Hackers strike defense companies through real-time ad bidding (computerworld.com)
111 points by r0h1n on Oct 19, 2014 | 41 comments



Here's the whitepaper in question:

http://www.invincea.com/wp-content/uploads/2014/10/Micro-Tar...

> Most of the attacks featured here were not detected by standard Anti-Virus because the malware hashes constantly change.

> Web proxy blocking updates, even in real time, will not stop new malvertising landing pages that appear and disappear within minutes.

> Intelligence feeds from the premier intelligence providers, based on hostname, IP, URL or domain will not be able to block malicious malvertisers quickly enough.

> ... opting out merely places a blocking cookie in your browser. This means that ad providers will not target or retarget based on cookies. But as shown above, the new targeted advertising is via IP intelligence.

It seems like these are extremely difficult to mitigate without heuristic-based antivirus systems. And even if the bidding engines were to scrape them, malicious ad servers could simply serve benign content to all but the targeted IPs.

That said, it's very possible that patterns would emerge in this type of targeted advertising that could be marked as fraudulent using machine learning (for instance, if a brand new ad server were to suddenly start requesting IP targeting). I'm sure the talented people at the larger ad-exchange-software companies like AppNexus will figure something out - or they already have!


Actually, there are several ways to detect such attacks. I work in network security and incident response, and I immediately recognized the URLs in the infection chain from Figure 3 and Figure 20 in the whitepaper. They're using the Sweet Orange exploit kit, which has been around for a while and is not that hard to detect if you have any appliance screening HTTP requests and responses. Example URL patterns: http://malware-traffic-analysis.net/2014/10/06/index2.html

Also, despite Invincea's claims to the contrary, good intelligence feeds and in some cases just proxy domain categorization are often fast enough to catch these for most organizations, at least in cases where the attack isn't specifically targeted at a single organization. This is on top of multiple layers of defense that any decent company should have, many of which could catch numerous indicators (domain patterns, URI paths, JavaScript) tied to these exploit kits.

The bidder has to prop up and supply the exploit kits themselves, and most of the time it's Sweet Orange, Nuclear, Rig, or Angler. But these are all "commodity" exploit kits and aren't even remotely custom made like they have been in some APT attacks. APTs may also go the ad bidding route and provide their own handcrafted exploit kits, but they may not want to go through a middleman like this and set up a corporate front.

The only unnerving part is the ability to choose a specific target subnet. If the ad networks or second-tier middlemen of "spreaders" / "distributors" are promising clients exclusive access to a certain group of servers or even an entire ad network for a length of time, and if the client uses a specifically created new domain and maybe even a fresh IP, then that means no one may know about the compromised server/network until it's too late and several people from the targeted organization visit it.

I don't know for sure since Invincea did not investigate more into the human aspect of this, but I suspect for this to be profitable there's probably a lot of "overselling" going on, and the bidders interfacing with the ad networks themselves are serving multiple customers' campaigns (or their own campaigns) on the same servers and ad networks, which makes it more difficult to successfully pull off targeted drivebys or "watering holes" as they will get detected and evicted.

>I'm sure the talented people at the larger ad-exchange-software companies like AppNexus will figure something out - or they already have!

AppNexus has been a major offender here for a long time. They've had numerous incidents of malicious ads over the years. I know because I've seen them myself when investigating malware incidents (e.g. adnxs.com as the Referer in an exploit kit chain). You can also see adnxs.com in Figure 21 of the whitepaper. I certainly hope they start caring more about security and establish a more stringent ad review process.
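An added illustration of the chain reconstruction this comment describes, written for this thread rather than taken from the whitepaper or from any vendor's product: a small Python script that walks Referer headers backwards through proxy logs and flags a browser-plugin payload (Java archive, Flash, Silverlight) whose request chain passes through an ad-exchange host. The log lines, the ad-domain watchlist, the content types and every hostname (all under .example) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy log (not from the whitepaper). Space-separated fields:
# unix_ts client_ip method url referer(or "-") status content_type
SAMPLE_LOG = """\
1413700001 10.1.2.3 GET http://news.example/article/42 - 200 text/html
1413700002 10.1.2.3 GET http://ib.adnxs.example/ttj?id=123 http://news.example/article/42 200 text/html
1413700003 10.1.2.3 GET http://fresh-domain-xyz.example/index.php?q=abc http://ib.adnxs.example/ttj?id=123 200 text/html
1413700004 10.1.2.3 GET http://fresh-domain-xyz.example/load.php?f=1 http://fresh-domain-xyz.example/index.php?q=abc 200 application/java-archive
1413700010 10.1.2.4 GET http://news.example/article/42 - 200 text/html
1413700011 10.1.2.4 GET http://ib.adnxs.example/ttj?id=123 http://news.example/article/42 200 text/html
1413700012 10.1.2.4 GET http://cdn.brand.example/banner.jpg http://ib.adnxs.example/ttj?id=123 200 image/jpeg
"""

# Assumed watchlist of ad-exchange hosts that show up as Referers in ad-driven chains.
AD_DOMAINS = {"ib.adnxs.example", "ad.doubleclick.example"}

# Response types that plugin-targeting exploit kits of the era handed to the browser.
PAYLOAD_TYPES = {
    "application/java-archive",
    "application/x-shockwave-flash",
    "application/x-silverlight-app",
}


@dataclass
class LogEntry:
    ts: int
    client: str
    method: str
    url: str
    referer: Optional[str]
    status: int
    content_type: str


def parse_log(text: str) -> List[LogEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, status, ctype = line.split()
        entries.append(LogEntry(int(ts), client, method, url,
                                None if referer == "-" else referer,
                                int(status), ctype))
    return entries


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def walk_chain(index: Dict[Tuple[str, str], LogEntry], entry: LogEntry) -> List[str]:
    """Follow Referer headers backwards for the same client until a request with
    no known referrer is reached; returns the chain in forward (landing -> payload) order."""
    chain = [entry.url]
    seen = {entry.url}
    cur = entry
    while cur.referer and cur.referer not in seen:
        prev = index.get((cur.client, cur.referer))
        if prev is None or prev.ts > cur.ts:
            break
        seen.add(cur.referer)
        chain.append(prev.url)
        cur = prev
    return list(reversed(chain))


def find_malvertising_chains(entries: List[LogEntry],
                             ad_domains=AD_DOMAINS,
                             payload_types=PAYLOAD_TYPES) -> List[Tuple[str, List[str]]]:
    """Return (client, chain) for every successful plugin payload whose referrer
    chain passes through an ad-exchange host but is served from somewhere else."""
    # The earliest request per (client, url) resolves a Referer to the request that produced it.
    index: Dict[Tuple[str, str], LogEntry] = {}
    for e in entries:
        index.setdefault((e.client, e.url), e)
    hits = []
    for e in entries:
        if e.content_type not in payload_types or e.status != 200:
            continue
        chain = walk_chain(index, e)
        ad_hops = [u for u in chain if host_of(u) in ad_domains]
        if ad_hops and host_of(e.url) not in ad_domains:
            hits.append((e.client, chain))
    return hits


if __name__ == "__main__":
    for client, chain in find_malvertising_chains(parse_log(SAMPLE_LOG)):
        print(f"{client}: plugin payload reached through an ad exchange")
        for hop in chain:
            print("   ->", hop)
```

The second client in the sample fetches an ordinary image through the same ad slot and is not flagged; only a plugin-type response with an ad host somewhere in its ancestry is reported, which is the shape of chain a proxy appliance can match without needing the payload hash.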


Also, just a follow up: many organizations in my industry are actually completely blocking most major ad networks (including AppNexus and DoubleClick) at their proxies due to all the issues caused by malvertising. My organization is currently looking into it. Malvertising is a much more serious problem than people think, though I think this article and whitepaper are slightly FUD.


Seems a little short-sighted. I mean, shouldn't you be copying that traffic into something sandboxed to search for potentially new and interesting attacks?


There is also a webinar available: http://www.invincea.com/2014/10/webinar-targeted-malvertisin...

A recent HN discussion brought up the application virtualization tech Invincea offers, including some of its drawbacks:

https://news.ycombinator.com/item?id=8428453


Yes, centralized web content filters work better with these, as only centralized or aggregated requests can detect these patterns. Proxies where the request and response are analyzed in a proxy server work better. I think spyware or malware data might not be encrypted.


This is only a problem because ad-serving companies don't vet their customers. Make ad companies legally and financially responsible when they serve malware ads, and the free market will then stop the problem.

The bad actor here is DoubleClick, which is part of Google. Google is famously known for being squishy-soft on advertiser vetting. They had to pay $500,000,000 to the U.S. Department of Justice for knowingly hosting ads for steroids and other drugs. (The FBI caught Google in a sting operation. http://www.wired.com/2013/05/google-pharma-whitaker-sting/ "'I want to be the largest steroids dealer in the US,' Whitaker told the Google rep.")


The other problem is what little vetting the ad platforms do is easy to circumvent when they allow advertisers to host their own content. A few years ago the New York Times was serving out malware because they approved an ad and later the advertiser swapped it for an exploit.

http://bits.blogs.nytimes.com/2009/09/14/times-site-was-vict...


I love how they spin it to being the victim here.


> This is only a problem because ad-serving companies don't vet their customers. Make ad companies legally and financially responsible when they serve malware ads, and the free market will then stop the problem.

No. Then you will destroy those companies in the US and everyone will use foreign-run companies not so bound.


You think people in the US are going to switch from Google and Facebook to Baidu and Tencent?


Once your policy goes into effect and Google/Facebook either collapse or get out the ad network business entirely?

Yeah. I think that publishers will look abroad for networks who can pay out.


I think the parent comment's point was that site owners will switch to other ad networks if the other networks pay better rates due to the types of content they host that Googlebook won't.


And if that occurs, eventually Google and Facebook will wind up running someone else's ads. Because that will pay better.


I don't mean site owners paying for ads, I mean site owners displaying ads.


I seem to have missed the memo claiming poor old Google/Facebook are entirely reliant on malware ad business to stay barely afloat. Could you please point me to a believable source that says this.


I'm not claiming that, though that's what the MPAA believes.

Really, I think the costs and liabilities of what was proposed would do it all on their own. It would substantially increase costs for advertisers and decrease payouts for publishers. Once an ad network does that, it's going to start bleeding from both ends.

At which point some operation in who-knows-where can do better for everyone.


The point of the article should be that cyber criminals can now target a particular IP or range of IPs through ads by installing malware at "safe sites" that the target might browse. So anyone and everyone is at risk if there's someone after you.


Not only that, the criminals can show different content depending on the originating IP range, presenting harmless stuff to people not directly targeted.


Even better, they can bid based on the IP address range and only pay for the suckers they target. Why go to the trouble of making a harmless ad when you'll never need to show it?


Adsense and other networks have been used for this kind of thing for a long time. I consulted for a company a few years ago that was losing ~$100K/mo through a similar technique. They happened to use Adsense on their pages, and also had an affiliate program. Rogue affiliates would display an ad through Adsense targeted only to their site, and use a flash banner that surreptitiously loaded their affiliate cookie for the site onto the user's browser after they were already there. The site would then dutifully pay commission on all of these sales, even though the affiliate had nothing to do with getting the user there. I helped identify and plug this gaping hole in their profits.

Ad networks really need to take more responsibility to monitor both landing pages and the ads themselves more carefully. Enabling drive-by malware installs, affiliate fraud, and all other manner of schemes - even unwittingly - is bad for everyone involved.
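One server-side check against the mid-session cookie injection described in this comment, added here as an illustration (not code from the commenter's engagement or from any affiliate platform): commission is credited only when the session landed through a tracked affiliate link, and an affiliate cookie that first shows up on a later request is held for review instead of paid. The session data, the `aff` query parameter and the cookie name are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

AFF_PARAM = "aff"    # assumed query parameter on tracked affiliate links
AFF_COOKIE = "aff"   # assumed cookie the landing handler sets for such a link


@dataclass
class PageView:
    ts: int
    url: str
    cookies: Dict[str, str]   # cookies the browser *sent* with this request


def affiliate_in_url(url: str) -> Optional[str]:
    """Affiliate id carried by a tracked link, or None."""
    return parse_qs(urlsplit(url).query).get(AFF_PARAM, [None])[0]


def attribute_commission(views: List[PageView]) -> Tuple[Optional[str], str]:
    """Decide which affiliate (if any) earns commission for one session.

    Only an affiliate present on the landing request counts. A cookie that
    first appears on a later request was not set by our landing handler, so
    it was planted client-side (e.g. by a banner) after the user had arrived."""
    if not views:
        return None, "empty session"
    views = sorted(views, key=lambda v: v.ts)
    landing = views[0]
    landing_aff = affiliate_in_url(landing.url) or landing.cookies.get(AFF_COOKIE)
    later_affs = {v.cookies.get(AFF_COOKIE) for v in views[1:]} - {None}
    if landing_aff:
        if later_affs - {landing_aff}:
            return None, "affiliate cookie changed mid-session; hold for review"
        return landing_aff, "landed via tracked affiliate link"
    if later_affs:
        return None, "affiliate cookie appeared mid-session without affiliate landing; hold for review"
    return None, "no affiliate involved"


# Constructed sessions: one genuine referral, one cookie planted after arrival.
LEGIT_SESSION = [
    PageView(1, "https://shop.example/?aff=acme", {}),
    PageView(2, "https://shop.example/product/7", {"aff": "acme"}),
    PageView(3, "https://shop.example/checkout", {"aff": "acme"}),
]
INJECTED_SESSION = [
    PageView(1, "https://shop.example/", {}),                        # arrived directly
    PageView(2, "https://shop.example/product/7", {}),               # ad banner loads on this page
    PageView(3, "https://shop.example/checkout", {"aff": "rogue"}),  # cookie now present
]

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION), ("injected", INJECTED_SESSION)):
        print(name, attribute_commission(session))
```

The check relies on the site keeping its own record of how each session landed rather than trusting whatever cookie arrives with the order; a cookie planted in an earlier session would still need to be reconciled against the landing log of that earlier session, which is the same rule applied one step further back.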


Did that $100K/mth wipe out their entire monthly AdSense revenue? If you sell enough stuff that you can lose $100K/m in affiliate fees, it seems to me that display advertising revenue would be a drop in that bucket...


Wow, whoever would've thought that serving 3rd party JavaScript with no sandboxing or review or anything would be bad for browser security. I'm utterly shocked.


This doesn't rely on ad networks serving 3rd party JavaScript from advertisers. This is ad networks allowing advertisers to target ads down to the level that only those browsing from certain companies see them. It still relies on the user to actually click on those ads, at which point they're taken to a page under the attacker's control.


Flash malware can auto-redirect or do all sorts of other things if the IP address matches. Also don't forget, they can buy a small range but invoke the new behavior for an even smaller range. So sandboxing won't help either.


Programmatic media buying in an open exchange model is vulnerable to this kind of attack vector, and the number of malvertisers is growing day by day. The ad industry needs to be quicker at adopting the private marketplace model in order to mandate a bit more transparency between the buyer and seller.

The OP article was a bit alarmist with the hackers singling out defense contractors. I think the real intent of the hackers/malvertisers is this:

>Invincea recently saw a malvertiser win a bid and delivered a Java exploit. This exploit copied a fully functional version of Chrome into the Java cache directory, and that version of Chrome launched in the background and proceeded to visit websites and click on specific ad banners. It is presumed that these ad banners paid revenue via referral bonuses to the malvertiser. By paying 65 cents to install a background web browser that does nothing but click fraud, the malvertiser is able to reap hundreds if not thousands of dollars in advertising referral income. It is a pretty good return on investment, which in turn allows the malvertiser to fund his micro-targeted malvertising attack campaign.

Just like Email several years ago, there's just too much accessibility and money out there for spammers and malvertisers to not jump to Display.


It's amazing how open and exploitable ads on the internet remain, being one of the biggest sources of malware since the dawn of the WWW.

All of the major problems - spam, HTTP/HTTPS security, speed of protocols - have at least been met with myriad solutions. That we're still relying on Flash, JS and Silverlight, etc. for serving ads is nonsensical. Sandboxed iframes are a nice bandage, but they aren't a solution, particularly because they don't cover the most vulnerable anyway.

Someone has to be interested in creating a more secure standard that applies some quality standardization as well as security sandboxing.


Amazing that they are getting access to RTB platforms. As a small company we are trying to get access (for proper purposes). Any idea which RTB platform they are using, or any that are open to small companies?


Not so amazing. We have dozens of creeps sign up with us at Perfect Audience every day. It's a constant battle to block them out.


SiteScout was mentioned.


The solution is simple. Stop enabling Flash or JavaScript ads with real time bidding. I cannot imagine how to secure Flash ads because the Flash can invoke logic from outside the program.


I hope that any security conscious employer has the sense to mandate Adblock (the paranoid ones should prohibit recreational internet use, but that's going to piss people off).


And this is an example of what I am worried about. Our systems are mostly based on assumptions of inefficiency by an attacker or exploiter. With computers, these assumptions will no longer be correct. If this happens exponentially, it will subvert almost all society's systems and make us not trust anything.


> make us not trust anything.

It should make us not trust that which should not be trusted.

And that's a good thing.


How do you figure that is a good thing?

Most of the things we rely on today aren't foolproof. When it gets to the point that you wouldn't be able to trust your closest friends, you consider this situation better?


Trust is a statistical gamble.

You already cannot trust emails or text messages from your closest friends because they are easy to spoof. And it is better when everyone is aware of that, I think.

Whether you can (or cannot) trust your friend wasn't changed by technology, in my opinion. What you generally cannot trust is that info you confidentially told them was not eavesdropped. You never could, but statistically it was good enough. Now, statistically it isn't good enough, and therefore you shouldn't.


You think you can trust your friends until governments and corporations hack human motivations and leverage the trust for short term gains until the connections are subverted. It's one of those externalities that are still undertapped and we all know how much organizations look to exploit externalities.

Consider this: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf

and this: https://www.techdirt.com/articles/20140224/17054826340/new-s...

It's been done before with the KGB in the USSR, where your closest friend could also be a tattle-tale for the party, but that's just a tiny bit of what one could achieve with computers these days.


Please don't put words in my mouth. All I said is that recent events make no change in how much you can (or cannot) trust your friends, despite your original apocalyptic comment about all trust now being subverted.

Governments and corporations have always engaged in social engineering. Facebook has been extremely successful at getting everyone to spy on themselves and their friends since 2004. MySpace and Friendster were less successful and earlier. The only thing that is new is the rate and scale of success.


Right - I just meant that things could start accelerating exponentially and our systems may not be ready for that.


As if big publishers needed more reasons to sell premium inventory to trusted advertisers via direct channels (or at the very least private marketplaces).


Well, I guess one solution could be as simple as forcing employees to install/use NoScript...



