Malvertising Attack Matrix

A project by

Confiant

C:\>Terms of Service
D:\>Privacy Policy

  • LinkedIn
  • Medium
  • Twitter
  • Reddit

Detailing threat actors through Malvertising Activity

Our security team is constantly profiling the threat actors using different techniques and tactics to exploit and scam users via digital ads.

The Malvertising Attack Matrix is a way to communicate actionable threat intelligence to entities that are outside of the ad tech world and give them real, credible information on threats to their digital security.

Zirconium

  1. Initial Access
    1. [C101]
    2. [C103]
  2. Execution
    1. [C203]
    2. [C204]
    3. [C205]
  3. Persistence
    1. [C307]
  4. Browser Exploitation
    1. [C403]
  5. Cloaking
    1. [C601]
    2. [C602]
    3. [C603]
    4. [C605]
    5. [C606]
    6. [C607]
    7. [C608]
    8. [C609]
    9. [C611]
    10. [C612]
    11. [C613]
    12. [C614]
  6. Defense Evasion
    1. [C701]
    2. [C703]
    3. [C704]
    4. [C705]
    5. [C707]
    6. [C708]
    7. [C710]
    8. [C715]
  7. Landing Page
    1. [C805]
    2. [C808]
    3. [C810]
    4. [C811]
    5. [C812]
  8. Impact
    1. [C903]
    2. [C904]

eGobbler

  1. Initial Access
    1. [C101]
    2. [C103]
  2. Execution
    1. [C204]
  3. Persistence
    1. [C302]
    2. [C307]
  4. Browser Exploitation
    1. [C401]
    2. [C403]
    3. [C404]
  5. Cloaking
    1. [C601]
    2. [C602]
    3. [C603]
    4. [C604]
    5. [C606]
    6. [C607]
    7. [C609]
    8. [C612]
    9. [C613]
  6. Defense Evasion
    1. [C701]
    2. [C702]
    3. [C704]
    4. [C710]
    5. [C711]
  7. Landing Page
    1. [C801]
    2. [C802]
    3. [C804]
    4. [C809]
  8. Impact
    1. [C903]
    2. [C904]

ScamClub

  1. Threat Actor Profile
  2. Initial Access
    1. [C101]
    2. [C103]
  3. Execution
    1. [C204]
  4. Persistence
    1. [C301]
  5. Browser Exploitation
    1. [C403]
  6. Cloaking
    1. [C601]
    2. [C602]
    3. [C603]
    4. [C604]
    5. [C606]
    6. [C609]
    7. [C612]
    8. [C615]
  7. Defense Evasion
    1. [C701]
    2. [C703]
    3. [C704]
    4. [C705]
    5. [C715]
    6. [C717]
    7. [C718]
  8. Landing Page
    1. [C801]
    2. [C802]
    3. [C811]
    4. [C820]
  9. Impact
    1. [C904]

DCCBoost

  1. Initial Access
    1. [C103]
  2. Execution
    1. [C204]
    2. [C207]
  3. Browser Exploitation
    1. [C403]
  4. Cloaking
    1. [C601]
    2. [C602]
    3. [C606]
    4. [C607]
    5. [C611]
    6. [C612]
  5. Defense Evasion
    1. [C701]
    2. [C703]
    3. [C704]
    4. [C708]
    5. [C710]
    6. [C715]
  6. Landing Page
    1. [C801]
    2. [C811]
  7. Impact
    1. [C904]

Tag Barnakle

  1. Initial Access
    1. [C105]
  2. Execution
    1. [C204]
  3. Persistence
    1. [C306]
  4. Cloaking
    1. [C601]
    2. [C602]
    3. [C612]
  5. Defense Evasion
    1. [C701]
    2. [C703]
    3. [C704]
    4. [C716]
  6. Landing Page
    1. [C801]
    2. [C804]
    3. [C807]
    4. [C809]
    5. [C811]
    6. [C812]
  7. Impact
    1. [C903]
    2. [C904]

Yosec

  1. Initial Access
    1. [C101]
    2. [C103]
  2. Execution
    1. [C204]
  3. Persistence
    1. [C307]
  4. Browser Exploitation
    1. [C403]
  5. Cloaking
    1. [C603]
    2. [C604]
    3. [C605]
    4. [C606]
    5. [C607]
    6. [C612]
  6. Defense Evasion
    1. [C704]
    2. [C705]
  7. Landing Page
    1. [C804]
    2. [C809]
    3. [C810]
  8. Impact
    1. [C903]
    2. [C904]

