The author: Yehonatan Wiesel
A passionate and enthusiastic research analyst with exemplary results in intelligence research, nominated for several honors during military service. Recognized consistently for performance excellence and contributions to the success of operational missions. Served in Intelligence Special Operations, with sound knowledge of research methodologies and of how to efficiently find and break down new pieces of information and present them to senior-ranking officials.
Malvertising: How Phishing Campaigns Use Malicious Ads
During 2022 and the first quarter of 2023, Cyberint observed an increasing trend of Threat Actors engaging in malvertising, that is, abusing paid advertisement space to distribute their phishing and malware campaigns. Malvertising increases their reach and their pool of potential victims because search engines display paid advertisements above the organic results.
This risk is less well known among the general public and therefore poses a higher threat: the advertisements land on the first page of search engine results, which users tend to trust.
The main challenge organizations face is detecting and mitigating these campaigns, given their persistence and evolving evasion tactics. Additionally, a takedown is not always successful if the hosting platform cannot itself observe the phishing content, which is the proof it needs to enforce its policies. This is exacerbated when the Threat Actor reuses the same advertisement account for future campaigns.
Cyberint detected several campaigns targeting various retail and financial organizations during the year. In this report, Cyberint reviews the malicious activity: the challenges it poses, its impact, and the evasion tactics most likely used.
Cyberint’s recommendations to counteract this growing trend include lookalike domain monitoring, educating employees and customers on the dangers, possible counter campaigns, and recommended takedown procedures.
Please note that in this report, Cyberint will use the following keywords interchangeably:
• “Threat Actors” = Criminals/Nefarious Actors/Bad Actors
• “Phishing Kits” = Archived files that host all the files needed to impersonate a targeted website.
• “Typo squatting” = A technique that deceives users with domain names containing common typing mistakes or other hard-to-spot variations of a legitimate domain name.
• “Lookalike domains” = Newly registered domains that are suspiciously similar to the company’s domain, usually employing ‘typo squatting’ or different top-level domains.
• “2FA” = Two Factor Authentication
Case Study: Malvertising on Bing
Cyberint initiated an investigation into a suspicious advertisement detected on Bing’s search engine whose ad text was identical to the company’s own listing in the search results. The advertisement was hosted on previously detected lookalike domains which, at the time of detection, did not host any malicious content.
Cyberint discovered that the lookalike domains hosted a blogging website and a hidden phishing page. The page was distributed via malvertising and had reached the top of search engine results. The campaign’s infrastructure was hosted on a single malicious Russian IP and implemented various evasion tactics to limit detection and analysis.
Interestingly, not all users who clicked the advertisement URL reached the phishing page; those who did not were redirected to a supposedly ‘innocent’ blogging website hosted on the lookalike domains. Several organizations experienced a similar malicious advertising campaign, and the evasion tactics used limited initial analysis. Moreover, the malicious advertisements were persistent: with every domain taken down, they were pointed at a new domain.
Threat Actor’s Malvertising Tactics
The Threat Actors prepared well in advance by hijacking various vulnerable domains and subdomains two weeks before the campaign was initiated. The Threat Actor also registered several lookalike domains targeting the company through ‘typo squatting’ and rerouted all the domains to a single Russian C&C server, which hosted the phishing kit. In total, more than 250 domains were attributed to the campaign, including 10 lookalike ‘typo squatting’ domains.
With the preparation done and the phishing kit uploaded to the C&C server, the Threat Actor launched the impersonating advertisement pointing at the ‘typo squatted’ domains. Only users matching the advertisement’s marketing criteria were shown the advertisement and, on clicking it, the phishing page; everyone else was met with what seemed to be an ‘innocent’ blogging website.
Malvertising Evasion Tactics
Researchers outside the targeted region, even when using various VPN services to reach the phishing page indirectly (through the advertisement’s redirection URL), were still redirected to the blogging website because of the evasion tactics in place. As a result, when the domains were reported to the relevant hosting and advertising platforms, those platforms could not necessarily observe the phishing content themselves, which is the proof they require to proceed with a takedown.
Cyberint was able to discern the possible evasion techniques that were put in place to limit detection and analysis. These evasion tactics also hinder a platform owner from confirming if a website is in fact hosting phishing content if it’s not directly detectable on their end.
Common Malvertising Evasion Tactics
1. Personalized Advertisement Marketing
Threat Actors utilize various advertisement services, such as Google Ads, Bing Ads, Facebook Ads, etc., to target specific victims.
As ad campaigns can be targeted on user attributes such as browsing history, third-party cookies, and more, Threat Actors can narrow their campaign’s scope and redirect only the intended victims to their phishing pages. This also limits analysis and detection by anyone who does not meet the marketing criteria.
2. Geolocation-based filtering
This technique determines the user’s location via IP geolocation, Wi-Fi network, browser-based geolocation APIs, and GPS data. Once the user location is defined, Threat Actors filter which users should be targeted and which to ignore or redirect to other content.
This is a common technique and in most cases the first step in a chain of evasion tactics. Its implementation varies, and geolocation-based filtering is typically combined with the techniques shown below.
3. Generating Redundant File Directories & Hiding Phishing Content
In sophisticated phishing websites and phishing kits, Threat Actors implement decoy files and redundant files on their website directories to limit initial detection and analysis. In some cases, Threat Actors also hide their phishing page in one of the website directories while their homepage hosts ‘innocent’ content.
As a result, the chances of a successful takedown of the lookalike ‘typo squatting’ domain are reduced for as long as the hosting platform cannot observe proof of brand abuse or phishing content. In that situation the remaining route for a lookalike domain is usually a UDRP complaint (ICANN’s Uniform Domain-Name Dispute-Resolution Policy), a trademark-based procedure that can result in the domain being transferred to the brand owner or cancelled, rather than an abuse takedown.
4. Behavioral Analysis
While behavioral analysis is typically used by defenders to detect suspicious or malicious activity, Threat Actors use the same approach to detect behavior that does not match a typical victim, such as the crawlers used by phishing-detection services, and withhold the phishing content from it.
Furthermore, the behavioral analysis can also include browsing patterns, language preferences, time zone settings, or other user behaviors that may well reveal a user’s true location.
5. Browser Fingerprinting
Browser fingerprinting collects the user’s browser and device attributes, including plugins, fonts, screen resolution, and more, which together can identify and track the user. A fingerprint is difficult to mask with a VPN, and sophisticated Threat Actors use the same techniques that advertisers and analytics platforms use to identify the underlying user and thereby limit analysis.
6. User Agent Filtering
This technique involves analyzing the user-agent string sent by the browser to determine the device, browser, and operating system being used. In most cases, user-agent filtering is combined with other filtering techniques, such as geolocation-based filtering, behavioral analysis, and browser fingerprinting. Any discrepancy between these signals (for example, a request from the target region that sends a different language preference) can be used by Threat Actors to withhold the phishing content and thereby limit detection and analysis.
Although spoofing the user-agent string and routing through a VPN exit in the target region can satisfy those two checks, other browsing habits or configuration aspects, such as language and time-zone settings, might still reveal the analyst’s true location.
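The filter chain described in the six tactics above can be tested systematically rather than by trial and error. The following script is an added example and not Cyberint’s tooling: `cloaked_server` is a constructed model of a campaign server that returns the phishing form only to a request passing the geolocation, user-agent, Accept-Language and time-zone checks and the decoy blog to everyone else, and `probe_filters` varies one request attribute at a time from a victim-like baseline to learn which checks are enforced. The IP ranges, country codes and target profile are assumptions for the demonstration; to probe a live URL you would replace `cloaked_server` with real requests, one per egress IP.

```python
"""Cloaking probe for a suspected malvertising landing page (added example)."""
import dataclasses
import ipaddress

# Constructed IP-to-country table standing in for a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "IL",  # assumed target market
    ipaddress.ip_network("203.0.113.0/24"): "US",   # analyst workstation
    ipaddress.ip_network("192.0.2.0/24"): "NL",     # scanner range
}
CRAWLER_MARKERS = ("bot", "crawler", "spider", "curl", "python-requests", "headless")


@dataclasses.dataclass(frozen=True)
class Request:
    ip: str
    user_agent: str
    accept_language: str
    timezone: str  # as a fingerprinting script in the page would report it


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def cloaked_server(req, target_cc="IL", target_lang="he", target_tz="Asia/Jerusalem"):
    """Constructed model of the campaign's filter chain. Returns (kind, body)."""
    decoy = ("decoy", "<h1>My travel blog</h1>")
    if any(m in req.user_agent.lower() for m in CRAWLER_MARKERS):
        return decoy                                  # user-agent filtering
    if country_of(req.ip) != target_cc:
        return decoy                                  # geolocation filtering
    if not req.accept_language.lower().startswith(target_lang):
        return decoy                                  # language preference check
    if req.timezone != target_tz:
        return decoy                                  # time-zone / fingerprint mismatch
    return "phish", "<form action='/login'><input name='user'><input name='pass'></form>"


def probe_filters(server, baseline, variants):
    """Vary one attribute at a time from the baseline and return the kind the
    baseline received plus the set of attributes whose change alone flips it."""
    base_kind, _ = server(baseline)
    triggers = set()
    for attr, value in variants.items():
        kind, _ = server(dataclasses.replace(baseline, **{attr: value}))
        if kind != base_kind:
            triggers.add(attr)
    return base_kind, triggers


CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/112.0 Safari/537.36"
VICTIM = Request("198.51.100.23", CHROME_UA, "he-IL,he;q=0.9", "Asia/Jerusalem")
# Analyst on a VPN exit inside the target country but with a US browser profile.
VPN_ANALYST = Request("198.51.100.77", CHROME_UA, "en-US,en;q=0.9", "America/New_York")
SCANNER = Request("192.0.2.10", "python-requests/2.31", "en-US", "UTC")
VARIANTS = {  # one non-victim value per attribute
    "ip": "203.0.113.5",
    "user_agent": "python-requests/2.31",
    "accept_language": "en-US,en;q=0.9",
    "timezone": "America/New_York",
}

if __name__ == "__main__":
    for name, r in (("victim", VICTIM), ("vpn analyst", VPN_ANALYST), ("scanner", SCANNER)):
        print(f"{name:12} -> {cloaked_server(r)[0]}")
    print("filters in place:", probe_filters(cloaked_server, VICTIM, VARIANTS))
```

Run from the victim-like baseline, the probe reports all four attributes as triggers, which tells the analyst exactly which headers and fingerprint values a takedown reviewer must reproduce to see the phishing content. Run from the VPN-only profile it reports nothing, because that profile already fails two checks (language and time zone) and no single change can fix both; an empty trigger set is therefore a sign that the baseline itself needs adjusting, not that the page is clean.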
Revealing Malvertising Phishing Infrastructure
Even with the evasion tactics in place, Cyberint was able to discover the phishing interface by brute-forcing the hidden directory path on the hosting server. In the process, we mapped the phishing infrastructure and the Threat Actor’s modus operandi, which concluded with a successful takedown of the advertisement and the phishing campaign.
The instant users entered their usernames and passwords on the phishing page, the credentials were posted to the Threat Actor’s Telegram channel and the victims were redirected to a fake 2FA interface.
The Threat Actor then initiated a login on the genuine company website with the harvested credentials, which caused the victim to receive an authentic one-time password. If the victim entered that one-time password in the fake interface, it too was transmitted to the Telegram channel and the Threat Actor was granted access to the account. Because the code is relayed in real time, a one-time-password second factor on its own does not stop this kit.
How to Combat Malvertising (Malicious Advertisements)
Some Threat Actors go to great lengths to build phishing infrastructure that can harvest from and target a larger audience. Even when the underlying infrastructure is taken down, the Threat Actor often reuses the same advertisement account to relaunch the same campaign pointing at hundreds of other standby domains. This leads to a persistent phishing campaign that is a challenge to deal with if domain takedowns are the only mitigation vector.
While advertisement platforms continuously have to improve their detection and mitigation procedures to catch abuse on their platforms, it’s important to go through the possible procedures that companies can also employ to combat this trend.
Recommendations to Combat Malvertising
1. Lookalike Domain Monitoring
Threat Actors usually register several ‘typo squatting’ domains to fool potential victims through their resemblance to the company domain. Several newly registered lookalike domains resolving to one IP address, especially one with a negative reputation, can point to an upcoming phishing campaign, possibly with a malvertising component. Lookalike domains do not initially host malicious content and are therefore not eligible for a direct abuse takedown request; companies can still file a UDRP complaint (ICANN’s Uniform Domain-Name Dispute-Resolution Policy) to have an infringing domain transferred to them or cancelled.
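The monitoring described above can be automated: generate the lookalike variants of the brand domain, match them against a feed of newly registered domains, and group the hits by the IP they resolve to so that several lookalikes parked on one server stand out. The script below is an added example, not Cyberint’s product; the brand `examplebank.com`, the registration feed and the passive-DNS resolutions are constructed sample data, and in practice the feed would come from certificate-transparency logs or zone files and the resolutions from a passive DNS source.

```python
"""Lookalike-domain monitoring for a brand domain (added example)."""
from collections import defaultdict

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
TLDS = ("com", "net", "org", "co", "shop", "online", "site", "info")
KEYWORDS = ("login", "secure", "account", "support")


def typosquat_candidates(domain):
    """Lookalikes of `domain` (assumed to be label.tld; multi-part TLDs are not handled)."""
    label, _, _ = domain.partition(".")
    labels = {label}  # the bare label is kept so that TLD swaps are generated too
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                          # omission
        labels.add(label[:i + 1] + label[i] + label[i + 1:])           # repetition
        if label[i] in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])  # homoglyph
        if i < len(label) - 1:
            labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        if i > 0:
            labels.add(label[:i] + "-" + label[i:])                    # hyphenation
    for kw in KEYWORDS:
        labels.add(f"{label}-{kw}")                                    # keyword stuffing
        labels.add(f"{kw}-{label}")
    candidates = {f"{lbl}.{tld}" for lbl in labels for tld in TLDS}
    candidates.discard(domain)
    return candidates


def find_lookalikes(brand_domain, registration_feed):
    """Domains in the feed that are lookalikes of the brand domain."""
    candidates = typosquat_candidates(brand_domain)
    return {d.lower() for d in registration_feed if d.lower() in candidates}


def cluster_by_ip(domains, passive_dns):
    """Group domains by the IP they resolve to; unresolved domains are skipped."""
    clusters = defaultdict(list)
    for d in sorted(domains):
        ip = passive_dns.get(d)
        if ip:
            clusters[ip].append(d)
    return dict(clusters)


def flag_campaign_clusters(clusters, min_size=3):
    """IPs hosting at least `min_size` lookalikes: likely staged campaign infrastructure."""
    return {ip for ip, ds in clusters.items() if len(ds) >= min_size}


# Constructed sample: one day of a newly-registered-domains feed.
NEW_REGISTRATIONS = [
    "examp1ebank.com",        # homoglyph l -> 1
    "exmaplebank.com",        # transposition
    "examplebankk.com",       # repetition
    "examplebank-login.com",  # keyword stuffing
    "examplebank.shop",       # TLD swap
    "flowers-delivery.com",   # unrelated
    "bankexample.net",        # unrelated
]
# Constructed passive-DNS snapshot for the same day.
PASSIVE_DNS = {
    "examp1ebank.com": "198.51.100.45",
    "exmaplebank.com": "198.51.100.45",
    "examplebankk.com": "198.51.100.45",
    "examplebank-login.com": "198.51.100.45",
    "examplebank.shop": "203.0.113.9",
    "flowers-delivery.com": "203.0.113.77",
}

if __name__ == "__main__":
    hits = find_lookalikes("examplebank.com", NEW_REGISTRATIONS)
    clusters = cluster_by_ip(hits, PASSIVE_DNS)
    for ip, ds in clusters.items():
        print(ip, ds)
    print("likely campaign hosts:", flag_campaign_clusters(clusters))
```

Four of the five hits share one IP, which is the pattern the text describes: registered domains with no content yet, staged on a single server ahead of the campaign. Feeding that IP into the same passive-DNS source will usually surface the hijacked domains and subdomains that are not lookalikes at all and would otherwise be missed.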
2. Employee & Customer Education
Cyberint recommends educating employees and customers about the dangers of accessing potentially malicious advertisements. It’s recommended to always check the domain and verify that the advertisements redirect to the intended domain.
3. Consider Competing with Malicious Advertisements
Threat Actors mostly rely on reputable advertisement accounts, which are considerably expensive, or on various business-logic bypass techniques to abuse advertising accounts. Companies have an overall advantage in general reach and SEO (search engine optimization). This means that companies can initiate their own campaign promoting their website, out-competing the Threat Actor’s advertisement campaign in the process. As a result, customers and employees are much less likely to click on a malicious advertisement if it is not among the top search results.
4. Report the Associated Advertisement Account
If malvertising is detected, it’s important to report the advertisement URL or its account directly. Threat Actors can have hundreds of domains ready in case one of their domains fails or is taken down. By reporting the advertisement URL directly to the relevant platform, the associated account can be banned, therefore limiting the Threat Actor’s reach and persistence. According to discussions on various darknet forums, obtaining an operational malicious advertising account is also harder than building the initial phishing infrastructure, which makes the account the more valuable target for reporting.
Cyberint can assist with the takedown procedure if a campaign is detected, get in touch with our team today.