Malvertising: Distributing Malice via Cross-Domain Script Inclusion

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware

Recently, malvertising (malicious advertising on the Internet) attack mechanism has been opted by the attackers to infect Equifax (https://www.forbes.com/sites/leemathews/2017/10/12/equifax-website-caught-serving-malicious-ads-to-visitors/#5dad5d2f19f8 ) and Transunion (https://arstechnica.com/information-technology/2017/10/equifax-rival-transunion-also-sends-site-visitors-to-malicious-pages/ )credit bureau websites.

In malvertisements, the malicious code is injected in the third-party libraries hosted on the Content Delivery Networks (CDNs) or any other third-party domain. A Content Delivery Network (CDN) is a third-party ad server that provides content to different domains across the web. CDNs are the preferred choice for attackers to spread malware by exploiting the CDN web servers — the attackers can simply let the servers assist in spreading the malware. Advertisements use Flash, Silverlight, pop-ups, Windows Media Player files and Javascript extensively. However, this is a grave concern because if a CDN server is exploited, the attacker can inject malicious code in the form of malvertisements and that code is widely distributed. There is a chain reaction because if a parent server is infected, the child nodes will automatically get infected, too. Corrupting a server that serves thousands of sites spreads the malvertisements broadly and often in a trusted manner.

Attack Flow

  • The attacker analyzes the scripts that are included in the target website from the third-party domain.
  • The attacker compromises the third-party domain, injects malicious code and then let the attack trigger.
  • When user opens the primary website in browser, the scripts are included from the cross domain injected with malicious content and served to the end-users.

Browser Exploit Packs (BEPs) infections have also been triggered using malvertisements. In this scenario, primary website has not control as it simply includes the script hosted on server that is not managed and operated by the primary website. This attack mode is used to distribute infections to a large number of users on the Internet.

As you can see, CDNs have the potential to be a big problem with respect to web malware.

In our earlier paper, Malvertising — Exploiting Web Advertising, we covered different malvertisements attack scenarios as listed below:

  • Malvertising with malicious widgets and redirection
  • Malvertising with hidden iframes
  • Malvertising with infected Content Delivery Networks (CDNs)
  • Malvertising through Malicious Banners

You can read our earlier paper published in Computer Fraud and Security (CFS)Journal here: http://secniche.org/released/NESE_Mal_AKS_RJE.pdf | https://scholars.opb.msu.edu/en/publications/malvertising-exploiting-web-advertising-4

Sood, A. K., & Enbody, R. J. (2011). Malvertising — Exploiting web advertising. Computer Fraud and Security, 2011(4), 11–16. DOI: 10.1016/S1361–3723(11)70041–0

http://www.sciencedirect.com/science/article/pii/S1361372311700410