Malicious advertising, also known as malvertising, has become the best method to distribute malware on a global scale with surgical precision. Simply put, malvertising is a means to expose innocent users visiting legitimate websites to malware via a rogue advert.
Leveraging the extensive user profiling available to advertisers, cybercriminals are able to target their victims like never before in attacks that are both cost effective and difficult to pinpoint.
One of the newest techniques being used is fingerprinting, a way to check potential victims’ computers with snippets of code injected directly into the ad banner. This code can quickly rule out non-viable targets, such as honeypots set up by malware researchers or security companies performing ad check validation. Fingerprinting joins a growing arsenal of tactics developed by cybercriminals to avoid discovery by security researchers.
This research provides a unique insight into malvertisers’ thought processes, showing how they remain one step ahead while the ad industry tries to avoid playing Whack-a-Mole.
- Hundreds of goo.gl URLs used in malicious redirections
- Over 100 fake advertiser domains
- Dozens of ad networks abused, including top ones
- Use of SSL to encrypt ad call URL and content
- Targeted towards genuine residential IP addresses only
- Booby-trapped GIF images hiding code with on-the-fly encoding
- Fake advertiser profiles and deceiving websites
- 42% of infections happened in the U.S.
- Cost: only 19 cents for each 1000 impressions (CPM)
This research is a result of the combined efforts of Malwarebytes and GeoEdge. We focused on attacks that took place throughout 2015 and led to the distribution of malware via the Angler exploit kit.