Malvertising Develops Advanced Fingerprinting to ID Victims

Malvertising continues to increase in prominence and sophistication. One of the newest techniques being used is fingerprinting, a way to check potential victims’ computers with snippets of code injected directly into the ad banner.

According to a Malwarebytes report entitled Operation Fingerprint, exploit kit authors are using advanced “fingerprinting” to preselect and pursue specific victims without any user interaction. The code can quickly rule out non-viable targets, such as honeypots set up by malware researchers or the systems of security companies performing ad validation checks.

The approach means exploit kit authors no longer have to wait for victims to arrive: they can actively chase targets while avoiding detection by researchers and anti-malware companies. And it’s cheap: it costs only 19 cents per 1000 impressions (CPM).

“Malware authors no longer need to send users to an exploit kit web landing page to begin to identify victims’ software and vulnerabilities,” the firm explained. “They come to the victims in disguise, appearing as a legitimate advertiser on popular websites to pre-qualify or fingerprint a user before sending them to the exploit kit.”

Malwarebytes found that overall, hundreds of URLs are being used in malicious fingerprinting redirections today, along with more than 100 fake advertiser domains and dozens of ad networks. About 42% of malvertising-related infections happened in the US in the last year.

The massive malvertising attack on adult site xHamster in April 2014 was one of the first seen using the technique; it redirected to an Angler EK landing page to perform fingerprint checks on the system. More recently, the DoubleClick Open Referer campaign shows a more advanced fingerprinting effort: it uses booby-trapped GIF images that hide code, with on-the-fly encoding. The fingerprinting code is now encoded with a special key, provided only once per IP address, and embedded in a JavaScript sequence. New fake advertiser domains are meanwhile created on a regular basis, many of them abusing CloudFlare or Let’s Encrypt and using proxies for domain registration.

“This represents the next step in malvertising attacks, where bogus advertisers are analyzing potential victims and either showing a benign ad or an ad laced with malicious code that ultimately redirects to an exploit kit,” Malwarebytes noted.
