Malvertising continues to increase in prominence and sophistication. One of the newest techniques being used is fingerprinting, a way to check potential victims’ computers with snippets of code injected directly into the ad banner.
According to a Malwarebytes report entitled Operation Fingerprint, exploit kit authors are using advanced “fingerprinting” to preselect and pursue specific victims without any user interaction. The code can quickly rule out non-viable targets, such as honeypots set up by malware researchers to detect malware, or security companies performing ad check validation.
With this approach, exploit kit authors no longer have to wait for victims to arrive; they can actively pursue targets while avoiding detection by researchers and anti-malware companies. And it’s cheap: it costs only 19 cents per 1000 impressions (CPM).
“Malware authors no longer need to send users to an exploit kit web landing page to begin to identify victims’ software and vulnerabilities,” the firm explained. “They come to the victims in disguise, appearing as a legitimate advertiser on popular websites to pre-qualify or fingerprint a user before sending them to the exploit kit.”
Malwarebytes found that overall, hundreds of goo.gl URLs are being used in malicious fingerprinting redirections today, along with more than 100 fake advertiser domains and dozens of ad networks. About 42% of malvertising-related infections happened in the US in the last year.
“This represents the next step in malvertising attacks, where bogus advertisers are analyzing potential victims and either showing a benign ad or an ad laced with malicious code that ultimately redirects to an exploit kit,” Malwarebytes noted.