FizzCore

  1. Initial Access
    1. [C102]
    2. [C103]
  2. Execution
    1. [C203]
  3. Cloaking
    1. [C602]
    2. [C603]
    3. [C604]
    4. [C609]
    5. [C610]
  4. Defense Evasion
    1. [C707]
    2. [C709]
  5. Landing Page
    1. [C812]
  6. Impact
    1. [C904]

MutantBedrog

  1. Initial Access
    1. [C101]
  2. Execution
    1. [C203]
    2. [C204]
  3. Persistence
    1. [C307]
  4. Cloaking
    1. [C601]
    2. [C602]
    3. [C603]
    4. [C606]
    5. [C607]
    6. [C612]
    7. [C615]
  5. Defense Evasion
    1. [C701]
    2. [C703]
    3. [C704]
    4. [C705]
    5. [C707]
    6. [C708]
    7. [C715]
    8. [C717]
  6. Landing Page
    1. [C811]
  7. Impact
    1. [C904]

Initial Access

  1. [C101] Fake Advertising Agency
  2. [C102] Websites Targeting
  3. [C103] Fake ad creative
  4. [C104] Misconfigured Cloud Storage Buckets
  5. [C105] Application Vulnerability
  6. [C106] Browser Notifications
  7. [C107] Calendar injection
  8. [C108] Search engine ads

Execution

  1. [C201] JScript tag Injection
  2. [C202] WebAssembly injection
  3. [C203] HTML DOM modification
  4. [C204] Forceful redirects
  5. [C205] PDF redirect
  6. [C206] Click Jacking
  7. [C207] Web Socket

Persistence

  1. [C301] Cloud Storage - Bucket
  2. [C302] CDN reverse proxies
  3. [C303] Browser Extension
  4. [C304] Browser Notifications
  5. [C305] BackEnd as A Service
  6. [C306] Compromised websites
  7. [C307] Fake Advertising Agency

Browser Exploitation

  1. [C401] By-pass Popup Blocker
  2. [C402] Same Origin Policy Bypass
  3. [C403] Iframe Sandboxing bypass
  4. [C404] Logic flaw

Credential Access

  1. [C501] Cookie stealing
  2. [C503] Access Tokens theft
  3. [C504] MSISDN harversting

Cloaking

  1. [C601] WebGL
  2. [C602] User-Agent Fingerprinting
  3. [C603] GeoIP check
  4. [C604] IP Targeting
  5. [C605] Passsive TCP/IP Fingerprinting
  6. [C606] OS Fingerprinting
  7. [C607] HTTP Fingerprinting
  8. [C608] TLS Fingerprinting
  9. [C609] Fake AD creatives
  10. [C610] Fake Landing Pages
  11. [C611] Hardware Concurrency
  12. [C612] Browser Objects
  13. [C613] Time-based
  14. [C614] Abuse third party bot & proxy detection
  15. [C615] Plugin Detection

Defense Evasion

  1. [C701] Code obfuscation
  2. [C702] CDN usage
  3. [C703] Anti-Devtools
  4. [C704] String concatenation
  5. [C705] Dom Traversal
  6. [C706] Standard Library Hijacking
  7. [C707] Reputable Ad servers
  8. [C708] Steganography
  9. [C709] Copycat Sites
  10. [C710] Fake HTML5 Creative
  11. [C711] Domain typosquatting
  12. [C712] Homoglyph
  13. [C713] Zero width space chars
  14. [C714] OCR Disruption
  15. [C715] Security Vendor Detection
  16. [C716] Mutex
  17. [C717] Automated Framework Detection
  18. [C718] Anti-replay

Landing Page

  1. [C801] Gift Card Scam
  2. [C802] Carrier Branded Scams
  3. [C803] Crypto Mining
  4. [C804] Drive-by Downloads
  5. [C805] Exploit KIT
  6. [C806] Browser Locker
  7. [C807] Browser Extension
  8. [C808] Cryptocurrency Scam
  9. [C809] Fake Software Updates
  10. [C810] Tech Support Scam
  11. [C811] Giveaway scam
  12. [C812] Investment Scam
  13. [C813] Web3 seed phrase phishing
  14. [C814] Web3 phishing
  15. [C815] Web3 giveaway scam
  16. [C816] Fake iOS provisioning
  17. [C817] Fake cryptocurrency exchange
  18. [C818] Web3 Fake ICO
  19. [C819] Web3 Fake Mint
  20. [C820] Scareware

