to identify the push locker mutation of the browser locker attack thanks to the modern tech powering our crawler. Working with modern solutions is key to uncovering every new threat before it can infect your ad delivery.
  • Analyse your campaigns, a lot. Attacks can infect the redirection path at any time during an active campaign's lifecycle, meaning that a creative you scanned right at launch can go from clean to dirty several days later. The best way to stay one step ahead is to scan creatives for threats regularly, using a comprehensive approach that keeps threats out pre-flight and once your campaign is up in the air.

Going Forward

This security violations report is the first of what will be an ongoing, quarterly analysis on the always evolving world of digital risk. In future we will compare current quarterly data with past reports to take a look at how digital ad attacks change over time, where improvements can be found Q on Q, and what new threats are rising in popularity. We look forward to providing both our partners, and all stakeholders within the digital advertising ecosystem, with insights that will help them build a safer digital world. For everyone.


About AdSecure

AdSecure provides constant detection and notification of security, compliance & quality issues within the digital ad supply chain.


The increasing threat of cryptocurrency miners [Part 1]

Cryptojacking, the practice of exploiting a computer’s processing power to mine cryptocurrencies without the owner’s consent or knowledge, appears to be the new Eldorado for cybercriminals after its popularity exploded last autumn.

The idea of in-browser mining started in the early days of Bitcoin, in May 2011 to be precise, when an innovative service known as BitcoinPlus.com was launched. At that time mining Bitcoin was still cheap and easy. That service's integration was very similar to Coinhive's, currently the most popular library since its launch in September 2017: it consisted of a piece of JavaScript code that site owners would embed into their pages to make visitors mine for them, in exchange for a small percentage fee for using the service. As Bitcoin became more and more popular worldwide, it became harder and harder to mine cryptocurrencies on home-grade hardware. With the arrival and democratization of ASIC chips in 2013, the era when you could mine Bitcoin on personal computers came to an end. Yet with the introduction of alternative coins like Monero in 2014 (which purportedly offers increased privacy by obfuscating the participants in a transaction, as well as the amounts), the idea of mining on regular laptops and desktop computers was revived.

Fast forward to 2017 and the cryptocurrency industry had changed drastically: more than 1,000 altcoins were available, the total market capitalization had skyrocketed to more than $150 billion, and the revival of in-browser mining through services like Coinhive, JSEcoin, Cryptoloot and similar copycats certainly provoked cybercriminal interest.

From the original idea of providing webmasters with a monetization alternative to regular display ads, to the usage we see today, in this post we review a few examples of deceitful and malicious implementations uncovered during the last few months:

Coinhive & co:

As mentioned above, one of the most popular tools among cryptojackers is a JavaScript library called Coinhive, which starts mining the cryptocurrency Monero once a web page has loaded. Many websites, The Pirate Bay for example, quickly incorporated it to generate additional revenue, but without asking users’ permission. In December, AdGuard released a study where they exposed four of the most popular streaming and video-conversion websites (Openload, Streamango.com, Rapidvideo.com, OnlineVideoConverter.com). According to SimilarWeb, these four sites register 992 million visits monthly, which could generate monthly earnings of more than $320,000, all without user consent or awareness.

Soon enough, hackers found ways to inject such scripts into high-traffic websites like Showtime, the LA Times, PolitiFact and even YouTube (by hijacking advertisements on the DoubleClick platform) and started mining cryptocurrencies for themselves without the publishers’ or users’ knowledge or consent. Publishers were not the only ones getting hacked: at the end of October, an unknown hacker managed to hijack Coinhive’s Cloudflare account, which allowed him to modify its DNS servers and replace Coinhive’s official JavaScript code, embedded in thousands of websites, with a malicious version.

WordPress:

It comes as no surprise that WordPress websites are among the platforms falling victim to cryptojacking. According to security researcher Troy Mursch of Bad Packets Report, around 30,000 WordPress sites were infected with cryptomining scripts in November 2017, and that number has grown steadily to more than 50,000 in March 2018. The figure includes WordPress websites where mining scripts run quietly in the background: for some the integration was done by the publisher himself, while the rest are either compromised or have been hijacked by plugins, such as “Animated Weather Widget by weatherfor.us”, that sneakily inject a mining script to make money by hijacking users’ computer resources, and this, needless to say, without the publishers’ knowledge.

Browser extensions:

Cryptojacking is not limited to websites; browser extensions have also been caught mining cryptocurrency on thousands of computers. For example “Archive Poster”, a browser extension designed to help Tumblr users perform various tasks, remained on the Chrome Web Store for days while silently cryptojacking an unknown portion of its 100,000+ users. After multiple user reports, followed by media coverage of the issue, the extension was removed.

Public Wi-Fi:

In another example, which took place in December at a Buenos Aires Starbucks, a customer using the public Wi-Fi discovered that someone had manipulated the Wi-Fi system, delaying the connection in order to mine Monero with shoppers’ devices. CoffeeMiner uses a man-in-the-middle (MITM) attack to hijack users connecting to Wi-Fi hotspots and injects mining code into all HTML pages requested by those users.
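Whether a miner was embedded by the site owner, injected through a compromised plugin, or inserted into HTML in transit as CoffeeMiner does, the page the browser receives ends up with a loader script and a call that starts the miner. The following Python scanner, added here as an example and not AdSecure's crawler code, flags both in a captured HTML document. The sample page, its site key and the ad host are constructed; the miner host list and the CoinHive/CRLT API names follow the public Coinhive, JSEcoin and Crypto-Loot script conventions of the time and are assumed rather than taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts serving the in-browser miner loaders named in the post (assumed starting list; extend as needed).
MINER_SCRIPT_HOSTS = ("coinhive.com", "authedmine.com", "jsecoin.com", "crypto-loot.com")
# Inline patterns: the Coinhive loader file name and the miner constructors of Coinhive (CoinHive.*)
# and Crypto-Loot (CRLT.*).
MINER_API_CALLS = re.compile(r"coinhive\.min\.js|\b(?:CoinHive|CRLT)\.(?:Anonymous|User)\s*\(",
                             re.IGNORECASE)


def _host_matches(host):
    return any(host == h or host.endswith("." + h) for h in MINER_SCRIPT_HOSTS)


class MinerScanner(HTMLParser):
    """Collects (finding, evidence) pairs for external miner loaders and inline miner start-up code."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if _host_matches(host):
            self.findings.append(("external_miner_loader", src))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text, so inline miner start-up code is visible.
        if self._in_script and MINER_API_CALLS.search(data):
            self.findings.append(("inline_miner_code", " ".join(data.split())[:80]))


def scan_html(html):
    """Return the list of miner findings for one HTML document (empty when nothing was found)."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a streaming site that loads Coinhive and starts an anonymous miner for a site key.
SAMPLE_PAGE = """<html><head><title>Free streaming</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY', {throttle: 0.3});
  miner.start();
</script></head>
<body><p>Loading your video...</p>
<script src="https://cdn.example-ads.test/banner.js"></script></body></html>"""

if __name__ == "__main__":
    for finding, evidence in scan_html(SAMPLE_PAGE):
        print(finding, "->", evidence)
```

Run against the HTML a crawler actually received (rather than the publisher's intended source), the same scan also catches a loader injected on the wire by a hostile hotspot.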

In the second part of this blog post we’ll cover some more cases describing how cryptojacking has quickly become a favourite revenue stream for cybercriminals.

AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.

Don’t let your users be held to ransom by ransomware.

Ransomware targets businesses, government institutions, public services such as hospitals and council offices and, of course, people at home. Home computers are perhaps the easiest way for cyber-criminals to carry out attacks, as your average Joe doesn’t have a cyber-security department protecting him like businesses and organisations do. Many individuals at home think that an antivirus programme will protect them. This is simply not the case. As we have mentioned in previous blog posts, cyber-criminals sometimes distribute malware via online ads and landing pages, so if you are an ad network or a publisher, we recommend that you protect your users with a product such as AdSecure. Not only will you be helping to keep ransomware at bay, you will also be protecting users from exposure to ransomware and keeping the valuable trust of clients and website visitors, because they will be protected from attack.

So let’s have a closer look at the history of ransomware, why ransomware creators and distributors find home users easy targets and what happens when a user is infected.

Ransomware history

The very first ransomware emerged way back in 1989. Named the AIDS Trojan, it spread via floppy disks and each victim was asked to send $189 ransom to a post office box in Panama. Of course nowadays ransomware is much more sophisticated and the growth of crypto-currencies has ensured ransomware is a much more attractive proposition to cyber criminals.

Types of ransomware

There are two types of ransomware. Locker ransomware locks the victim out of the operating system, which makes it impossible for them to access their desktop, apps and files. In this case the files are not encrypted, but the attackers ask for a ransom to unlock the infected computer. The second is encrypting ransomware, which uses advanced encryption algorithms: it blocks access to system files and then demands payment in exchange for a key that can decrypt the blocked content.

Home users are easy targets and here’s why…

  • They rarely make data backups, or don’t make them at all.
  • They don’t always keep their software up to date.
  • They think that it can’t happen to them.
  • They have little or no cyber security awareness/education, meaning that they can easily be persuaded to click on almost anything.
  • They are much less likely to purchase cyber security solutions, with most home users still relying on antivirus software; this can be ineffective because ransomware uses evasion techniques to go undetected by traditional antivirus software.
  • And of course the sheer volume of home internet users allows cyber-criminals to build up huge scale in order to exploit potential victims.

The infection – stage 1

What generally happens when a user unknowingly infects his computer from a malicious website or a link that he clicks on? The infection delivers a security exploit that creates a backdoor on the victim’s computer using vulnerable software on their system. Once the victim has unwittingly clicked on a link, or downloaded and opened an attachment, a downloader (payload) is placed on the affected PC. The downloader uses a list of domains or C&C servers controlled by cyber criminals to place the ransomware program on the system; the contacted C&C server responds by sending back the requested data. The infected PC can be turned into part of a botnet, so that the cyber criminals can grow their infrastructure and carry out future attacks, and the infection can spread to other PCs connected to the local network, causing further damage.

The infection – stage 2

It then uses unbreakable encryption, which means a victim cannot decrypt the files using the various decryption tools available from cyber security researchers. It can encrypt many different kinds of files on a victim’s PC, including photos, videos, documents, audio files, etc. It encrypts data stored in cloud accounts such as Google Drive and Dropbox that are synced to the PC, and it can also encrypt data on other computers connected to the local network. It scrambles file names, so the victim has no idea which data is affected; this is done to confuse and coerce victims into paying the ransom. It can also extract data from the infected PC, such as usernames, passwords and email addresses, which it then sends to the server controlled by the cyber criminals.

The infection – stage 3

It then displays an image or message telling the victim that their data has been encrypted and that they have to pay to get it back. It can also include geographical targeting, so that the ransom note is translated into the victim’s language, increasing the chances that the ransom will be paid. Payment is usually requested in Bitcoin, because crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies. Generally there is a set period in which to pay; missing the deadline means the ransom will increase, but it can also mean that the data will be destroyed and lost forever.
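Stage 2 leaves a recognisable trace on the endpoint: one process rewriting many user files of different types in a short time and renaming them to scrambled names, including files in synced cloud folders. The Python heuristic below, added here as an example rather than anything the post or AdSecure provides, runs over a constructed list of file events of the kind an endpoint agent would log and reports the process and the moment at which that pattern first appears. Process names, paths and thresholds are assumptions for illustration.

```python
import os
from collections import defaultdict

# File types a home user cares about; these are what stage 2 goes after.
USER_DATA_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".mp4", ".mp3", ".txt"}
WINDOW_SECONDS = 10.0   # look-back window per process
MIN_FILES = 5           # distinct user files touched in the window
MIN_EXT_KINDS = 3       # distinct file types touched (ransomware is not picky)
MIN_SCRAMBLED = 3       # renames that drop a known extension for an unrecognisable one


def _ext(path):
    return os.path.splitext(path)[1].lower()


def detect_mass_encryption(events):
    """events: (seconds, process, action, path, new_path) with action 'write' or 'rename'.
    Returns {process: details} for each process whose activity matched the stage 2 pattern."""
    by_process = defaultdict(list)
    for event in sorted(events, key=lambda e: e[0]):
        by_process[event[1]].append(event)

    alerts = {}
    for process, evs in by_process.items():
        for now, _, _, _, _ in evs:
            window = [e for e in evs if now - WINDOW_SECONDS <= e[0] <= now]
            touched, kinds, scrambled = set(), set(), 0
            for _, _, action, path, new_path in window:
                if _ext(path) not in USER_DATA_EXT:
                    continue                      # temp files, logs etc. are ignored
                touched.add(path.lower())
                kinds.add(_ext(path))
                if action == "rename" and new_path and _ext(new_path) not in USER_DATA_EXT:
                    scrambled += 1                # report.docx -> q7x2p9.kx3 style rename
            if len(touched) >= MIN_FILES and len(kinds) >= MIN_EXT_KINDS and scrambled >= MIN_SCRAMBLED:
                alerts[process] = {"at": now, "files": len(touched),
                                   "extensions": sorted(kinds), "scrambled_renames": scrambled}
                break                             # first moment the pattern is visible
    return alerts


# Constructed event log: normal activity plus an unknown "updater.exe" that rewrites and
# renames six files across Documents, Pictures, Videos and a synced Dropbox folder within three seconds.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", "C:/Users/joe/Documents/report.docx", None),
    (0.5, "explorer.exe", "rename", "C:/Users/joe/Pictures/cat.jpg", "C:/Users/joe/Pictures/cat_old.jpg"),
    (2.0, "updater.exe", "write", "C:/Users/joe/Documents/report.docx", None),
    (2.2, "updater.exe", "rename", "C:/Users/joe/Documents/report.docx", "C:/Users/joe/Documents/q7x2p9.kx3"),
    (2.5, "updater.exe", "write", "C:/Users/joe/Documents/budget.xlsx", None),
    (2.7, "updater.exe", "rename", "C:/Users/joe/Documents/budget.xlsx", "C:/Users/joe/Documents/m4v81z.kx3"),
    (3.0, "updater.exe", "write", "C:/Users/joe/Dropbox/contract.pdf", None),
    (3.2, "updater.exe", "rename", "C:/Users/joe/Dropbox/contract.pdf", "C:/Users/joe/Dropbox/t0p3ql.kx3"),
    (3.5, "updater.exe", "write", "C:/Users/joe/Pictures/cat_old.jpg", None),
    (3.7, "updater.exe", "rename", "C:/Users/joe/Pictures/cat_old.jpg", "C:/Users/joe/Pictures/8hd2xa.kx3"),
    (4.0, "updater.exe", "write", "C:/Users/joe/Videos/holiday.mp4", None),
    (4.2, "updater.exe", "rename", "C:/Users/joe/Videos/holiday.mp4", "C:/Users/joe/Videos/c9ke0r.kx3"),
    (4.5, "updater.exe", "write", "C:/Users/joe/Documents/notes.txt", None),
    (4.7, "updater.exe", "rename", "C:/Users/joe/Documents/notes.txt", "C:/Users/joe/Documents/z2wq7n.kx3"),
]

if __name__ == "__main__":
    for process, details in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(process, details)
```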

As you can see, this can be a shocking experience for your average Joe at home, and with 638 million ransomware attacks in 2016, it is inevitable that the number of ransomware attacks will only increase.

Ransomware news: Android app that allows hackers to create ransomware without any code

The days of needing the coding skills of an accomplished hacker to build malware are over, at least if news from Symantec is true. The antivirus and cybersecurity company recently reported the existence of a Trojan Development Kit (TDK) that allows anyone to create Android ransomware—no coding skills required.

This latest TDK can be found on hacking forums and even in social media advertisements in China. All the cyber criminal has to do is download the APK and install it, and they’re ready to build ransomware. The process itself is simple: just specify a ransom message, an unlock key, the ransomware’s app icon, mathematical operations to randomize the code, and an animation to be shown on the infected Android device.