Figure 15: Recreated lure page shown only to connections that successfully pass the verification checks on ktgotit[.]com
In this scenario, the "Free Download" link in Figure 15 led to a download of a malicious archive file named "Advanced_IP_Scanner_v.3.5.2.1.zip" (MD5: "5310d6b73d19592860e81e4e3a5459eb") from the URL "hxxps://britanniaeat[.]com/wp-includes/Advanced_IP_Scanner_v.3.5.2.1.zip".
Defending Against Advertising Attacks
Ad networks should aim to respond quickly to new abuse tactics. Once one threat actor knows an abuse technique, many others will soon know it too.
For enterprises, a simple and proactive measure is to raise the browser security settings that your environment uses by default for everyday browsing. Most modern browsers balance usability against security in the automated protections they enable by default (such as Google Safe Browsing). In many enterprise environments these settings can be raised above their defaults without a noticeable impact on the overall user experience.
For individual users, when clicking on ads or links in ads, double-check the website address (URL) of the destination to make sure it matches the company or product in the ad and does not contain typos. This is especially important on phones, where the URL bar may be hidden. In the example shown in Figure 13, the URL for the ad was "ktgotit[.]com" and the landing page content matched the domain shown in the ad (i.e., ktgotit). Yet the benign landing page showed dubiously formatted product details for loosely related products that all purported to be affiliated with different manufacturers, and the malicious page (protected by cloaking mechanisms) was served from a domain that did not match the one shown in the ad (Figure 13).
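The domain comparison described above can also be automated on a proxy or EDR click-chain log. The following is an added example, not code from the original post or from Mandiant; it refangs the defanged URLs quoted in this post, reduces each hop to its registrable domain (using a small, assumed suffix list rather than the full Public Suffix List), and flags hops that do not match the domain displayed in the ad, as well as archive downloads served from a mismatched host.

```python
import re
from urllib.parse import urlparse

# Constructed sample data: the ad domain and download URL quoted in this post.
AD_DOMAIN = "ktgotit[.]com"
DOWNLOAD_URL = "hxxps://britanniaeat[.]com/wp-includes/Advanced_IP_Scanner_v.3.5.2.1.zip"

# Assumption: a minimal multi-label suffix list; a real deployment would use the
# Public Suffix List so that "example.co.uk" is not collapsed to "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".msi", ".exe")


def refang(text: str) -> str:
    """Undo common defanging ('hxxp', '[.]') so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", text.replace("[.]", "."), flags=re.I)


def url_host(url: str) -> str:
    """Return the hostname of a (possibly defanged, possibly scheme-less) URL."""
    clean = refang(url)
    if "://" not in clean:
        clean = "http://" + clean
    return (urlparse(clean).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_click_chain(ad_domain: str, chain: list) -> dict:
    """Compare the domain shown in the ad with every hop of the click chain.

    Returns the hops that leave the advertised domain and, separately, any
    archive download served from such a hop, which is the pattern in this post.
    """
    shown = registrable_domain(url_host(ad_domain))
    offending, risky_downloads = [], []
    for url in chain:
        hop = registrable_domain(url_host(url))
        if hop != shown:
            offending.append(hop)
            if refang(url).lower().split("?")[0].endswith(ARCHIVE_EXTENSIONS):
                risky_downloads.append(refang(url))
    return {"shown": shown, "offending": offending, "risky_downloads": risky_downloads,
            "mismatch": bool(offending)}
```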
Google encourages users to report any ads they believe may violate its policies or harm users, so that Google can review them and take action as needed. This article contains more guidance on how to report ads.
In a digital world where every click leaves a trace, the line between marketing analytics tooling and malware campaign optimization has become dangerously blurred. As the capabilities of legitimate tooling increase, so too will the capabilities of threat actors who choose to use it for nefarious purposes. However, as the practical examples throughout this blog post have shown, by understanding how attackers use these tools and by proactively taking the steps described here to mitigate or eliminate their effects, defenders can mount a viable and impactful defense against them.
Special Acknowledgments
Adrian McCabe would like to thank Joseph Flattery for his subject matter expertise on digital marketing tools.
The authors would like to thank Mandiant Advanced Practices for their in-depth review of associated threat indicators.