Just when you thought online phishing couldn’t get much worse between credential stealing, rogue browser extensions, and social media scams, a new attack technique has emerged in the wild. This latest threat involves malvertising, where a bad ad unknowingly auto downloads an HTML file to a user’s system. This occurs when the user browses to a web page that hosts these malicious files – no clicking required. If this technique continues to proliferate and becomes a trend, entire URL reputation and domain reputation engines could be toast.
Our security researchers recently uncovered a cunning tech support phishing scam on a fake Microsoft Windows site. Here’s how the tech support phishing con works: When a user visits the web page, an ad automatically downloads the HTML file onto the user’s system disk. Users are then taken to a fake tech support page which says:
Windows Support Alert – Your System Detected Some Unusual Activity: It might harm your computer data and track your financial information. Please report this activity to the Microsoft Security tollfree number below.
An unwitting user in this scheme does not even have to click on the ad because the browser has already auto downloaded and started flashing the downloaded file icon. As a result, the browser’s security tools will not catch it because most browsers put restrictions on executable files, but not on HTML code.
And that’s just one example. Malvertising recently made global headlines based on an attack by the notorious eGobbler gang that struck in early April, primarily focusing on the U.S. and European countries. The eGobbler gang has a history of launching attacks just prior to major holidays, in this case around Easter Sunday.
About half a billion Apple iOS users were hit by session-hijacking cybercriminals who exploited an unpatched flaw in the Chrome for iOS browser. Their approach allowed them to bypass sandboxing protections to hijack user sessions, specifically among users of iPhones and iPads. The hackers took advantage of an unpatched flaw in the Google Chrome for iOS browser which helped them target iPhones and iPads – devices that most people assumed were safe from these types of attacks. The Apple iOS user sessions were made vulnerable, and it’s been reported that Apple Safari users may also be at risk, meaning that further exposure is quite possible.
The Easter malvertising attack was comprised of eight different campaigns using 30 different types of pop-up ads, each lasting just a couple of days. The pop-up malvertising ads subverted pop-up blockers and escaped sandboxing efforts in order to separate themselves from the Apple frameworks that delivered them.
Such malvertising can appear on legitimate sites, looking like a recognizable brand ad, except they do not allow a user to exit. This trap often results in a user click, which then takes the intended target to a phishing site that may steal credit card info, log-in credentials or other sensitive data that can then be sold on the dark web or exploited for gain.
One big takeaway from the big eGobbler Easter attack was that organizations simply cannot stop all ads from being served to their employees. Traditional anti-phishing security solutions focus primarily on email delivery mechanisms, but they do not address the new malvertising attack vector.
Google’s sandboxing attributes have proven ineffective against the eGobbler attack as well. While threat intelligence feeds can help, they are usually too slow to prevent such fast-moving malvertising attacks. What’s needed is some new way to prevent users from ever reaching these malicious websites in the first place.
One effective strategy involves running virtual browsers in the cloud to dynamically inspect sites through a combination of advanced computer vision, optical character recognition, natural language processing, and active site behavioral analysis. By taking this approach, machine learning systems can enable a definitive verdict whether the site is malicious or benign – before the user clicks on the malvertisement.
By preventing such straight-to-browser phishing attacks from sending victims to infected pages, the bad guys will fail to achieve their goals. In turn, their sneaky malvertising ads – which are sophisticated enough to bypass traditional security methods – will be rendered a simple nuisance.
About the Author
Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, he spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo, and Grum botnets.