Malvertisers Create Unique ID for Every Victim

Malvertising keeps getting more sophisticated. One of the latest techniques to appear is fingerprinting: snippets of code injected directly into the ad banner probe the potential victim's computer before any malicious content is served.

Security researchers report that exploit kit operators are using this advanced “fingerprinting” to pre-select and pursue specific victims without any user interaction. The code quickly rules out non-viable targets such as honeypots set up by malware researchers to catch malware, or the systems that security companies use to validate ads.

With this technique, exploit kit operators no longer have to wait for victims to reach their pages; they can actively go after targets while avoiding detection by researchers and anti-malware companies. It is also very cheap: the ad impressions cost only 19 cents per 1,000 impressions (CPM).

A company states: “Malware authors no longer need to send users to an exploit kit web landing page to begin to identify victims’ software and vulnerabilities. They come to the victims in disguise, appearing as a legitimate advertiser on popular websites to pre-qualify or fingerprint a user before sending them to the exploit kit.”

Security experts report that hundreds of goo.gl URLs are currently in use in malicious fingerprinting redirections, alongside more than 100 fake advertiser domains and dozens of ad networks. Last year, about 42% of malvertising-related infections occurred in the USA.

In April 2014, a massive malvertising attack hit the adult website xHamster. It was one of the first attacks seen using the new technique: users were redirected to an Angler EK landing page, which ran fingerprint checks on their systems.

The more recent DoubleClick Open Referer campaign shows a more advanced fingerprinting effort: the code is hidden inside booby-trapped GIF images and encoded on the fly. It is currently encoded with a special key that is handed out only once per IP address, and embedded in a JavaScript sequence. At the same time, new fake advertiser domains are created on a regular basis, many of them abusing CloudFlare or Let’s Encrypt and using proxies for domain registration.
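Because the hidden code is re-encoded with a per-IP key, a scanner looking for known script fragments inside the image will see only opaque bytes. A structural check does not need the key: a GIF decoder stops rendering at the trailer byte 0x3B, and it ignores comment extensions (0x21 0xFE), so a banner that carries data in either place is carrying something the browser never draws. The following Node.js script is an added example, not code from the article or from the researchers it cites; it assumes the payload sits after the trailer or in a comment extension (the two places a renderer skips), and the 1x1 GIF bytes and the payload text are constructed for the demo.

```javascript
// Added example: structural inspection of a GIF ad creative for bytes that no
// renderer would draw. Sample GIF and payload below are constructed for the demo.

const GIF_TRAILER = 0x3b;
const EXTENSION = 0x21;
const IMAGE_DESCRIPTOR = 0x2c;
const COMMENT_LABEL = 0xfe;

// Walk the GIF block structure; return comment-extension contents and any
// bytes that follow the trailer (both invisible to the image decoder).
function inspectGif(bytes) {
  if (bytes.length < 13) throw new Error("too short to be a GIF");
  const sig = String.fromCharCode(...bytes.subarray(0, 6));
  if (sig !== "GIF87a" && sig !== "GIF89a") throw new Error("not a GIF");
  let pos = 6;

  // Logical screen descriptor: width(2) height(2) packed(1) bg(1) aspect(1).
  const lsdPacked = bytes[pos + 4];
  pos += 7;
  if (lsdPacked & 0x80) pos += 3 * (1 << ((lsdPacked & 0x07) + 1)); // global color table

  // Data sub-blocks: length-prefixed chunks ended by a zero-length block.
  const readSubBlocks = () => {
    const parts = [];
    for (;;) {
      if (pos >= bytes.length) throw new Error("truncated sub-blocks");
      const len = bytes[pos++];
      if (len === 0) break;
      parts.push(bytes.subarray(pos, pos + len));
      pos += len;
    }
    return concat(parts);
  };

  const comments = [];
  while (pos < bytes.length) {
    const marker = bytes[pos++];
    if (marker === GIF_TRAILER) return { comments, trailing: bytes.subarray(pos) };
    if (marker === EXTENSION) {
      const label = bytes[pos++];
      const data = readSubBlocks();
      if (label === COMMENT_LABEL) comments.push(data);
    } else if (marker === IMAGE_DESCRIPTOR) {
      // left(2) top(2) width(2) height(2) packed(1), optional local color
      // table, LZW minimum code size byte, then compressed pixel sub-blocks.
      const idPacked = bytes[pos + 8];
      pos += 9;
      if (idPacked & 0x80) pos += 3 * (1 << ((idPacked & 0x07) + 1));
      pos += 1;
      readSubBlocks();
    } else {
      throw new Error(`unexpected block marker 0x${marker.toString(16)} at ${pos - 1}`);
    }
  }
  throw new Error("no trailer: truncated GIF");
}

function concat(parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}

// Policy helper for an ad-validation pipeline: flag any non-rendered payload.
function hasHiddenPayload(bytes) {
  const { comments, trailing } = inspectGif(bytes);
  return trailing.length > 0 || comments.some((c) => c.length > 0);
}

// Constructed, valid 1x1 GIF89a with a Graphic Control Extension.
const CLEAN_GIF = Uint8Array.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,                         // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,                   // 1x1, 2-entry global color table
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,                         // black, white
  0x21, 0xf9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00,             // graphic control extension
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
  0x02, 0x02, 0x44, 0x01, 0x00,                               // LZW data for one pixel
  0x3b,                                                       // trailer
]);

// Constructed stand-in for an encoded script blob.
const PAYLOAD = "constructed-demo-payload";
const SUSPECT_GIF = concat([CLEAN_GIF, new TextEncoder().encode(PAYLOAD)]);

// Same payload tucked into a comment extension just before the trailer.
function withComment(gif, text) {
  const body = new TextEncoder().encode(text);
  if (body.length > 255) throw new Error("demo keeps the comment to one sub-block");
  const ext = concat([Uint8Array.from([EXTENSION, COMMENT_LABEL, body.length]), body, Uint8Array.from([0])]);
  return concat([gif.subarray(0, gif.length - 1), ext, Uint8Array.from([GIF_TRAILER])]);
}
const COMMENT_GIF = withComment(CLEAN_GIF, PAYLOAD);

for (const [name, gif] of [["clean", CLEAN_GIF], ["trailing", SUSPECT_GIF], ["comment", COMMENT_GIF]]) {
  console.log(name, hasHiddenPayload(gif) ? "FLAG: hidden payload" : "ok");
}
```

The check is deliberately format-level: it does not try to decode or recognise the payload, so the per-IP key and the changing encoding do not help the attacker evade it. A creative that fails it can be held for manual review regardless of what the bytes turn out to be.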

“This represents the next step in malvertising attacks, where bogus advertisers are analyzing potential victims and either showing a benign ad or an ad laced with malicious code that ultimately redirects to an exploit kit,” security experts concluded.
