Threat actors love SSL
"Criminal responsibility in malvertising incidents is apparent," Taylor told The Register, "but this theoretical liability is something quite different from practically laying your hands on the criminal."
Jérôme Segura stated that, due to the increasing use of the transport layer security (TLS) or secure sockets layer (SSL) protocol and browser fingerprinting, criminal actors can be very difficult to track. Segura described SSL as "the perfect way to hide malicious ads" explaining that "SSL means only the domain name is visible, taking away the full ad call parameters."
Those parameters were vital to discovering the recent Casino malvertising campaign. A blog was posted last week detailing that campaign, which preyed on users visiting dodgy websites "offering anything from torrents of copyrighted movies, live streams of the latest flicks, or pirated software."
With the publishers hit by this campaign "likely to turn a blind eye on ‘advertising issues’," and the visitors to those sites "knowing they were consuming illegal content ... there was little reason for anybody to report any incident."
In fact, each of these malvertising attacks taken on its own does not stand out, but realizing that they were all connected gives us the bigger picture in how large of an operation this was.
The ad networks were almost all registered via Domains By Proxy LLC, meaning no information was available about the registrant but they were all through GoDaddy and on the same ASN: AS15169. This made us believe that they were actually all related to one another.
Details normally blocked by SSL allowed the researchers to recognise that these incidents were produced by a single malvertising campaign.
(Image: the same ad call with and without SSL. Images © Malwarebytes 2015.)
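To illustrate the correlation the researchers describe, here is an added Python example (not Malwarebytes' code) that links ad-serving hosts by their visible ad-call parameters where the traffic is plain HTTP and, for HTTPS hosts where only the domain name is visible, by shared registrant, registrar and ASN. Every host name, log line and lookup record is a constructed placeholder; AS15169, Domains By Proxy and GoDaddy are the only values taken from the article.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log: plain-HTTP entries keep the full ad-call URL, while
# HTTPS entries record only the host name, as an on-path observer would see.
LOG = [
    "http://ads-example-one.test/serve?cid=7781&pub=casino9&creative=bonus",
    "http://ads-example-two.test/serve?cid=7781&pub=slots4&creative=bonus",
    "https://ads-example-three.test",
    "https://ads-example-four.test",
    "https://unrelated-cdn.test",
]

# Constructed WHOIS/BGP lookup results (placeholders, not real records).
INFRA = {
    "ads-example-one.test": {"registrant": "Domains By Proxy LLC", "registrar": "GoDaddy", "asn": "AS15169"},
    "ads-example-two.test": {"registrant": "Domains By Proxy LLC", "registrar": "GoDaddy", "asn": "AS15169"},
    "ads-example-three.test": {"registrant": "Domains By Proxy LLC", "registrar": "GoDaddy", "asn": "AS15169"},
    "ads-example-four.test": {"registrant": "Domains By Proxy LLC", "registrar": "GoDaddy", "asn": "AS15169"},
    "unrelated-cdn.test": {"registrant": "Example Corp", "registrar": "Other Registrar", "asn": "AS64496"},
}

def visible_params(url):
    """Query parameters an on-path observer can read; None when TLS hides them."""
    parts = urlsplit(url)
    return None if parts.scheme == "https" else parse_qs(parts.query)

def correlate(log, infra):
    """Union-find over hosts: link on a shared ad-call id when it is visible,
    otherwise on shared registrant/registrar/ASN. Returns clusters of size > 1."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    seen = {}  # evidence key -> first host that carried it
    for url in log:
        host = urlsplit(url).hostname
        params = visible_params(url)
        keys = [("cid", params["cid"][0])] if params and "cid" in params else []
        if host in infra:
            keys.append(("infra",) + tuple(infra[host][f] for f in ("registrant", "registrar", "asn")))
        for key in keys:
            parent[find(host)] = find(seen.setdefault(key, host))
    groups = defaultdict(set)
    for h in parent:
        groups[find(h)].add(h)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Run as `correlate(LOG, INFRA)`: the two HTTP hosts are joined by the shared `cid`, and the two HTTPS hosts, whose parameters are hidden, join the same cluster only through the infrastructure match.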
A campaign hitting pornography sites earlier this year utilised SSL. It was only through correlating "similar patterns in the infrastructure, such as the use of free cloud-based platforms providing Secure Sockets Layer (SSL)" that the campaign was detected.
Segura noted that it has "observed the Microsoft Azure and RedHat cloud platforms and now are seeing IBM's Bluemix being leveraged by threat actors who enjoy the free HTTPS encryption that it provides them in the delivery of malicious code."
Yep, porno sites are MORE GAME about working with security professionals
The porno campaign attempted to evade detection through several checks "embedded within the ad to verify that the user is genuine and is running Internet Explorer." It used the XMLDOM vulnerability (CVE-2013-7331) "to fingerprint the victim's system for particular security software, virtualization (Virtual Machines) and the Fiddler web debugger."
These efforts ensure that only real users will get to see the exploit kit landing page therefore excluding honeypots and security researchers alike.
Segura noted that those checks "which used to be done at the exploit kit landing page level" were instead being effected "at the traffic redirection/malvertising stage most likely to avoid unnecessary attention and wasted traffic."
Where the difficulty of chasing down criminals rules out cutting off the attack vector at its head, so to speak, the threat malvertising poses to revenue has driven those companies with enough clout to protect that revenue to a standard of excellence, from a sector not known for its aversion to seediness.
"Many top adult sites (which have millions of visits) are actually less likely to be hit by malvertising than mainstream sites," Segura told us. "They are actually responsive and willing to work with us to tackle the problem."
[W]hen it comes to the big brands, we can understand why they take security seriously. Any website receiving hundreds of millions of visits faces some tough technological and security challenges.
So I think security is part of the overall infrastructure that is baked in to ensure the sites can handle the volume and give the best user experience. Things like load times are extremely important both from the actual video content but also the adverts themselves.
"The reason is simple," said Segura: "If the page takes too long to load or worse, if the ads are malicious, visitors will switch to a different adult site therefore taking ad revenue away from the current publisher."
"Malvertising hits all of our bottom line," Kleczynski told a room full of cybersecurity journalists during his recent tour of the UK and Ireland. Perhaps it is just as well that it does. ®