This presentation, given at BSidesAugusta 2015, discusses free tools and techniques for penetration testing.
This presentation is the culmination of research and execution into the emerging attack path of ad-based malware delivery. I'll cover the basics of social and web-based marketing strategies and their relationship with advanced malware campaigns currently in the wild. I'll then dive into the mechanics of running a campaign, big-data analytics, OSINT, targeting, research, and my crack at *legally* performing malvertizing. This look at an up-and-coming attack vector will show how ad-based malware is circumventing the thousands spent on security appliances geared towards standard email attacks, all while abusing the implied trust of social media to go after the real end point, “the user”.
3. Warning!
What I'm not:
A SME in Malware or Reverse Engineering
Part of a Cyber Crime ring performing this every day
What this is:
My take on Ad based malware
My journey on how I would execute it
Pure speculation of what's open source
What we will cover
Ad Based Malware
Touch of OSINT
My Campaign Methods and Failure
ALL DATA Collected using Open Source methods
4. Overview
Forming an attack based on Strategic Malvertising using targeting principles
What is Malvertising
What's Malvertising vs Strategic Malvertising
What makes this so important (What don't I already know?)
Potential methods it can be used to conduct social engineering
How to target specific, completely unknown individuals within a demographic group?
How effective it is and is it worth the resources required?
5. Current Malware Trends
Phishing still effective
Major increase in Ad Delivery - 350%
Secondary and Trusted C2 being used (Covert C2)
Duke / Cloud Duke Toolsets
Twitter / OneDrive / Cloud Storage
Web Exploit Kits from years ago still working
C2 is becoming difficult to detect
Out of Band Communications
Implied Trust (WE WILL COVER THIS)
Notable Cases :
APT 29: HAMMERTOSS
Flash Zero Day Ad Based
6. Talking money
Delivering malware to generate AD traffic
Text / HTML AD’s
Video AD’$
Delivering Ransomware
Crypto
Legit Business
Cost publishers more than $21.8 billion in 2015 in lost revenue
8. What is Malvertizing?
It is the use and abuse of ad services by attackers to deliver malicious content, using the ad service providers' vast audience network. They can leverage this legitimate function to distribute their malware.
Many forms of malware-based ad-ware attacks exist
Compromised Ad-Companies
Impersonation of legitimate companies
Malware being hosted in AD’s
Legitimate Targeted campaigns
9. Core Fundamentals
Major players
Google
Facebook*
Microsoft
Main Types of Delivery methods
Social media marketing
Sponsored search
Compensation methods
CPM (cost per mille)
CPE (cost per engagement)
CPC (cost per click)
CPV (cost per view)
10. Core Fundamentals Cont.
Ease of deployment (availability)
The targeting platform is already built
Benefits of Web Ads:
Cost – There is a reason why AD profits are in the Billions
Measurable – Powerful analytics and cross-platform support are built in
Targeted?
11. Big Data Analytics
Analytical engines at your fingertips
Broad – Zip code
Specific – Job title
Extremely Accurate
Most Ad-Delivery systems display potential reach
Target research methods
We give our data away for free..
12. Malvertizing in the Wild
AD injection:
Exploitation of routers and redirecting DNS
Attacker can simply redirect normal AD traffic queries and place their AD in play
This has been used to replace Google Analytics JS code and ADs
Passive Collection of AD data
Capabilities of Ad / Tracking
This data can be sold or used for other Intelligence Collection Campaigns
Canadian ISP was caught MITM in 2014 stealing data from HTTP AD traffic
13. Malvertizing in the Wild
Exploit within AD traffic:
Using obfuscated Flash exploits, attackers are able to launch exploits from legit ADs
Exploit AD Companies:
Campaign is put in motion after gaining access to the AD-serving organization
Redirects traffic to Exploit Kit
Drop Exploit Kit of choice: Angler etc.
Begins Click Fraud activity
14. Malvertizing in the Wild
AD Fraud Exploit Kits:
Increasing dramatically!
Poweliks: later versions sported an Ad-Clicking Component
Kovter:
Evolved from stand-alone to fully deployable with other exploit kits like Angler, Nuclear Pack
Allows for even Flash-based Video Ads to be played for high ROI
15. Blue Team / Defenders
So why should I care?
Online attack surface has greatly reduced
Phishing is still Hot!
Circumventing millions in security: email / Phishing
With that comes every vendor in the sector with:
Sandbox appliances
Content Filtering
Spam Filters
Delivery method is trusted:
Do you block Twitter / Facebook / Google?
Reputable sites?
AD Delivery / C2 Channel all on one platform
Good luck finding that
16. Systematic problem
Why it isn’t a Script Kiddy solution
Why it has to be funded..
It takes money to make money
ROI - It makes more money than put in?
Implied Trust of many Ad agencies and sites using their services
20. Calculating Reach
Reach is an important factor of targeting
Gives you a metric to calculate potential demographic
Need to judge an organization's size / Facility Activity / increases or presence?
Employees
Geographical location
Important concept for OSINT
Will I even have impact?
23. OSINT
Open Source Intelligence Collection
Applications
Used in many types of operations
Penetration Testing
Physical Assessments
Targeting
Levels:
Physical - Things we can touch and see
Logical - Things over the wire
Individual - Persona Layer / Exploiting the nature of Humans
24. Questions that Need to Be Asked
What time frame will be effective?
Work Hours:
After Hours:
What System will I be targeting to reach my target audience?
Mobile Platform:
We may even be able to target exact OS
Desktop OS
Laptop Users traveling?
May not be patched for a short period of time
29. Power of Big Data Targeting
Small Meta-Data that is data…
WIGLE
WIGLE + compromised Host = Potential Geographical location
Orientate an attacker
Can be done with so many methods…
Query registry for past locations
Ability to build a timeline (Forensic Capability)
Social-Mention
HONEY BADGER – Tim Tomes
30. Power of OSINT
ICWATCH:
https://transparencytoolkit.org
https://github.com/transparencytoolkit
32. Think Nation State?
“Hacking Team” - Beat a dead horse anyone?
De-anonymizing Location based on WLAN interface
Un-Cloaking physical Locations
33. Offensive Targeting
Imagine a world where you could deploy your malware only to people:
Making 100k+
Work for: “fill in agency here”?
More advanced campaigns being deployed?
Crime
Collection
Could support the IC effort of many countries
Getting into deep water..
35. Phishing
Very Common / Known Methodology
Very successful on engagements
This Same principle is how I created ADs
Changing surface / Constraint of phishing
Lack ability to pinpoint demographics
The days of dumping every user in the directory using ( * ) may be gone
Training increased / Trust has decreased in email
TONS OF APPLIANCES protecting email!
SPF Records / Correctly configured Mail servers verifying multiple fields of mail
36. Combined with a touch of SE
Same principles as Phishing
Move over
Trending Results using Facebook
Selecting SE topic
Using topic
37. That SEO thing
Another Great SE technique to get a campaign off the ground
Another important aspect to SE or Any Targeting.
You wouldn't launch a Phishing Campaign saying you're Marketing while coming from it-support.net
Using SEO Tools to build (BUY):
Instant Reputation
Instant Legitimacy
I attempted this but sadly during testing FB cracked down!
38. What this means
I can now target at a:
Physical Layer
Logical Layer
I can correlate targets using:
Demographics
Location
Jobs / workplace / salary etc.
40. Setup
Domain Name (Something Reliable)
VPS (Hosting) / Apache Vhosts / Static Content
Analytics (Google-Analytics)
Ad Campaign (Facebook)
$20 a campaign
A good idea to SE
41. SE AD Targets
Augusta, GA – Broad Target AD
Any one in 25mi Range
Augusta, GA – Targeted Demographic AD
Any one in 25mi Range
Employer Specific
Time Range
AD Types:
Web-Site clicks
Post Promotion
43. Building a Relevant Page
Targets: Augusta, GA
Target Demographic: Cyber / Location Based
44. Building AD #1 – Broad Target
Select Control:
How do I get them to take notice?
Tag-Line: Needed to be something Impactful
Deceiving: Had to be Believable but won't deliver 100% truth.
Enticing Image: Most important Aspect, everyone loves images
45. Build out Clone Site
Used Httrack for cloning of legit Data.. FB has to catch this!
46. Build out Config
Left these for testing their “Review”
Put in some Meta Tags for Picture Population
Removed all the original Google Tracking JS so we don't pop up under their account.
47. Ad #1
Videos are very successful marketing tools
Can be easy wins
48. AD #1 – Not so fast
They actually enforce some policies, I found out :/
54. AD #2 – Targeted Demographics
Selected Topic / Control:
Certain location “Fort Gordon”
Target:
How do I get them to take notice?
Tag-Line: Home Values “I may have some inside knowledge”
Hint: It's about what a ton of people talk about in this area.
Deceiving: Large Increase coming!
Target Details Matter for Accuracy:
Life Style
Devices / Platform
Work hours
56. Website?
Let's test that review process:
Submit a simple WordPress page with an embedded video. Then remove it for the duration of the test
Host a simple index.html with JS for GA
Questions that should be asked and how they relate to malware:
Will they detect this major change?
Can someone even report a shady link?
How long will it stay up?
65. Am I really Hitting my Target?
Geographically it's easy to say “YES”
Accurate GeoIP API services by Google
What about Demographic:
Harder to determine true accuracy
Service Providers can be a major Identifier if they use a certain ISP or have their own!
Page Interaction can be a HUGE identifier
Likes
Comments
66. Am I really Hitting my Target? (not set)
Found 95 sessions of 273 to be (not set) as the ISP…
Could this be proper filtering / Anonymization?
Take the time and verify your results
Also always resolve the domain name!
This data was reassuring that I was on the right track
67. Am I really Hitting my Target cont.
Facebook Likes / Comments:
Helps perform post analysis of the target audience
All 8x likes were affiliated with my target audience.
68. Putting it in Context
One guy with limited funds and some time
Conducted 2 Ad campaigns
Each campaign took 6 hours from OSINT to Delivery
Each campaign ran one week at $20 each
Campaign 1 had 143 engagements, 2k reach
Campaign 2 had 219 engagements, 3k reach
Calculation:
Well funded group with 10k budget for a campaign and 160 hours.
On avg $0.09 per unique engagement
Potential = 26 unique ADs, 111,111 Engagements, and 1.5M Reach!
I would consider this an extremely effective means of a targeted campaign.
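The projection on this slide carried through as an added example (not from the talk): it derives the per-campaign cost per engagement from the two campaigns as stated, then scales the stated $10k / 160-hour budget. Two assumptions are mine: the slide's ".09" is read as USD 0.09 (the figure that yields 111,111 engagements), and reach is assumed to scale with engagements at the ratio observed across the two campaigns.

```python
# Added example (not from the talk): sizes the threat from the slide's own
# campaign figures. The reach-per-engagement ratio is an assumption of mine.
OBSERVED = [              # (spend USD, engagements, reach) per one-week campaign
    (20.0, 143, 2_000),   # campaign 1, as stated on the slide
    (20.0, 219, 3_000),   # campaign 2, as stated on the slide
]
HOURS_PER_AD = 6          # OSINT to delivery per campaign, as stated on the slide

def cost_per_engagement(campaigns):
    """USD per engagement for each campaign, rounded to cents."""
    return [round(spend / eng, 2) for spend, eng, _ in campaigns]

def reach_per_engagement(campaigns):
    """Observed reach divided by observed engagements across all campaigns."""
    return sum(r for _, _, r in campaigns) / sum(e for _, e, _ in campaigns)

def project(budget, hours, cpe, rpe, hours_per_ad=HOURS_PER_AD):
    """Scale a budget (USD) and analyst hours to ads, engagements and reach."""
    ads = hours // hours_per_ad           # distinct ads the hours allow to be built
    engagements = int(budget / cpe)       # engagements the budget buys at cpe each
    return {"ads": ads, "engagements": engagements,
            "reach": int(engagements * rpe)}

# The slide's "well funded group": $10k, 160 hours, $0.09 per engagement.
SLIDE_PROJECTION = project(10_000, 160, 0.09, reach_per_engagement(OBSERVED))
```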
69. Major Findings
Review process is a joke:
Couldn't detect a clearly cloned website by static HTML source
The cloned website still had the complete favicon / logos / static source of the cloned website
Do they even scan for malware?
Continued monitoring
Set up a page and immediately removed it and replaced it with a simple index.html page with JS
Ran for one week and didn't raise one flag?
I can simply submit an ad and host malware 10 mins later?
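The static check the review process missed (slides 46 and 69: a cloned page that still loads the original site's favicon, logos and CSS), written as an added example of what an ad-review pipeline could run; it is not code from the talk or from any ad platform. The hostnames, the HTML and the UA tracking ID are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_ID_RE = re.compile(r"UA-\d{4,10}-\d{1,4}")  # classic Google Analytics property ID

class AssetCollector(HTMLParser):  # collects asset references and inline JS bodies
    def __init__(self):
        super().__init__()
        self.assets, self.inline_js, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.assets.append((a.get("rel") or "link", a["href"]))
        elif tag == "img" and a.get("src"):
            self.assets.append(("img", a["src"]))
        elif tag == "script" and a.get("src"):
            self.assets.append(("script", a["src"]))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)

def check_clone(html, served_from, cdn_allow=()):
    """Report assets loaded from another site plus any GA property IDs found.
    served_from: host the ad's landing URL resolves to; cdn_allow: CDN hosts."""
    p = AssetCollector()
    p.feed(html)
    foreign = [(kind, url) for kind, url in p.assets
               if urlparse(url).netloc not in ("", served_from, *cdn_allow)]
    ga_ids = sorted(set(GA_ID_RE.findall("\n".join(p.inline_js))))
    # Favicon, logo and CSS all fetched from one other host is the static
    # fingerprint of an Httrack-style clone that the talk says review missed;
    # a tracking ID belonging to another property would be a further giveaway.
    hosts = {urlparse(u).netloc for _, u in foreign}
    return {"foreign_assets": foreign, "ga_ids": ga_ids,
            "suspicious": len(hosts) == 1 and len(foreign) >= 2}

# Constructed sample: a landing page on clone-landing.test that still pulls
# its branding from original-site.test (hosts and the UA id are placeholders).
SAMPLE_HTML = """<html><head>
<link rel="icon" href="https://original-site.test/favicon.ico">
<link rel="stylesheet" href="https://original-site.test/css/site.css">
<script>ga('create', 'UA-12345-1', 'auto');</script>
</head><body><img src="https://original-site.test/img/logo.png"></body></html>"""
```

Run `check_clone(SAMPLE_HTML, "clone-landing.test")` to see the three foreign assets flagged; the same page checked against `"original-site.test"` is clean.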
70. Are Ad Agencies protecting us?
Google
Moving to Encrypted Ads June 30th
Only Protects against Ad injection at the network layer (Compromised Routers)
Facebook
RiskIQ - monitoring advertising pages to protect users from malicious ads
Interesting collegial research on detecting cloned pages
71. Getting the Most out of a Campaign: Tips
Proper recon is crucial
Proper SE campaign must be relevant to your target.
Holistic view of an ad:
How do I view ads as a user?
What do I click on and what do I not?
Videos / Posts / News
CPC Compensation
73. Twitter How I Hate you
Rule one: Don't buy bots and get caught in the Sec industry
@jaredcatkinson
74. Lessons Learned
Twitter is a news source, not so much a social source.
Although they have just as powerful analytic engines when it comes to AD delivery
Scary Easy to run a simple yet targeted campaign with relatively accurate results
• Big shout out to:
• @Slacker007 – keelyn roberts
• @Hashtagcyber – Matt Domko
Editor's notes
Question: What if I want to keep tabs on movements, increases and activity of a facility?
OSINT: Form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence
I want to target work resources? (9 to 5)
Remote / Home Users will be out of patch?