Impact

  1. [C901] Credential Theft
  2. [C902] Denial of Service
  3. [C903] Resource Hijacking
  4. [C904] Financial Loss

Filter by Threat Actors

[C100] Initial Access [C200] Execution [C300] Persistence [C400] Browser Exploitation [C500] Credential Access [C600] Cloaking [C700] Defense Evasion [C800] Landing Page [C900] Impact
[C101] Fake Advertising Agency

Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs).

More information

 [C201] JScript tag Injection

Specific to Internet Explorer legacy jscript.dll Javascript can be injected via script tag with language="Jscript.Encode" attribute set.

More information

 [C301] Cloud Storage - Bucket

Buckets are cloud containers that stores user data. Often used to store and protect any amount of data for websites, mobiles apps for backup and restore.

More information

 [C401] By-pass Popup Blocker

Popup Blocker bypass are browser exploits that circumvent the browser's built in pop-up protection.

More information

 [C501] Cookie stealing

Cookie stealing is the ability for malvertisers to steal and use cookies from previously compromised hosts, for further exploitation attempts directly related to malvertising without needing user credentials.

More information

 [C601] WebGL

WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics cards and their performance are highly variable and produce outputs that are in an entropy sweet spot.

More information

 [C701] Code obfuscation

Code Obfuscation applies to a broad category of techniques and tactics that are employed by attackers in order to make their code hard to read by human analysts.

More information

 [C801] Gift Card Scam

Gift Card Scams are landing pages that tell the victim they have won an e-commerce gift card, usually to a major retailer.

More information

 [C901] Credential Theft

Credential Theft includes exfiltration of logins to third party services including but not limited to email providers, CRMs, banking, or any devices and/or services that might be found on a corporate intranet.

More information
[C102] Websites Targeting

Malvertisers may target specifically one or more websites based on their reputation, amount of traffic, or category.

More information

 [C202] WebAssembly injection

Malvertisers relies on WASM by introducing it into the execution of a page, ad creative, or other resource when it has no place in the legitimate execution of the application or ad.

More information

 [C302] CDN reverse proxies

A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers.

More information

 [C402] Same Origin Policy Bypass

CORS is a set of HTTP Header based security controls that allow developers to specify certain exemptions to the Same-Origin-Policy which is enforced by web browsers.

More information

 [C502] Access Tokens theft

Access Token theft is the ability for malvertisers to steal and use access tokens to access different resources provided by a web site.

More information

 [C602] User-Agent Fingerprinting

User-Agent Fingerprinting is a client-side check by which adversaries determine Browser types and version they might potentially be attacking.

More information

 [C702] CDN usage

CDN usage is the practice of using reputable domains in order to conceal a threat, usually by operating under a subdomain of a legitimate website or a reputable CDN provider.

More information

 [C802] Carrier Branded Scams

Carrier Branded Scams are landing pages where the victim is presented with a fake message from their local ISP.

More information

 [C902] Denial of Service

Denial of Service or DOS is a category of techniques for making software or devices temporarily or permanently un-usable.

More information
[C103] Fake ad creative

Fake ad creative are display advertisements that are typically shown in standalone slots on websites and mobile apps, it is a great entry point for malvertisers.

More information

 [C203] HTML DOM modification

DOM modification is the act of manipulating the DOM in an ad or on a website as part of the malware execution.

More information

 [C303] Browser Extension

Malicious Browser extensions help attackers to achieve persistence on victim devices by enabling them to sit as a component that has access and visibility into the entirety of the browser's stack.

More information

 [C403] Iframe Sandboxing bypass

Iframe Sandbox bypass are exploits that circumvent iframe sandbox attribute parameters, typically the "allow-top-navigation-by-user-activation" parameter.

More information

 [C503] MSISDN harversting

The Mobile Station International Subscriber Directory Number (MSISDN) is an international mobile phone identifier.

More information

 [C603] GeoIP check

GeoIP is commonly used as a server-side check consisting of determining the geographical location of a potential target based of the IP address.

More information

 [C703] Anti-Devtools

Anti-Devtools techniques are employed by attackers in order to disrupt the debugging process of the malicious code when browser dev tools are detected.

