Nov 22–25 Attack of The Cyber Turkey

Dec 05, 2018

Overview of Thanksgiving holiday weekend malvertising activity

During the holiday weekend, Confiant tracked and protected its clients from a massive malvertising spike, detecting and blocking 20 million malicious sessions across 3 distinct attacks (The Gobbler, Balk Friday and LLTag), each on different tier-1 ad exchanges.

We do not have precise scale measurement for these concurrent attacks but the combined impact is multiple times higher than the surge we measured on November 12, just two weeks earlier.

Although these specific attackers have been around for months, they concentrated their efforts over the holiday weekend, successfully betting that they would more easily break through during a time when ad operations teams are less available to troubleshoot security issues.

Campaigns like this have a massive negative impact on publishers, brands, and consumers. The bulk of these scams exists in order to commit affiliate fraud and phish users to steal personal identification data. Since brands ramp up their spending during the holidays, malvertising has a bigger overall impact on these peak periods.

The malvertisers’ business model is amplified by the holidays as the message is more likely to carry across to unsuspecting consumers who will fall for the scam. With more folks shopping online than usual, this enables the scammers to maximize their reach.

How do these hijacks work?

Broadly speaking, any website monetizing with ads introduces this risk to their users. From a user perspective, as they visit a web page, the malicious ad executes malicious Javascript to trigger a forceful redirection without user interaction. The user is presented with a fake ad promising a chance to win a $1000 or the latest iPhone. Like all advertisers, the malvertisers goal is engagement. Attackers piggy back on the trust established by websites with their users and leverage that to compromise users devices or steal personally sensitive information.

How do these attackers evade detection so effectively?

The ad industry attempts to weed out malicious ads using a mix of automated and manual controls. It is not economically feasible to test the millions of ad creatives running through the ecosystem using real user devices (i.e. iPhones). Attackers use this to their benefit and look for technical details that make an iPhone unique and difficult to replicate in an automated test environment in the cloud. In the cases occurring on Thanksgiving week-end, the criminals used Javascript APIs to look up device-specific information like the GPU chipset used by the device. In the cloud, automated scanners are obviously not equipped with the Apple A11 or A12 custom-made GPU chipsets.

How did Confiant spot it?

Confiant’s system performs advanced automated analysis on the creative code at the point of delivery (to users in their browsers or on their device). This analysis happens in real time and is able to recognize if certain malicious behaviors are being triggered. The automated methods are supported with additional automated scans and expert manual analysis of the code. Our security team reverse engineers any code associated with the creative in order to get a deeper understanding of the attack vector and the payload.

“The Gobbler”

Malicious behaviour: Triggers a forced redirect

This attack (targeting the United States exclusively) borrows a creative from Deutsche Bank normally aimed for the Netherlands market.

The HTML5 creative is modified to host an obfuscated malicious code snippet. Specifically, the Greensock library is altered deep inside the minified code, in order to make manual inspection extremely challenging.