'Fingerprint' security flaw ramps up malvertising campaigns

The exploit of an IE security flaw makes sure you're a legitimate victim before serving you with malware.

Malvertising campaigns have been discovered which utilise sophisticated "fingerprint" techniques to lead security researchers off the trail and only deliver payloads to legitimate victims.

screen-shot-2016-02-29-at-17-05-44.jpg

Malvertising is the use of ad networks to serve unwitting visitors malware and exploit kits, including Angler and Neutrino. Many legitimate websites rely on advertising to generate revneue, and unfortunately, malware may slip through the net.

In 2015, the UK's Daily Mail became a host for malvertising, which served up to 156 million visitors with redirects to the Angler exploit kit. The vendor, however, isn't the issue: it is the security processes and checks of third-party ad networks which may permit malicious adverts to display without realizing it.

In a new research study dubbed "Operation Fingerprint," Malwarebytes said in a blog post throughout the research, malvertising linked to the Angler exploit kit has recently affected thousands of publishers and dozens of ad networks.

Malwarebytes team member Jerome Segura and GeoEdge's Eugene Aseev say the problem is not simply focused on click-and-download infections, however. Malvertising, like all forms of cybercrime, is becoming more sophisticated -- and the latest example of enhanced techniques is fingerprinting, which has been discovered in a variety of Angler campaigns.

Fingerprinting is nothing new. The technique is used as a means for malicious payloads to avoid detection and stay hidden for as long as possible by injecting a tiny snippet of code into an advertising banner. This code then checks out traffic markers to rule out anything which is not a viable target, such as a patched system, honeypot or security companies performing checks. Unfortunately for consumers, fingerprinting is no longer limited to the exploit kit level, and has now been found in malvertising.

In a new swathe of malvertising campaigns, if a victim is using Internet Explorer 10 or below, they may be susceptible to malvertising due to a vulnerability in Microsoft Internet Explorer's XMLDOM ActiveX control. CVE-2013-7331 has been exploited by exploit kits including Angler for some time, and allows the malware to detect clues which identify a user -- and whether or not they may be a security researcher waiting in the wings.

The vulnerability allows attackers to search through local file dumps on unpatched systems to find "fingerprints" belonging to those malware operators want to avoid, such as IP addresses and geolocation tags. By adding these checks at the starting point of a chain of infection, only victims who are suitable for compromise will be redirected to an exploit kit.

"Fingerprinting represents the next step in malvertising attacks, where bogus advertisers are analyzing potential victims and either showing a benign ad or an ad laced with malicious code that ultimately redirects to an exploit kit," Malwarebytes says.

A variety of campaigns take advantage of this security flaw. According to Malwarebytes, the most common Angler-based campaigns include:

  • Fake companies: Stolen websites are rebranded to appear as legitimate companies, and while XMLDOM-based fingerprinting is not in evidence, these websites have "custom filters" for those who see malicious code and those who only see benign adverts. An Apache server component known as the .htaccess file can be tailored to specify who is given the malicious redirect -- and who isn't.
  • Custom SSL campaigns: Cyberattackers have leveraged the CloudFlare infrastructure to hide a malicious server's IP address, which also connects to clients via the SSL encryption protocol. In one campaign, the server checked to make sure traffic was legitimate before launching a redirection channel to Angler. The fingerprint code was lodged within the fake advertiser's JavaScript -- but if Kaspersky's Virtual Keyboard plugin was detected, the redirect was aborted to avoid detection.
  • Custom URL shortener campaigns: The security found one such campaign which hid the fingerprint payload within a .GIF image served over HTTPS. The firm says this was designed to "throw off" security researchers on the scent, and in addition, the campaign also used shortened URLs to make the infection chain more complex.
  • DoubleClick Open Referer campaign: The last and most sophisticated, Malwarebytes observed attackers using fingerprint payloads hidden within .GIF images -- but with an added layer of encoding provided by keys issued once per IP address and embedded within JavaScript.

All of these campaigns have similarities. They all use ad-based domain names and URLs, interim redirector systems, once-per-IP deliveries and, of course, served the Angler exploit kit in the end. The campaigns also implemented fingerprint codes to check for the presence of security products. If none were found, the Angler redirect took place.

"While some of those incidents have ceased, others are still ongoing and the threat actors responsible for them are very successful at bypassing most ad quality and security checks," Malwarebytes says.

While you cannot know if an online advert has malicious code and redirects embedded within, the best way to stay safe is to maintain your devices with automatic security updates and patching when they become available.

Read on: Top picks