Uncovering Micro-Targeted Malvertising Against US Defense Industrial Base WEBINAR OCTOBER 16, 2014 PATRICK BELCHER, DIRECTOR OF SECURITY ANALYTICS, INVINCEA, INC.

Upload: invincea-inc

Post on 20-Aug-2015



Patrick Belcher, CISSP, CISM


• Analysis Team manager at Riptech, absorbed by Symantec in 2004.

• Helped stand up the US-CERT for the DHS

• Lead Cyber Security Analyst for FDIC

• RSA/NetWitness

• Cyber analysis for numerous Federal agencies including the State Department and Department of Defense

• Performed incident response and analysis for several Fortune 50 companies.

• Invincea: Director of Security and Malware Analytics

Agenda

Thanks for Attending this Webinar! Today we will discuss:

• Operation DeathClick: Attacks Against the US Defense Industrial Base

• How Advanced Adversaries are Using Micro-Targeting techniques via Malvertising to Target Your Enterprise

• How Real Time Bidding Works

• How do malvertisers choose targets?

• How do malvertisers set up their malware delivery?

• How to Protect your organization against Targeted Malvertising

Operation DeathClick

• Invincea discovered a concerted campaign against US Defense companies

• Operation DeathClick represents a blending of traditional cyber-crime techniques (malvertising) with APT targeting and objectives

• Expect the campaign will soon be used to target other sectors: financial, Federal, manufacturing, healthcare, etc.

• Leverages advertising networks on ad-supported web sites to compromise specific company networks

• The TTPs involved in DeathClick evade almost all network-based and traditional endpoint controls. There is no patch for this TTP.

Micro-Targeting: How Targeted Can it Be?

You can push targeted ads to:

• A Region
• A City
• A Neighborhood
• Type of shopper
• Gender-specific Ads
• Industry Vertical
• Specific Corporation
• Captive Audience/Wireless Tower
• Specific peoples’ Mobile platform
• Any combination of the Above

A couple of scenarios….

• Activism
• Product Placement
• Special Audience
• Network intrusion

Targeting the US Defense Industrial Base: Dawn.com

DAWN.COM

Targeting the US Defense Industrial Base: PsychCentral.com

PSYCHCENTRAL.COM

Targeting the US Defense Industrial Base: FleaFlicker.com

FLEAFLICKER.COM

Targeting the US Defense Industrial Base: GPokr.com

GPOKR.COM

Targeting the US Defense Industrial Base: EarthLink

EARTHLINK.COM

Traditional Web Advertising

• Ads were once sold in bulk. Advertisers paid by the number of viewer impressions delivered.

• Advertisers paid more if the ad was clicked.

• Actual ad content is hosted elsewhere.

• Advertisers chose which sites delivered their ad content.

Drawbacks:

• Indiscriminate
• Costly
• No great ROI
• Easily Abused

Now Ads are Targeted

Ironic targeted ad by an ad-targeting company. This ad is a result of my research into ad bidding (cookie-based).

This ad delivery targeted me based on my IP address location in Orlando, FL (GEO-IP based).

How Does Ad Targeting Work?

Big Data!

• Ad Slots Provide the Real Estate, Typically Doubleclick

• Other Ad Services and Intelligence Services Enhance Targeting

Neustar, Facebook, Twitter, Pubmatic and others sell IP intelligence to ad networks.

Ad networks now sell targeted ads for advertisers.

RTB is Now Standard

Ad placement has evolved. Ad networks now run on Real-Time Ad Bidding.

• Backend auction happens in milliseconds
• Less expensive than bulk impression buys

Targeted Advertising Too Creepy?

Who knows more about you? Ad networks or the NSA?

Now Malvertisers Have the Power of RTB Targeting and they are coming after YOU!

Evading Traditional Defenses

The ability to select a target for compromise and the ease of the execution via RTB malvertising is known as “micro-targeting via malvertising.”

Without advanced host protection, this attack is over 95% successful!

• Avoids Proxy blacklists
• Avoids AV detection
• Bypasses most advanced malware interception
• See the Invincea Snipertising Whitepaper for full details

Operation DeathClick (Case Study Available)

Large Defense and Aerospace contractors targeted by RTB for penetration. Malvertising delivered via:

• Pakistani News Outlet
• Fantasy Football Site
• Webmail Ads
• Any advertising-supported site

Attacks bypassed superior defense-in-depth controls, including web proxies, and were stopped by Invincea.

Exploited: TheBlaze.com

12 ads on homepage! Pubmatic redirects to GumGum; drops Kryptik (changing hashes).

Exploited: ShootersForum

Shootersforum: Openx RTB bid redirects to in.ua free host; drops exploit kit that pops Silverlight.

Exploited: Trade2win.com

Trade2win.com: Oxygenmedia ad bid redirects to German ad provider; drops bundler malware.

Exploited: Answers.com

Answers.com: Clickbait articles drop Kryptik. Hashes constantly change. Malware delivered from compromised Polish government sites.

How Hard is it to do Targeted Malvertising?

From SiteScout: if you have cash, you can create your own landing pages and begin bidding.

How Much does a Targeted Malvertisement Bid cost?

Log file from a winning bid against a Cox IP address to drop a Trojan:

http://delivery.firstimpression.com/delivery?action=serve&ssp_id=3&ssp_wsid=2191400908&dssp_id=100&domain_id=2191400908&ad_id=748271&margin=0.4&cid=155380&bn=sj14&ip_addr=24.234.123.133&ua=1540937276&top_level_id=24.234.123.133&second_level_id=1540937276&page=thanhniennews.com&retargeted=null&height=90&width=728&idfa=null&android_id=null&android_ad_id=null&bid_price=0.654&count_notify=1&win_price=$AAABSMPg1dmFEPqXEZe5_CYviub3uOlabldGew

65 cents!
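The win-notification URL quoted above is the only raw log line on the slides. As an added example, not the presenter's or Invincea's code, the following Python pulls the fields a defender cares about out of such a record (the targeted IP, the publisher page, the creative size and the bid price) and checks whether the targeted address falls inside a range the organisation is watching. The watched range in `WATCHED_NETWORKS`, the `is_targeted_at` helper and the treatment of `win_price` as an opaque token are assumptions; the slide itself reads the 65 cents from `bid_price`.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Win-notification URL quoted on the slide (the bid that dropped a Trojan on a Cox address).
WIN_NOTIFY_URL = (
    "http://delivery.firstimpression.com/delivery?action=serve&ssp_id=3"
    "&ssp_wsid=2191400908&dssp_id=100&domain_id=2191400908&ad_id=748271"
    "&margin=0.4&cid=155380&bn=sj14&ip_addr=24.234.123.133&ua=1540937276"
    "&top_level_id=24.234.123.133&second_level_id=1540937276"
    "&page=thanhniennews.com&retargeted=null&height=90&width=728&idfa=null"
    "&android_id=null&android_ad_id=null&bid_price=0.654&count_notify=1"
    "&win_price=$AAABSMPg1dmFEPqXEZe5_CYviub3uOlabldGew"
)

# Hypothetical watched range: substitute your own egress ranges.
WATCHED_NETWORKS = ["24.234.0.0/16"]


def _clean(value):
    """The ad server writes the literal string 'null' for absent fields."""
    return None if value in (None, "", "null") else value


def parse_win_notify(url):
    """Split an RTB win-notification URL into the fields a defender wants.

    Every key is optional in practice, so missing ones come back as None.
    win_price is an opaque token in this log (the slide reads the 65 cents
    from bid_price), so it is kept as a string rather than parsed.
    """
    parts = urlsplit(url)
    q = {k: _clean(v[0]) for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "ad_server": parts.hostname,
        "ip_addr": q.get("ip_addr"),
        "page": q.get("page"),
        "ad_id": q.get("ad_id"),
        "creative_size": (q.get("width"), q.get("height")),
        "bid_price": float(q["bid_price"]) if q.get("bid_price") else None,
        "win_price": q.get("win_price"),
        "retargeted": q.get("retargeted"),
        "mobile_ids": {k: q.get(k) for k in ("idfa", "android_id", "android_ad_id")},
    }


def is_targeted_at(record, watched_networks=WATCHED_NETWORKS):
    """True when the bid was placed against an address inside a watched range."""
    if not record.get("ip_addr"):
        return False
    try:
        addr = ip_address(record["ip_addr"])
    except ValueError:
        # Malformed or non-IP targeting key: not something we can match on.
        return False
    return any(addr in ip_network(n) for n in watched_networks)


def describe(record):
    """One-line analyst summary of a parsed win notification."""
    return "%s paid $%.3f to reach %s on %s" % (
        record["ad_server"], record["bid_price"] or 0.0, record["ip_addr"], record["page"])


if __name__ == "__main__":
    rec = parse_win_notify(WIN_NOTIFY_URL)
    print(describe(rec))
    print("targets a watched range:", is_targeted_at(rec))
```

Run against the slide's URL, `describe` reports that delivery.firstimpression.com paid $0.654 to reach 24.234.123.133 on thanhniennews.com, and `is_targeted_at` is true for the hypothetical 24.234.0.0/16 range. The same parser applies to any win-notification or ad-serve URL that carries the targeted IP in its query string, which is where a proxy log can reveal that a bid was aimed at your address space rather than at a demographic.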

Funding a Micro-Targeted Malvertising Campaign

• Click Fraud funds the operation. Logs show fake Chrome installed in Java cache to click on ad banners.

• Kyle and Stan malvertising uses bundled malware and referral abuse to generate cash.

• The fake Chrome and bundled programs evade AV detection.

• Bundled programs spy on endpoints to improve ad targeting.

Where Malvertisers Host Exploit Landing Pages

• Compromised WordPress Blogs
• Unconfigured Apache hosts
• Cloud-based NGINX subdirectories
• Government and News pages in Poland
• Free Hosting sites such as ua.in

To avoid proxy blacklisting, landing pages are unique and only online for minutes.

To avoid AV or hash detection, exploits employ unique names and hashes.

Landing-page exploit kits are currently focused on cash generation, but can easily be converted to exfiltration or banking kits.
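Because the landing pages are thrown away within minutes and every payload carries a fresh hash, a proxy blacklist or AV signature is always behind. What does survive across campaigns is the behaviour the slides describe: an ad-exchange bid redirects a client to a host nobody in the organisation has ever visited. As an added example that is not Invincea's code, the Python below runs that first-seen check over a proxy log. The exchange hostnames in `AD_EXCHANGE_HOSTS`, the allowlist in `KNOWN_HOSTS` and every line of `PROXY_LOG` are constructed placeholders; real exchange domains are not quoted on the slides.

```python
from urllib.parse import urlsplit

# Constructed placeholders for the ad exchanges an organisation sees bid redirects from.
AD_EXCHANGE_HOSTS = {"bid.exchange-a.example", "rtb.exchange-b.example"}

# Constructed baseline of creative/CDN hosts already known to be benign.
KNOWN_HOSTS = {"cdn.known-ads.example"}

# Constructed proxy log: (timestamp, client_ip, requested_url, referer).
PROXY_LOG = [
    ("2014-10-16T09:00:01", "10.1.2.3", "http://news.example/article", ""),
    ("2014-10-16T09:00:02", "10.1.2.3", "http://bid.exchange-a.example/serve?ad=1",
     "http://news.example/article"),
    ("2014-10-16T09:00:03", "10.1.2.3", "http://cdn.known-ads.example/banner.jpg",
     "http://bid.exchange-a.example/serve?ad=1"),
    ("2014-10-16T09:00:04", "10.1.2.4", "http://rtb.exchange-b.example/serve?ad=2",
     "http://news.example/article"),
    ("2014-10-16T09:00:05", "10.1.2.4", "http://a7f3c1.freehost.example/land.html",
     "http://rtb.exchange-b.example/serve?ad=2"),
    ("2014-10-16T09:00:06", "10.1.2.4", "http://a7f3c1.freehost.example/p.jar",
     "http://a7f3c1.freehost.example/land.html"),
    ("2014-10-16T09:00:07", "10.1.2.5", "http://a7f3c1.freehost.example/land.html",
     "http://rtb.exchange-b.example/serve?ad=3"),
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the field is empty."""
    return (urlsplit(url).hostname or "").lower()


def ad_redirects_to_new_hosts(log, ad_hosts=AD_EXCHANGE_HOSTS, known_hosts=KNOWN_HOSTS):
    """Alert on the first time any client is sent from an ad exchange to a host
    that is neither allowlisted nor seen earlier in the log.

    Later clients landing on the same host are added to the existing alert
    rather than raising a new one, so one campaign produces one ticket.
    """
    seen = set(known_hosts)
    alerts = {}
    for ts, client, url, referer in log:
        dst = host_of(url)
        if host_of(referer) in ad_hosts:
            if dst not in seen:
                alerts[dst] = {"landing_host": dst, "first_seen": ts,
                               "via": host_of(referer), "clients": [client]}
            elif dst in alerts:
                alerts[dst]["clients"].append(client)
        seen.add(dst)
    return list(alerts.values())


def follow_on_requests(log, landing_host, client):
    """Everything the given client fetched from the flagged host, in order.

    This is the material a responder wants to capture before the landing
    page is taken offline, since the hashes will not be seen again.
    """
    return [url for _, c, url, _ in log if c == client and host_of(url) == landing_host]


if __name__ == "__main__":
    for alert in ad_redirects_to_new_hosts(PROXY_LOG):
        print("new landing host %(landing_host)s via %(via)s, first seen %(first_seen)s, "
              "clients %(clients)s" % alert)
        for client in alert["clients"]:
            for url in follow_on_requests(PROXY_LOG, alert["landing_host"], client):
                print("   ", client, "fetched", url)
```

On the constructed log this raises a single alert for a7f3c1.freehost.example, reached through rtb.exchange-b.example by two clients, and lists the landing page and the `.jar` the first client pulled from it. The check deliberately ignores what the payload is called or hashes to, which is exactly the property the slides say changes per victim; in production the `seen` set would be a persistent baseline of hosts rather than the log itself.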

Protect Yourself from Malvertising

• Deploy Invincea on Endpoints

Or

• Disallow external web re-direction.
• Demand change in the ad network business
• Opt Out

Only 636 targeting ad companies to opt out from!

http://www.rubiconproject.com/privacy/consumer-online-profile-and-opt-out/
http://preferences-mgr.truste.com/
http://www.ghosteryenterprise.com/global-opt-out/

Invincea Threat Protection

• Contain all web-based attacks in secure virtual containers
• Collect threat forensics on attack
• Protect against known, unknown, and 0-day threats without requiring signatures

Free Invincea Research Edition

Each detection shown in this presentation is available for online viewing in the Invincea Research Edition Portal.

Sign up for the Research Edition and get a free licensed copy of Invincea FreeSpace Research Edition. Click without fear.

Special Thanks and Resources

Invincea Whitepaper on Real Time Ad Bidding

Invincea Case Study: RTB Targeting Defense Industry

Threatpost Kyle and Stan Analysis http://threatpost.com/kyle-and-stan-malvertising-network-nine-times-bigger-than-first-reported/108435

Q&A Session

Invincea Research Edition: www.invincea.com/research-edition

Webinar Recording + Slide deck:

Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

Thank you!

Invincea @Invincea Patrick Belcher @BelchSpeak