More information

 [C803] Crypto Mining

Crypto Mining is a CPU intensive process for mining cryptocurrency.

More information

 [C903] Resource Hijacking

The traditional malware model considers Resource Hijacking to encompass any techniques that leverage access to victim's hardware or infrastructure in a disruptive way.

More information
[C104] Misconfigured Cloud Storage Buckets

Buckets are cloud containers that stores user data. Often used to store and protect any amount of data for websites, mobiles apps for backup and restore.

More information

 [C204] Forceful Redirects

Forceful redirects are the technique by which malvertisers redirect victims to a malicious landing page through no action of their own.

More information

 [C304] Browser Notifications

Browser Notifications and Push Notifications in particular are used by apps to send notices to subscribed users.

More information

 [C404] Logic flaw

Logic flaws are bugs that exploitable due to application or business logic failures in businesses or applications.

More information

 [C604] IP Targeting

IP targeting is a more fine-grained check than GeoIP check, consisting of determining if targets are using their home, datacenter, Enterprise, or 4G mobile connection.

More information

 [C704] String Concatenation

String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings will be difficult to search for during static analysis.

More information

 [C804] Drive-by Downloads

A drive-by download attack refers to the unintentional download of malicious code in the form of malware, or PUP/PUAs with or without user interaction.

More information

 [C904] Financial Loss

Financial Loss encompasses any attack whose impact results in lost money from the victim targeted by malvertisers.

More information
[C105] Application Vulnerability

Application Vulnerability is a technique that consist of the direct exploitation of a web application, specifically Advertising servers.

More information

 [C205] PDF Redirect

PDF redirect is a redirect technique that utilizes a malicious PDF document which will redirect the victim to the attacker's URL when the document is opened in the browser.

More information

 [C305] BackEnd as A Service

Backend as a Service, for example Firebase allows developers to create embeddable scripts and web applications that are hosted on google infrastructure.

More information

 [C605] Passsive TCP/IP Fingerprinting

Passsive TCP/IP Fingerprinting is a server side technique used by Malvertisers consisting of passively sniffing the network and classifying targets hosts based on the observed traffic.

More information

 [C705] Dom Traversal

The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents.

More information

 [C805] Exploit KIT

Exploit Kits are malicious web servers automatically chaining browser exploit in order to compromise victim hosts with a malware.

More information
[C106] Browser Notifications

Browsers notification API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background.

More information

 [C206] Click Jacking

Click jacking is a technique used by malvertisers in order to hijack the click action of a user to get them to click on an invisible element that is controlled by the attacker.

More information

 [C306] Compromised websites

Compromised websites can be used to host malicious javascript code, that will be executed during malveritising redirect chains.

More information

 [C606] OS Fingerprinting

OS Fingerprinting is a check used to accurately determine the Operating system and its version of a target user.

More information

 [C706] Standard Library Hijacking

Library Hijacking can take on many forms as either an attacker vector or a concealment technique.

More information

 [C806] Browser Locker

Browser locker is a set of techniques used by malvertisers consisting of "freezing" the browser, in full-screen, and showing a warning message asking the victim either to pay a fine, or to call a tech support number in order to unfreeze the browser.

More information
[C107] Calendar Injection

Calendar Injection is a technique where fake calendar invites are sent to victims in order to trigger certain actions.

More information

 [C207] Web Socket

The WebSocket protocol, described in the specification RFC 6455 provides a way to exchange data between browser and server via a persistent connection.

More information

 [C307] Fake Advertising Agency

Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs).

More information

 [C607] HTTP Fingerprinting

HTTP Fingerprinting is a server side technique which consist of checking the HTTP protocol headers.

More information

 [C707] Reputable Ad servers

Reputable Ad Servers encompass any ad serving platforms whose ad serving domains are "house hold names" in the Ad Tech industry.

More information

 [C807] Browser Extension

Browser Extensions are software add-ons that extend web browser capabilities.

More information
[C108] Search Engine Ads

Search engine advertising allows Malvertisters to directly display paid ads among the search results on various search engines.

More information

 [C608] TLS Fingerprinting

TLS Fingerprinting a technique used by Malvertisers at the server-side of the TLS-connection.

More information

 [C708] Steganography

Steganography is the practice of concealing data inside files - typically images or binaries.

