Malvertizing Like a PRO
A jump into the newest attack vector: taking it to the next level
Introduction
• Pen-Tester with Veris Group
• Previous ARMY
• How to find me:
• @Killswitch_GUI
• CyberSyndicates.com
Warning!
What I'm not:
• A SME in malware or reverse engineering
• Part of a cyber-crime ring doing this every day
What this is:
• My take on ad-based malware
• My journey through how I would execute it
• Pure speculation, built only from open sources
What we will cover:
• Ad-based malware
• A touch of OSINT
• My campaign methods and failures
ALL DATA collected using open-source methods
Overview
• Forming an attack based on strategic malvertising using targeting principles
• What is malvertising?
• Malvertising vs. strategic malvertising
• What makes this so important (what don't I already know?)
• Potential methods it can be used for to conduct social engineering
• How to target completely unknown individuals within a demographic group
• How effective is it, and is it worth the resources required?
Current Malware Trends
• Phishing is still effective
• Major increase in ad delivery: 350%
• Secondary and trusted C2 being used (covert C2)
  • Duke / CloudDuke toolsets
  • Twitter / OneDrive / cloud storage
• Web exploit kits from years ago still work
• C2 is becoming difficult to detect
  • Out-of-band communications
  • Implied trust (WE WILL COVER THIS)
• Notable cases:
  • APT29: HAMMERTOSS
  • Flash zero-day delivered through ads
Talking money
• Delivering malware to generate ad traffic
  • Text / HTML ads
  • Video ad$
• Delivering ransomware
  • Crypto
• Legitimate business: cost publishers more than $21.8 billion in lost revenue in 2015
Impacting Legit Business
What is Malvertizing?
• The use and abuse of ad services by attackers to deliver malicious content, riding on the ad providers' vast audience network. Attackers leverage this legitimate function to distribute their malware.
• Many forms of ad-based malware attacks exist:
  • Compromised ad companies
  • Impersonation of legitimate companies
  • Malware hosted in ads
  • Legitimate, targeted campaigns
Core Fundamentals
• Major players
  • Google
  • Facebook*
  • Microsoft
• Main delivery methods
  • Social media marketing
  • Sponsored search
• Compensation methods
  • CPM (cost per mille, i.e. per thousand impressions)
  • CPE (cost per engagement)
  • CPC (cost per click)
  • CPV (cost per view)
Core Fundamentals Cont.
• Ease of deployment (availability)
  • The targeting platform is already built
• Benefits of web ads:
  • Cost: there is a reason ad profits are in the billions
  • Measurable: powerful analytics and cross-platform support are built in
  • Targeted?
Big Data Analytics
• Analytical engines at your fingertips
  • Broad: zip code
  • Specific: job title
  • Extremely accurate
• Most ad-delivery systems display potential reach
• Target research methods
  • We give our data away for free...
Malvertizing in the Wild
• Ad injection:
  • Exploitation of routers and redirection of DNS
  • The attacker can simply redirect normal ad-traffic queries and put their own ad in play
  • This has been used to replace Google Analytics JS code and ads
• Passive collection of ad data
  • Capabilities of ad / tracking networks
  • This data can be sold or used for other intelligence collection campaigns
  • A Canadian ISP was caught in 2014 performing MITM, stealing data from HTTP ad traffic
Malvertizing in the Wild
• Exploits within ad traffic:
  • Using obfuscated Flash exploits, attackers are able to launch exploits from legitimate ads
• Exploiting ad companies:
  • The campaign is put in motion after gaining access to the ad-serving organization
  • Redirects traffic to an exploit kit
  • Drops the exploit kit of choice: Angler, etc.
  • Begins click-fraud activity
Malvertizing in the Wild
Ad-fraud exploit kits: increasing dramatically!
• Poweliks: later versions sported an ad-clicking component
• Kovter:
  • Evolved from stand-alone to fully deployable with other exploit kits like Angler and Nuclear Pack
  • Allows even Flash-based video ads to be played for high ROI
Blue Team / Defenders
• So why should I care?
  • The online attack surface has been greatly reduced
  • Phishing is still hot!
  • Circumventing the millions spent on email / phishing security
  • With that comes every vendor in the sector with:
    • Sandbox appliances
    • Content filtering
    • Spam filters
• The delivery method is trusted:
  • Do you block Twitter / Facebook / Google?
  • Reputable sites?
  • Ad delivery and C2 channel all on one platform
  • Good luck finding that
Systematic problem
• Why it isn't a script-kiddie solution
• Why it has to be funded...
  • It takes money to make money
  • ROI: it makes more money than is put in?
• Implied trust of many ad agencies and the sites using their services
My take on AD Delivery
My Methodology / Target Selection
Demographic Nomination -> Target Selection -> SE/OSINT Research -> Campaign Development -> Reputation Development -> Deployment
Digging into Targeting
Calculating Reach
• Reach is an important factor of targeting
  • Gives you a metric to calculate the potential demographic
• Need to judge an organization's size / facility activity / increases in presence?
  • Employees
  • Geographical location
• Important concept for OSINT
  • Will I even have impact?
Recon / Sampling reach
Selecting a Sample Cont.
OSINT
• Open Source Intelligence Collection
• Applications
  • Used in many types of operations
  • Penetration testing
  • Physical assessments
  • Targeting
• Levels:
  • Physical: things we can touch and see
  • Logical: things over the wire
  • Individual: persona layer / exploiting human nature
Questions that Need to be Asked
• What time frame will be effective?
  • Work hours
  • After hours
• What system will I be targeting to reach my target audience?
  • Mobile platform: we may even be able to target the exact OS
  • Desktop OS
  • Laptop users traveling? May not be patched for a short period of time
Need to deliver on a schedule? No problem!
Exploit only works on XP, or an exact OS, on IE? No problem!
Mobile exploit? Certain mobile OS? By brand? Exact mobile brand? Exact model!?
• Yeah, this is scary granularity!
Power of Big Data
Targeting
• Small metadata is still data...
• WIGLE
  • WIGLE + compromised host = potential geographical location
  • Orients an attacker
  • Can be done with so many methods...
  • Query the registry for past locations
  • Ability to build a timeline (forensic capability)
• Social-Mention
• HoneyBadger – Tim Tomes
Power of OSINT
• ICWATCH:
  • https://transparencytoolkit.org
  • https://github.com/transparencytoolkit
Don't suggest that, but...
Think Nation State?
• "Hacking Team": beat a dead horse, anyone?
  • De-anonymizing location based on the WLAN interface
  • Uncloaking physical locations
Offensive Targeting
• Imagine a world where you could deploy your malware only to people:
  • Making $100k+
  • Working for "fill in agency here"
• More advanced campaigns being deployed?
  • Crime
  • Collection
  • Could support the IC effort of many countries
• Getting into deep water...
Traditional Targeting
• Phishing campaigns: social engineering for *clicks*
Phishing
• Very common / known methodology
• Very successful on engagements
• This same principle is how I created the ads
• Changing surface / constraints of phishing:
  • Lacks the ability to pinpoint demographics
  • The days of dumping every user in the directory using (*) may be gone
  • Training has increased / trust in email has decreased
  • TONS OF APPLIANCES protecting email!
  • SPF records / correctly configured mail servers verifying multiple fields of mail
Combined with a touch of SE
• Same principles as phishing: move over
• Trending results using Facebook
• Selecting an SE topic
• Using the topic
That SEO thing
• Another great SE technique to get a campaign off the ground
• Another important aspect of SE or any targeting:
  • You wouldn't launch a phishing campaign saying your marketing is coming from it-support.net
• Using SEO tools to build (buy):
  • Instant reputation
  • Instant legitimacy
• I attempted this, but sadly during testing FB cracked down!
What this means
• I can now target at a:
  • Physical layer
  • Logical layer
• I can correlate targets using demographics:
  • Location
  • Jobs / workplace / salary, etc.
One Week Campaign Setup
• Domain name (something reliable)
• VPS (hosting) / Apache vhosts / static content
• Analytics (Google Analytics)
• Ad campaign (Facebook)
  • $20 a campaign
• A good SE idea
SE AD Targets
• Augusta, GA: broad-target ad
  • Anyone in a 25 mi range
• Augusta, GA: targeted-demographic ad
  • Anyone in a 25 mi range
  • Employer specific
  • Time range
• Ad types:
  • Website clicks
  • Post promotion
Setup Analytics
Building a Relevant Page
• Targets: Augusta, GA
• Target demographic: cyber / location based
Building AD #1 – Broad Target
• Select control:
  • How do I get them to take notice?
  • Tag line: needed to be something impactful
  • Deceiving: had to be believable, but won't deliver 100% truth
  • Enticing image: the most important aspect, everyone loves images
Build out Clone Site
• Used HTTrack to clone the legitimate site... FB has to catch this!
Build out Config
• Left these in for testing their "review"
• Put in some meta tags for picture population
• Removed all the original Google tracking JS so we don't pop up under their account
Ad #1
• Videos are very successful marketing tools
• Can be easy wins
AD #1 – Not so fast
• They actually enforce some policies, I found out :/
AD #1 Cont.
AD #1 Setup
AD #1 Optimization
AD #1 Optimization cont.
AD #2 Setup
http://chronicle.augusta.com/news/business/2014-02-27/cyber-general-touts-benefits-fort-gordon-growth
AD #2 – Targeted Demographics
• Selected topic / control:
  • Certain location: "Fort Gordon"
• Target:
  • How do I get them to take notice?
  • Tag line: home values, "I may have some inside knowledge"
  • Hint: it's about what a ton of people talk about in this area
  • Deceiving: large increase coming!
• Target details matter for accuracy:
  • Lifestyle
  • Devices / platform
  • Work hours
Website?
• Let's test that review process:
  • Submit a simple WordPress page with an embedded video, then remove it for the duration of the test
  • Host a simple index.html with the JS for GA
• Questions that should be asked, and how they relate to malware:
  • Will they detect this major change?
  • Can someone even report a shady link?
  • How long will it stay up?
AD #2 Demographics
AD #2 Configurations / AD Placement
AD #1 Analytics
Drilling Down on Geo
• GA makes geographic analytics streamlined and accurate down to the city
• The 25 mi range on Augusta, GA seems pretty accurate!
Service Providers
• Quite helpful for tracking specific targets
• Tracking user agents in GA is simple
AD #2 Analytics – Web Clicks
Geographic Stats (not set)
Am I really Hitting my Target?
• Geographically it's easy to say "YES"
  • Accurate GeoIP API services by Google
• What about demographics?
  • Harder to determine true accuracy
  • Service providers can be a major identifier if they use a certain ISP or have their own!
• Page interaction can be a HUGE identifier
  • Likes
  • Comments
Am I really Hitting my Target? (not set)
• Found 95 sessions of 273 to be "(not set)" as the ISP...
  • Could this be proper filtering / anonymization?
  • Take the time and verify your results
  • Also, always resolve the domain name!
• This data was reassuring that I was on the right track
Am I really Hitting my Target cont.
• Facebook likes / comments:
  • Help perform post-analysis of the target audience
  • All 8 likes were affiliated with my target audience.
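The "(not set)" slides above describe a verification step rather than a tool, so here is an added example (not from the deck or its author) of how that check can be done over an analytics export: bucket each session by the two signals the deck relies on, geography and the service-provider / network-domain dimension, and treat rows where both are "(not set)" as unverified rather than as hits. The session rows, city list, provider names and network domains below are all constructed placeholders.

```python
"""Added example, not from the deck: did the ad's sessions come from the target
audience? Rows imitate a Google Analytics export (city, service provider,
network domain, sessions). All names and numbers are constructed."""
from collections import Counter

# Assumption: cities a 25 mi radius around Augusta, GA would cover (constructed list).
TARGET_CITIES = {"Augusta", "Evans", "Martinez", "Grovetown"}
# Assumption: provider names / network domains that identify the target employer (constructed).
TARGET_PROVIDERS = {"target org network"}
TARGET_DOMAINS = ("targetorg.example", "contractor.example")

# Constructed session rows: (city, service_provider, network_domain, sessions).
SESSIONS = [
    ("Augusta",   "target org network",  "targetorg.example",  9),
    ("Evans",     "(not set)",           "contractor.example", 4),
    ("Augusta",   "(not set)",           "(not set)",          11),
    ("Augusta",   "residential isp llc", "resisp.example",     8),
    ("Grovetown", "mobile carrier inc",  "carrier.example",    3),
    ("Atlanta",   "residential isp llc", "resisp.example",     5),
]


def classify(city, provider, network_domain):
    """Bucket one row by how strongly it points at the target audience.

    The deck's "always resolve the domain name" step is the second test: a
    provider of "(not set)" can still be attributed when the network domain is
    known and belongs to the target."""
    if provider.lower() in TARGET_PROVIDERS or network_domain.endswith(TARGET_DOMAINS):
        return "target_org"
    if provider == "(not set)" and network_domain == "(not set)":
        return "unverified"
    if city in TARGET_CITIES:
        return "in_geo"
    return "out_of_geo"


def audience_report(rows):
    """Sessions per bucket, plus the share that cannot be attributed at all."""
    counts = Counter()
    for city, provider, domain, n in rows:
        counts[classify(city, provider, domain)] += n
    total = sum(counts.values())
    share = lambda k: round(counts[k] / total, 3) if total else 0.0
    return {
        "buckets": dict(counts),
        "total": total,
        "unverified_share": share("unverified"),
        "target_org_share": share("target_org"),
    }


if __name__ == "__main__":
    print(audience_report(SESSIONS))
```

The point of the split is that only the "target_org" bucket supports the claim of having hit the demographic; "in_geo" merely confirms the 25 mi radius, and a large "unverified" share (the deck's 95 of 273) is a reason to go back and resolve network domains, not evidence either way.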
Putting it in Context
• One guy with limited funds and some time
  • Conducted 2 ad campaigns
  • Each campaign took 6 hours from OSINT to delivery
  • Each campaign ran one week at $20 each
  • Campaign 1 had 143 engagements, 2k reach
  • Campaign 2 had 219 engagements, 3k reach
• Calculation:
  • Well-funded group with a $10k budget for a campaign and 160 hours
  • On average $0.09 per unique engagement
  • Potential = 26 unique ads, 111,111 engagements, and 1.5M reach!
• I would consider this an extremely effective means of a targeted campaign.
Major Findings
• Review process is a joke:
  • Couldn't detect a clearly cloned website by its static HTML source
  • The cloned website still had the complete favicon / logos / static source of the original site
  • Do they even scan for malware?
• Continued monitoring
  • Set up a page, then immediately removed it and replaced it with a simple index.html page with JS
  • Ran for one week and didn't raise one flag?
  • I can simply submit an ad and host malware 10 minutes later?
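The two findings above (a cloned page that still carries the original site's favicon, logos and static assets with the original Google Analytics tracker stripped out, and a landing page swapped for a bare index.html minutes after approval) are both things a reviewer can check mechanically. The following is an added example, written for this page and not code from the deck, its author, or any ad platform: it parses a landing page with the standard library, lists assets that load from an origin other than the serving host, extracts classic GA property IDs, and compares the page approved at review with what the URL serves later. The HTML snapshots, host names and GA IDs are constructed.

```python
"""Added example, not from the deck: landing-page checks for an ad reviewer
(or a brand watching for clones of its own site). All HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib
import re

# Classic Google Analytics property IDs look like UA-12345-1 (values below are made up).
GA_ID_RE = re.compile(r"\bUA-\d{4,10}-\d{1,4}\b")


class _PageRefs(HTMLParser):
    """Collect asset references and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.assets = []      # (tag, url) for img/script/link references
        self.favicon = None
        self.text = []
        self._in_code = 0     # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._in_code += 1
        if tag in ("img", "script") and a.get("src"):
            self.assets.append((tag, a["src"]))
        elif tag == "link" and a.get("href"):
            if "icon" in (a.get("rel") or "").lower():
                self.favicon = a["href"]
            self.assets.append((tag, a["href"]))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._in_code:
            self._in_code -= 1

    def handle_data(self, data):
        if not self._in_code and data.strip():
            self.text.append(data.strip())


def _host(url):
    """Hostname of an absolute URL, or None for a relative reference."""
    h = urlparse(url).hostname
    return h.lower() if h else None


def inspect_landing_page(html, serving_host):
    """Summarise one page served from serving_host and list review findings."""
    p = _PageRefs()
    p.feed(html)
    p.close()
    hosts = [_host(u) for _, u in p.assets]
    foreign = sorted({h for h in hosts
                      if h and h != serving_host and not h.endswith("." + serving_host)})
    findings = []
    fav_host = _host(p.favicon) if p.favicon else None
    if fav_host and fav_host in foreign:
        findings.append(f"favicon served from another origin: {fav_host}")
    for h in foreign:
        findings.append(f"static assets loaded from another origin: {h}")
    text = " ".join(p.text)
    return {
        "foreign_hosts": foreign,
        "ga_ids": sorted(set(GA_ID_RE.findall(html))),   # a clone keeps or strips the victim's ID
        "words": len(text.split()),
        "content_hash": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,
    }


def detect_drift(approved_html, live_html, serving_host):
    """Compare the page approved at review with what the same URL serves now."""
    before = inspect_landing_page(approved_html, serving_host)
    after = inspect_landing_page(live_html, serving_host)
    changes = []
    if before["content_hash"] != after["content_hash"]:
        changes.append("visible content changed since review")
    if after["words"] < before["words"] / 2:
        changes.append(f"page shrank from {before['words']} to {after['words']} words")
    if before["ga_ids"] != after["ga_ids"]:
        changes.append(f"tracking IDs changed: {before['ga_ids']} -> {after['ga_ids']}")
    new_hosts = sorted(set(after["foreign_hosts"]) - set(before["foreign_hosts"]))
    if new_hosts:
        changes.append("new external origins: " + ", ".join(new_hosts))
    return changes


# Constructed snapshots: the page as submitted for review, and the same URL a week later.
APPROVED_HTML = """<html><head><title>Fort Gordon home values</title>
<link rel="icon" href="/favicon.ico">
<script>var _gaq=[['_setAccount','UA-123456-1']];</script></head>
<body><h1>Home values around Fort Gordon</h1>
<p>Local brokers expect demand near the post to keep climbing as new units
arrive, and several neighbourhoods have already seen listings move in days
rather than weeks; this page walks through the numbers street by street.</p>
<video src="/tour.mp4"></video></body></html>"""

LIVE_HTML = """<html><head><title>Augusta cyber news</title>
<link rel="icon" href="https://news.example.org/favicon.ico">
<script src="https://news.example.org/static/site.js"></script>
<script>var _gaq=[['_setAccount','UA-999999-7']];</script></head>
<body><img src="https://news.example.org/img/logo.png"><p>Click to read more</p></body></html>"""

if __name__ == "__main__":
    for f in inspect_landing_page(LIVE_HTML, "promo.example.net")["findings"]:
        print("finding:", f)
    for c in detect_drift(APPROVED_HTML, LIVE_HTML, "promo.example.net"):
        print("drift:", c)
```

Neither check proves malice on its own: CDNs legitimately serve assets cross-origin, and sites do get redesigned. The value is in combining them with the approval record, which is exactly what the deck's one-week test showed was missing: a favicon and logos pulled from someone else's domain at submission time, and a page whose content, size and tracking ID all changed right after approval.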
Are Ad-Agency's protecting us
• Google
  • Moving to encrypted ads June 30th
  • Only protects against ad injection at the network layer (compromised routers)
• Facebook
  • RiskIQ: monitoring advertising pages to protect users from malicious ads
• Interesting academic research on detecting cloned pages
Getting The Most out of a Campaign: Tips
• Proper recon is crucial
• A proper SE campaign must be relevant to your target
• Holistic view of an ad:
  • How do I view ads as a user?
  • What do I click on and what do I not?
  • Videos / posts / news
  • CPC compensation
Twitter, How I Hate You
• Rule one: don't buy bots and get caught in the sec industry
• @jaredcatkinson
Lessons Learned
• Twitter is a news source, not so much a social source
  • Although they have just as powerful analytics engines when it comes to ad delivery
• Scary easy to run a simple yet targeted campaign with relatively accurate results
• Big shout out to:
  • @Slacker007 – Keelyn Roberts
  • @Hashtagcyber – Matt Domko

Contenu connexe

Tendances

Mass Transmit - Getting Started in Social Media
Mass Transmit - Getting Started in Social MediaMass Transmit - Getting Started in Social Media
Mass Transmit - Getting Started in Social MediaAdam Holden-Bache
 
Salesforce Social studio February 2016 Release Notes
Salesforce Social studio February 2016 Release NotesSalesforce Social studio February 2016 Release Notes
Salesforce Social studio February 2016 Release NotesRobin Leonard
 
Localytics ENGAGE - The Future of Engagement
Localytics ENGAGE - The Future of EngagementLocalytics ENGAGE - The Future of Engagement
Localytics ENGAGE - The Future of EngagementLocalytics
 
Webinar: 7 Ways Mass Transmit Can Help Your Business
Webinar: 7 Ways Mass Transmit Can Help Your BusinessWebinar: 7 Ways Mass Transmit Can Help Your Business
Webinar: 7 Ways Mass Transmit Can Help Your BusinessMass Transmit
 
View-Through Technology: Gaining Insight into Data
View-Through Technology: Gaining Insight into DataView-Through Technology: Gaining Insight into Data
View-Through Technology: Gaining Insight into DataBusinessOnline
 
Social Customer Service (January 22, 2015)
Social Customer Service (January 22, 2015)Social Customer Service (January 22, 2015)
Social Customer Service (January 22, 2015)Salesforce Partners
 

Tendances (8)

Mass Transmit - Getting Started in Social Media
Mass Transmit - Getting Started in Social MediaMass Transmit - Getting Started in Social Media
Mass Transmit - Getting Started in Social Media
 
Salesforce Social studio February 2016 Release Notes
Salesforce Social studio February 2016 Release NotesSalesforce Social studio February 2016 Release Notes
Salesforce Social studio February 2016 Release Notes
 
Localytics ENGAGE - The Future of Engagement
Localytics ENGAGE - The Future of EngagementLocalytics ENGAGE - The Future of Engagement
Localytics ENGAGE - The Future of Engagement
 
Webinar: 7 Ways Mass Transmit Can Help Your Business
Webinar: 7 Ways Mass Transmit Can Help Your BusinessWebinar: 7 Ways Mass Transmit Can Help Your Business
Webinar: 7 Ways Mass Transmit Can Help Your Business
 
Rr presentation
Rr presentationRr presentation
Rr presentation
 
#SummerofCPD - Social Media and the Law
#SummerofCPD - Social Media and the Law#SummerofCPD - Social Media and the Law
#SummerofCPD - Social Media and the Law
 
View-Through Technology: Gaining Insight into Data
View-Through Technology: Gaining Insight into DataView-Through Technology: Gaining Insight into Data
View-Through Technology: Gaining Insight into Data
 
Social Customer Service (January 22, 2015)
Social Customer Service (January 22, 2015)Social Customer Service (January 22, 2015)
Social Customer Service (January 22, 2015)
 

Similaire à Malvertizing Like a PRO

Mobile Ad Fraud Wikileaks: Exposing the Threats
Mobile Ad Fraud Wikileaks: Exposing the ThreatsMobile Ad Fraud Wikileaks: Exposing the Threats
Mobile Ad Fraud Wikileaks: Exposing the ThreatsAffiliate Summit
 
5 Secrets to Internet Marketing Success
5 Secrets to Internet Marketing Success5 Secrets to Internet Marketing Success
5 Secrets to Internet Marketing SuccessShawn Souto
 
The World of Measurement and Analytics
The World of Measurement and AnalyticsThe World of Measurement and Analytics
The World of Measurement and AnalyticsJarred Cinman
 
Digital marketing and site monitoring full report
Digital marketing and site monitoring full reportDigital marketing and site monitoring full report
Digital marketing and site monitoring full reportJIEMS Akkalkuwa
 
best Digital marketing institute in Laxmi Nagar
best Digital marketing institute in Laxmi Nagar best Digital marketing institute in Laxmi Nagar
best Digital marketing institute in Laxmi Nagar mohit597829
 
How to use webcast linked in blog twitter facebook youtube to grow your business
How to use webcast linked in blog twitter facebook youtube to grow your businessHow to use webcast linked in blog twitter facebook youtube to grow your business
How to use webcast linked in blog twitter facebook youtube to grow your businesssammynicole
 
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & Panel
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & PanelFQ Mobile Asia Congress - App Bytes 2011 - Session Speech & Panel
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & PanelFabriQate
 
Digitalmarketing-SEO|News kerala
Digitalmarketing-SEO|News keralaDigitalmarketing-SEO|News kerala
Digitalmarketing-SEO|News keralaRakesh Mohan
 
Labelling – are you serious
Labelling – are you seriousLabelling – are you serious
Labelling – are you seriousPhil Archer
 
social media strategy for real estate
social media strategy for real estatesocial media strategy for real estate
social media strategy for real estateD Scott Smith,CCIM
 
Social Media Business Strategy 0227 Master
Social Media Business Strategy 0227 MasterSocial Media Business Strategy 0227 Master
Social Media Business Strategy 0227 Masterautomatedsocialmedia
 
How to Reach More Customers with a Virtual Workforce
How to Reach More Customers with a Virtual WorkforceHow to Reach More Customers with a Virtual Workforce
How to Reach More Customers with a Virtual WorkforceExecuvite
 
Blackglass affili@ syd
Blackglass affili@ sydBlackglass affili@ syd
Blackglass affili@ sydMatt Bateman
 
Unlocking Social CRM for your Organisation (Keynote)
Unlocking Social CRM for your Organisation (Keynote)Unlocking Social CRM for your Organisation (Keynote)
Unlocking Social CRM for your Organisation (Keynote)Joakim Nilsson
 
Emarketing strategies for success
Emarketing strategies for successEmarketing strategies for success
Emarketing strategies for successRalph Paglia
 
Carmelites Online Marketing Workshop
Carmelites Online Marketing WorkshopCarmelites Online Marketing Workshop
Carmelites Online Marketing WorkshopGrow Socially, Inc.
 
Innov day big data enabler & business opportunities(1)
Innov day   big data enabler & business opportunities(1)Innov day   big data enabler & business opportunities(1)
Innov day big data enabler & business opportunities(1)TelkomDDSKM
 

Similaire à Malvertizing Like a PRO (20)

Mobile Ad Fraud Wikileaks: Exposing the Threats
Mobile Ad Fraud Wikileaks: Exposing the ThreatsMobile Ad Fraud Wikileaks: Exposing the Threats
Mobile Ad Fraud Wikileaks: Exposing the Threats
 
5 Secrets to Internet Marketing Success
5 Secrets to Internet Marketing Success5 Secrets to Internet Marketing Success
5 Secrets to Internet Marketing Success
 
The World of Measurement and Analytics
The World of Measurement and AnalyticsThe World of Measurement and Analytics
The World of Measurement and Analytics
 
Digital marketing and site monitoring full report
Digital marketing and site monitoring full reportDigital marketing and site monitoring full report
Digital marketing and site monitoring full report
 
best Digital marketing institute in Laxmi Nagar
best Digital marketing institute in Laxmi Nagar best Digital marketing institute in Laxmi Nagar
best Digital marketing institute in Laxmi Nagar
 
How to use webcast linked in blog twitter facebook youtube to grow your business
How to use webcast linked in blog twitter facebook youtube to grow your businessHow to use webcast linked in blog twitter facebook youtube to grow your business
How to use webcast linked in blog twitter facebook youtube to grow your business
 
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & Panel
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & PanelFQ Mobile Asia Congress - App Bytes 2011 - Session Speech & Panel
FQ Mobile Asia Congress - App Bytes 2011 - Session Speech & Panel
 
Digitalmarketing-SEO|News kerala
Digitalmarketing-SEO|News keralaDigitalmarketing-SEO|News kerala
Digitalmarketing-SEO|News kerala
 
Labelling – are you serious
Labelling – are you seriousLabelling – are you serious
Labelling – are you serious
 
Frakture Deck v3.1
Frakture Deck v3.1Frakture Deck v3.1
Frakture Deck v3.1
 
social media strategy for real estate
social media strategy for real estatesocial media strategy for real estate
social media strategy for real estate
 
Social Media Business Strategy 0227 Master
Social Media Business Strategy 0227 MasterSocial Media Business Strategy 0227 Master
Social Media Business Strategy 0227 Master
 
How to Reach More Customers with a Virtual Workforce
How to Reach More Customers with a Virtual WorkforceHow to Reach More Customers with a Virtual Workforce
How to Reach More Customers with a Virtual Workforce
 
Blackglass affili@ syd
Blackglass affili@ sydBlackglass affili@ syd
Blackglass affili@ syd
 
Unlocking Social CRM for your Organisation (Keynote)
Unlocking Social CRM for your Organisation (Keynote)Unlocking Social CRM for your Organisation (Keynote)
Unlocking Social CRM for your Organisation (Keynote)
 
eMarketer
eMarketereMarketer
eMarketer
 
Emarketing strategies for success
Emarketing strategies for successEmarketing strategies for success
Emarketing strategies for success
 
Carmelites Online Marketing Workshop
Carmelites Online Marketing WorkshopCarmelites Online Marketing Workshop
Carmelites Online Marketing Workshop
 
Digital marketing
Digital marketingDigital marketing
Digital marketing
 
Innov day big data enabler & business opportunities(1)
Innov day   big data enabler & business opportunities(1)Innov day   big data enabler & business opportunities(1)
Innov day big data enabler & business opportunities(1)
 

Dernier

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Malvertizing Like a PRO

  • 1. Malvertizing Like a PRO: A JUMP INTO THE NEWEST ATTACK VECTOR, TAKING IT TO THE NEXT LEVEL
  • 2. Introduction
      • Pen-Tester with Veris Group
      • Previous ARMY
      • How to find me: @Killswitch_GUI, CyberSyndicates.com
  • 3. Warning!
       What I'm not:
       A SME in Malware or Reverse Engineering
       Part of a Cyber Crime ring performing this every day
       What this is:
       My take on Ad based malware
       My journey on how I would execute it
       Pure speculation of what's open source
       What we will cover:
       Ad Based Malware
       Touch of OSINT
       My Campaign Methods and Failure
      ALL DATA Collected using Open Source methods
  • 4. Overview
       Forming an attack based on Strategic Malvertising using targeting principles
       What is Malvertising?
       What's Malvertising vs Strategic Malvertising?
       What makes this so important? (What don't I already know?)
       Potential methods it can be used to conduct social engineering
       How to target completely unknown, specific individuals within a demographic group?
       How effective is it, and is it worth the resources required?
  • 5. Current Malware Trends
       Phishing still effective
       Major increase in Ad Delivery - 350%
       Secondary and Trusted C2 being used (Covert C2)
       Duke / Cloud Duke Toolsets
       Twitter / OneDrive / Cloud Storage
       Web Exploit Kits from years ago still working
       C2 is becoming difficult to detect
       Out of Band Communications
       Implied Trust (WE WILL COVER THIS)
       Notable Cases:
       APT 29: HAMMERTOSS
       Flash Zero Day, Ad Based
  • 6. Talking money
       Delivering malware to generate AD traffic
       Text / HTML Ads
       Video AD’$
       Delivering Ransomware
       Crypto
       Legit Business: cost publishers more than $21.8 billion in 2015 in lost revenue
  • 8. What is Malvertizing?
       It is the use and abuse of Ad services by attackers to deliver malicious content, using ad service providers' vast audience network. They can leverage this legitimate function to distribute their malware.
       Many forms of malware based ad-ware attacks exist:
       Compromised Ad-Companies
       Impersonation of legitimate companies
       Malware being hosted in Ads
       Legitimate Targeted campaigns
  • 9. Core Fundamentals
       Major players: Google, Facebook*, Microsoft
       Main Types of Delivery methods: Social media marketing, Sponsored search
       Compensation methods: CPM (cost per mille), CPE (cost per engagement), CPC (cost per click), CPV (cost per view)
  • 10. Core Fundamentals Cont.
       Ease of deployment (availability)
       The targeting platform is already built
       Benefits of Web Ads:
       Cost – There is a reason why AD profits are in the Billions
       Measurable – Powerful analytics and cross platform support are built in
       Targeted?
  • 11. Big Data Analytics
       Analytical engines at your fingertips
       Broad – Zip code
       Specific – Job title
       Extremely Accurate
       Most Ad-Delivery systems display potential reach
       Target research methods
       We give our data away for free..
  • 12. Malvertizing in the Wild
       AD injection:
       Exploitation of routers and redirecting DNS
       Attacker can simply redirect normal AD traffic queries and place their AD in play
       This has been used to replace Google Analytics JS code and Ads
       Passive Collection of AD data:
       Capabilities of Ad / Tracking
       This data can be sold or used for other Intelligence Collection Campaigns
       Canadian ISP was caught MITM in 2014 stealing data from HTTP AD traffic
  • 13. Malvertizing in the Wild
       Exploit within AD traffic:
       Using obfuscated Flash exploits, attackers are able to launch exploits from legit Ads
       Exploit AD Companies:
       Campaign is put in motion after gaining access to the AD serving organization
       Redirects traffic to Exploit Kit
       Drop Exploit Kit of choice: Angler etc.
       Begins Click Fraud activity
  • 14. Malvertizing in the Wild
       AD Fraud Exploit Kits: Increasing dramatically!
       Poweliks: later versions sported an Ad-Clicking Component
       Kovter: Evolved from stand-alone to fully deployable with other exploit kits like Angler, Nuclear Pack
       Allows even Flash based Video Ads to be played for high ROI
  • 15. Blue Team / Defenders
       So why should I care?
       Online attack surface has greatly reduced
       Phishing is still Hot!
       Circumventing millions in security: email / Phishing
       With that comes every vendor in the sector with: Sandbox appliances, Content Filtering, Spam Filters
       Delivery method is trusted:
       Do you block Twitter / Facebook / Google? Reputable sites?
       AD Delivery / C2 Channel all on one platform
       Good luck finding that
  • 16. Systematic problem
       Why it isn't a Script Kiddy solution
       Why it has to be funded.. It takes money to make money
       ROI - It makes more money than put in?
       Implied Trust of many Ad-Agencies and sites using their services
  • 17. My take on AD Delivery
  • 18. My Methodology / Target Selection: Demographic Nomination -> Target Selection -> SE/OSINT Research -> Campaign Development -> Reputation Development -> Deployment
  • 20. Calculating Reach
       Reach is an important factor of targeting
       Gives you a metric to calculate potential demographic
       Need to judge an organization's size / Facility Activity / increases or presence?
       Employees
       Geographical location
       Important concept for OSINT
       Will I even have impact?
  • 23. OSINT
       Open Source Intelligence Collection Applications
       Used in many types of operations: Penetration Testing, Physical Assessments, Targeting
       Levels:
       Physical - Things we can touch and see
       Logical - Things over the wire
       Individual - Persona Layer / Exploiting the nature of Humans
  • 24. Questions that Need to be Asked
       What time frame will be effective? Work Hours: / After Hours:
       What System will I be targeting to reach my target audience?
       Mobile Platform: We may even be able to target the exact OS
       Desktop OS
       Laptop Users traveling? May not be patched for a short period of time
  • 25. Need to deliver based on schedule? No Prob!
  • 26. Exploit only works on XP or exact OS, on IE? No Prob!
  • 28. Exact mobile brand? Exact Model!?
       Yea this is scary granularity!
  • 29. Power of Big Data Targeting
       Small Meta-Data that is data…
       WIGLE
       WIGLE + compromised Host = Potential Geographical location
       Orient an attacker
       Can be done with so many methods…
       Query registry for past locations
       Ability to build a timeline (Forensic Capability)
       Social-Mention
       HONEY BADGER – Tim Tomes
  • 30. Power of OSINT
       ICWATCH: https://transparencytoolkit.org, https://github.com/transparencytoolkit
  • 32. Think Nation State?
       “Hacking Team” - Beat a dead horse anyone?
       De-anonymizing Location based on WLAN interface
       Un-cloaking physical Locations
  • 33. Offensive Targeting
       Imagine a world where you could deploy your malware only to people:
       Making 100k+
       Working for: “fill in agency here”?
       More advanced campaigns being deployed?
       Crime
       Collection
       Could support the IC effort of many countries
       Getting into deep water..
  • 34. Traditional Targeting
       Phishing Campaigns – Social Engineering for *clicks*
  • 35. Phishing
       Very Common / Known Methodology
       Very successful on engagements
       This same principle is how I created Ads
       Changing surface / Constraints of phishing:
       Lack ability to pin point demographics
       The days of dumping every user in the directory using ( * ) may be gone
       Training increased / Trust has decreased in email
       TONS OF APPLIANCES protecting email!
       SPF Records / Correctly configured Mail servers verifying multiple fields of mail
  • 36. Combined with a touch of SE
       Same principles as Phishing (move over)
       Trending Results using Facebook
       Selecting SE topic
       Using topic
  • 37. That SEO thing
       Another great SE technique to get a campaign off the ground
       Another important aspect to SE or any Targeting
       You wouldn't launch a Phishing Campaign saying your marketing is coming from it-support.net
       Using SEO Tools to build (BUY): Instant Reputation, Instant Legitimacy
       I attempted this but sadly during testing FB cracked down!
  • 38. What this means
       I can now target at a: Physical Layer, Logical Layer
       I can correlate targets using Demographics: Location, Jobs / workplace / salary etc.
  • 40. Setup
       Domain Name (Something Reliable)
       VPS (Hosting) / Apache Vhosts / Static Content
       Analytics (Google-Analytics)
       Ad Campaign (Facebook): $20 a campaign
       A good idea to SE
  • 41. SE AD Targets
       Augusta, GA – Broad Target AD: Anyone in 25mi Range
       Augusta, GA – Targeted Demographic AD: Anyone in 25mi Range, Employer Specific, Time Range
       AD Types: Web-Site clicks, Post Promotion
  • 43. Building a Relevant Page
       Targets: Augusta, GA
       Target Demographic: Cyber / Location Based
  • 44. Building AD #1 – Broad Target
       Select Control: How do I get them to take notice?
       Tag-Line: Needed to be something impactful
       Deceiving: Had to be believable but won't deliver 100% truth
       Enticing Image: Most important aspect, everyone loves images
  • 45. Build out Clone Site
       Used HTTrack for cloning of legit data.. FB has to catch this!
  • 46. Build out Config
       Left these for testing their “Review”
       Put in some Meta Tags for Picture Population
       Removed all the original Google Tracking JS so we don't pop up under their account
  • 47. Ad #1
       Videos are very successful marketing tools
       Can be easy wins
  • 48. AD #1 – Not so fast
       They actually enforce some policies, I found out :/
  • 54. AD #2 – Targeted Demographics
       Selected Topic / Control: Certain location “Fort Gordon”
       Target: How do I get them to take notice?
       Tag-Line: Home Values “I may have some inside knowledge”
       Hint: It's about what a ton of people talk about in this area.
       Deceiving: Large Increase coming!
       Target Details Matter for Accuracy: Life Style, Devices / Platform, Work hours
  • 55.
  • 56. Website?
       Let's test that review process:
       Submit a simple WordPress page with an embedded video, then remove it for the duration of the test
       Host a simple index.html with JS for GA
       Questions that should be asked and how they relate to malware:
       Will they detect this major change?
       Can someone even report a shady link?
       How long will it stay up?
  • 58. AD #2 Configurations / AD Placement
  • 60. Drilling Down on Geo
       GA makes Geographic analytics streamlined and accurate down to the city
       25 mi range on Augusta, GA seems pretty accurate!
  • 61. Service Providers
       Makes tracking specific targets quite helpful
       Tracking user agents in GA is simple
  • 62. AD #2 Analytics - Web Clicks
  • 65. Am I really Hitting my Target?
       Geographically it's easy to say “YES”: Accurate GEOIP API services by Google
       What about Demographic? Harder to determine true accuracy
       Service Providers can be a major identifier if they use a certain ISP or have their own!
       Page interaction can be a HUGE identifier: Likes, Comments
  • 66. Am I really Hitting my Target? (not set)
       Found 95 sessions of 273 to be (not set) as the ISP…
       Could this be proper filtering / anonymization?
       Take the time and verify your results
       Also always resolve the domain name!
       This data was reassuring that I was on the right track
  • 67. Am I really Hitting my Target cont.
       Facebook Likes / Comments: Helps perform post analysis of the target audience
       All 8 likes were affiliated with my target audience.
  • 68. Putting it in Context
       One guy with limited funds and some time
       Conducted 2 Ad campaigns
       Each campaign took 6 hours from OSINT to Delivery
       Each campaign ran one week at $20 each
       Campaign 1 had 143 engagements, 2k reach
       Campaign 2 had 219 engagements, 3k reach
       Calculation: Well funded group with a 10k budget for a campaign and 160 hours
       On avg .09 cents per unique engagement
       Potential = 26 unique Ads, 111,111 Engagements, and 1.5M Reach!
       I would consider this an extremely effective means of a targeted campaign.
  • 69. Major Findings
       Review process is a joke:
       Couldn't detect a clearly cloned website by static HTML source
       The cloned website still had the complete favicon / logos / static source of the cloned website
       Do they even scan for malware?
       Continued monitoring:
       Set up a page and immediately removed it and replaced it with a simple index.html page with JS
       Ran for one week and didn't raise one flag?
       I can simply submit an ad and host malware 10 mins later?
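The two review gaps on this slide (a cloned landing page passing static review, and the page being swapped after approval) are both cheap to check for. The following is an added example, not code from the talk or from any ad platform: it flags a page whose favicon, logos or scripts are still served from another site or that carries HTTrack's "Mirrored from" comment, and it compares a re-fetched page against the fingerprint stored at approval time so a post-review swap is noticed. The advertiser domain, host names and both sample pages are constructed.

```python
import hashlib
import re
# HTTrack leaves a "Mirrored from <host>" comment in every page it saves (its default footer)
MIRROR_COMMENT = re.compile(r"<!--\s*Mirrored from\s+([^\s/]+)", re.I)
# src/href of <link>, <img> and <script> tags; a tolerant regex is enough for a review heuristic
ASSET_URL = re.compile(r"<(?:link|img|script)\b[^>]*?\b(?:src|href)=[\"']([^\"']+)", re.I)
HOST = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)

def foreign_asset_hosts(html, advertiser_domain):
    """Hosts other than the advertiser's own that serve the page's favicon, images or scripts.
    A page cloned from another site usually still points at that site's logos and favicon."""
    adv = advertiser_domain.lower()
    hosts = set()
    for url in ASSET_URL.findall(html):
        m = HOST.match(url)
        if m:
            hosts.add(m.group(1).lower())
    return {h for h in hosts if h != adv and not h.endswith("." + adv)}

def mirrored_from(html):
    """Source host named in an HTTrack 'Mirrored from' comment, or None."""
    m = MIRROR_COMMENT.search(html)
    return m.group(1).lower() if m else None

def content_fingerprint(html):
    """Whitespace-normalized SHA-256 of the page, recorded when the ad is approved."""
    return hashlib.sha256(re.sub(r"\s+", " ", html).strip().encode()).hexdigest()

def review_landing_page(html, advertiser_domain, approved_fingerprint=None):
    """Findings for a submitted page, or for a re-fetch of an approved page
    (pass approved_fingerprint to catch a swap made after the review)."""
    findings = []
    foreign = foreign_asset_hosts(html, advertiser_domain)
    if foreign:
        findings.append("assets served by non-advertiser hosts: " + ", ".join(sorted(foreign)))
    src = mirrored_from(html)
    if src and src != advertiser_domain.lower():
        findings.append("page is an HTTrack mirror of " + src)
    if approved_fingerprint and content_fingerprint(html) != approved_fingerprint:
        findings.append("content changed since approval")
    return findings

# Constructed sample: a cloned page submitted under the hypothetical advertiser domain ad-landing.example
SUBMITTED = """<!-- Mirrored from www.victim-site.example/ by HTTrack Website Copier -->
<html><head><link rel="shortcut icon" href="https://www.victim-site.example/favicon.ico">
<script src="https://ad-landing.example/js/app.js"></script></head>
<body><img src="https://www.victim-site.example/img/logo.png"></body></html>"""
# What the same URL serves a day later: a bare index.html with only a tracking script
SWAPPED = '<html><head><script src="https://ad-landing.example/ga.js"></script></head><body></body></html>'
```

Running `review_landing_page(SUBMITTED, "ad-landing.example")` at submission time yields two findings; re-fetching later and passing the approval-time fingerprint turns the silent swap into a third.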
  • 70. Are Ad Agencies protecting us?
       Google: Moving to Encrypted Ads June 30th
       Only protects against Ad injection at the network layer (Compromised Routers)
       Facebook: RiskIQ - monitoring advertising pages to protect users from malicious ads
       Interesting academic research on detecting cloned pages
  • 71. Getting the Most out of a Campaign: Tips
       Proper recon is crucial
       Proper SE campaign must be relevant to your target
       Holistic view of an ad:
       How do I view ads as a user?
       What do I click on and what do I not?
       Videos / Posts / News
       CPC Compensation
  • 72.
  • 73. Twitter, How I Hate You
       Rule one: Don't buy bots and get caught in the Sec industry
       @jaredcatkinson
  • 74. Lessons Learned
       Twitter is a news source, not so much a social source, although they have just as powerful analytic engines when it comes to AD delivery
       Scary easy to run a simple yet targeted campaign with relatively accurate results
      • Big shout out to: @Slacker007 – keelyn roberts, @Hashtagcyber – Matt Domko

Editor's notes

  1. Question: What if I want to keep tabs on movements, increases and activity of a facility?
  2. OSINT: Form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence
  3. I want to target work resources? (9 to 5) Remote / Home Users will be out of patch?
  4. Make your own assumptions. Kept it wide!!