More information

 [C808] Cryptocurrency Scam

Bitcoin Scam landing pages usually present outlandish investment opportunities that are backed by fake celebrity endorsements.

More information
[C609] Fake AD creatives

Fake AD creatives are copy/pasted legitimate AD creatives that are used by malvertisers as a pretext for them to appear legitimate in the eyes of ad platforms.

More information

 [C709] Copycat Sites

Copycat Sites are used by malvertisers to establish their fake brands so that when their campaigns go through traditional Ad Tech quality controls, they look like real advertisers.

More information

 [C809] Fake Software Updates

Fake Software Updates landing pages that lure victims into installing an application under the guise that their current software is out of date.

More information
[C610] Fake Landing Pages

Fake Landing Pages [C610] are display ad destinations that exist only to make the decoy ad seem convincing.

More information

 [C710] Fake HTML5 Creative

HTML5 Creatives are usually dynamic ads that consist of largely pure HTML and Javascript.

More information

 [C810] Tech Support Scam

Tech Support Scam landing pages are often deployed in conjunction with Browser Locking techniques or other Nagware.

More information
[C611] Hardware Concurrency

Hardware Concurrency is a client-side check using the browser API that allows attackers to fingerprint how many CPU cores a target device has.

More information

 [C711] Domain typosquatting

Typo domains are a common tool in the cybercrime pipeline, where at least one character different than a trusted domain.

More information

 [C811] Giveaway scam

We generalize these landing pages as Free iPhone Scams, but they often include a multitude of other products or product giveaways including tablets, computers, and other electronics or highend items.

More information
[C612] Browser Objects

Browser Objects are any objects that are native to a browser's implementation of JavaScript and/or the many APIs available to browsers.

More information

 [C712] Homoglyph

Homoglyphs are characters that appear the same to the naked eye, but have a different underlying code.

More information

 [C812] Investment Scam

Investment Scams landing pages usually present outlandish investment opportunities that are backed by faked celebrity endorsements (pre-landers).

More information
[C613] Time-based

Time-based cloaking consist of hiding malicious activity and only activate it during specific time slots.

More information

 [C713] Zero width space chars

Similar to Homoglyphs, there exist "invisible" characaters which are symbols that have zero width.

More information

 [C813] Web3 seed phrase phishing

Web3 seed phrases phishing landing pages are phishing pages targeting a web3 dapp for seed phrase phishing.

More information
[C614] Abuse third party bot & proxy detection

Ads verification vendors are using bots also known as "scanners" to monitor the quality of the ads served on a specific URL or by specific ad tag and alerting when violation is found.

More information

 [C714] OCR Distruption

OCR (optical character recognition) disruption is a technique for thwarting in-image text analysis.

More information

 [C814] Web3 phishing

Web3 Phishing landing pages are phishing websites targeting web3 brands.

More information
[C615] Plugin Detection

The Browser Identification through Plugin Detection technique is employed by attackers to determine the type of browser a user is running based on the identified plugins.

More information

 [C715] Security Vendor Detection

Malvertising security vendors typically have a client-side component for blocking malvertisements.

More information

 [C815] Web3 giveaway scam

Web3 giveaway scams are landing pages convincing unsuspecting people to send cryptocurrency to scammers.

More information
[C716] Mutex

Technique used to avoid executing the payload more than one time.

More information

 [C816] Fake iOS provisioning

Fake iOS provisioning landing pages are used to lure victims into installing an iOS Development provisioning profile.

More information
[C717] Automated Framework Detection

The Automated Framework Detection Avoidance technique is employed by attackers to identify and differentiate victims using automated testing frameworks.

More information

 [C817] Fake cryptocurrency exchange

Fake centralized exchanges landing pages are cloned/fake centralized exchanges webpages allowing users to create accounts and deposit money to start trading cryptocurrency.

More information
[C718] Anti-replay

The anti-replay technique aims to ensure that the malvertising payload is executed only once on a targeted device.

More information

 [C818] Web3 Fake ICO

Web3 fake ICO landing pages are web pages offering an Initial Coin Offering (ICO) for a web3 project.

More information
[C819] Web3 Fake Mint

Fake MINT landing pages consist of a cloned webpage of an existing NFT project during the mint period.

More information
[C820] Scareware

This technique involves leveraging scare tactics to manipulate victims; a landing page is designed to instill fear in the users by falsely indicating that their system is infected with malware.

More information