Our security team is constantly profiling the threat actors using different techniques and tactics to exploit and scam users via digital ads.
The Malvertising Attack Matrix is a way to communicate actionable threat intelligence to entities that are outside of the ad tech world and give them real, credible information on threats to their digital security.
The matrix has nine tactic columns, [C100] Initial Access through [C900] Impact; each technique is listed below under its tactic.

| Tactic | Technique | Description |
|---|---|---|
| [C100] Initial Access | [C101] Fake Advertising Agency | A Fake Advertising Agency is an advertising agency owned by a malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs). |
| [C100] Initial Access | [C102] Websites Targeting | Malvertisers may specifically target one or more websites based on their reputation, amount of traffic, or category. |
| [C100] Initial Access | [C103] Fake ad creative | Fake ad creatives are display advertisements typically shown in standalone slots on websites and mobile apps; they are an effective entry point for malvertisers. |
| [C100] Initial Access | [C104] Misconfigured Cloud Storage Buckets | Buckets are cloud containers that store user data, often used to store and protect any amount of data for websites and mobile apps, including backup and restore. |
| [C100] Initial Access | [C105] Application Vulnerability | Application Vulnerability is a technique that consists of the direct exploitation of a web application, specifically advertising servers. |
| [C100] Initial Access | [C106] Browser Notifications | The browser Notifications API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background. |
| [C100] Initial Access | [C107] Calendar Injection | Calendar Injection is a technique where fake calendar invites are sent to victims in order to trigger certain actions. |
| [C100] Initial Access | [C108] Search Engine Ads | Search engine advertising allows malvertisers to directly display paid ads among the search results on various search engines. |
| [C200] Execution | [C201] JScript tag Injection | Specific to Internet Explorer's legacy jscript.dll: JavaScript can be injected via a script tag with the language="Jscript.Encode" attribute set. |
| [C200] Execution | [C202] WebAssembly injection | Malvertisers rely on WASM by introducing it into the execution of a page, ad creative, or other resource where it has no place in the legitimate execution of the application or ad. |
| [C200] Execution | [C203] HTML DOM modification | DOM modification is the act of manipulating the DOM in an ad or on a website as part of the malware execution. |
| [C200] Execution | [C204] Forceful Redirects | Forceful redirects are the technique by which malvertisers redirect victims to a malicious landing page through no action of their own. |
| [C200] Execution | [C205] PDF Redirect | PDF redirect is a redirect technique that utilizes a malicious PDF document which redirects the victim to the attacker's URL when the document is opened in the browser. |
| [C200] Execution | [C206] Click Jacking | Clickjacking is a technique used by malvertisers to hijack the click action of a user, getting them to click on an invisible element controlled by the attacker. |
| [C200] Execution | [C207] Web Socket | The WebSocket protocol, described in RFC 6455, provides a way to exchange data between browser and server via a persistent connection. |
| [C300] Persistence | [C301] Cloud Storage - Bucket | Buckets are cloud containers that store user data, often used to store and protect any amount of data for websites and mobile apps, including backup and restore. |
| [C300] Persistence | [C302] CDN reverse proxies | A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers. |
| [C300] Persistence | [C303] Browser Extension | Malicious browser extensions help attackers achieve persistence on victim devices by enabling them to sit as a component with access and visibility into the entirety of the browser's stack. |
| [C300] Persistence | [C304] Browser Notifications | Browser Notifications, and Push Notifications in particular, are used by apps to send notices to subscribed users. |
| [C300] Persistence | [C305] BackEnd as A Service | Backend as a Service (for example Firebase) allows developers to create embeddable scripts and web applications hosted on Google infrastructure. |
| [C300] Persistence | [C306] Compromised websites | Compromised websites can be used to host malicious JavaScript code that is executed during malvertising redirect chains. |
| [C300] Persistence | [C307] Fake Advertising Agency | A Fake Advertising Agency is an advertising agency owned by a malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs). |
| [C400] Browser Exploitation | [C401] By-pass Popup Blocker | Popup blocker bypasses are browser exploits that circumvent the browser's built-in pop-up protection. |
| [C400] Browser Exploitation | [C402] Same Origin Policy Bypass | CORS is a set of HTTP-header-based security controls that allow developers to specify certain exemptions to the Same-Origin Policy enforced by web browsers. |
| [C400] Browser Exploitation | [C403] Iframe Sandboxing bypass | Iframe sandbox bypasses are exploits that circumvent iframe sandbox attribute parameters, typically the "allow-top-navigation-by-user-activation" parameter. |
| [C400] Browser Exploitation | [C404] Logic flaw | Logic flaws are bugs that are exploitable due to failures in application or business logic. |
| [C500] Credential Access | [C501] Cookie stealing | Cookie stealing is the ability for malvertisers to steal and use cookies from previously compromised hosts for further exploitation attempts directly related to malvertising, without needing user credentials. |
| [C500] Credential Access | [C502] Access Tokens theft | Access token theft is the ability for malvertisers to steal and use access tokens to access different resources provided by a web site. |
| [C500] Credential Access | [C503] MSISDN harvesting | The Mobile Station International Subscriber Directory Number (MSISDN) is an international mobile phone identifier. |
| [C600] Cloaking | [C601] WebGL | WebGL APIs are heavily leveraged for device fingerprinting, because a device's graphics card and its performance are highly variable and produce outputs that are in an entropy sweet spot. |
| [C600] Cloaking | [C602] User-Agent Fingerprinting | User-Agent Fingerprinting is a client-side check by which adversaries determine the browser types and versions they might potentially be attacking. |
| [C600] Cloaking | [C603] GeoIP check | GeoIP is commonly used as a server-side check that determines the geographical location of a potential target based on the IP address. |
| [C600] Cloaking | [C604] IP Targeting | IP targeting is a more fine-grained check than a GeoIP check, determining whether targets are using their home, datacenter, enterprise, or 4G mobile connection. |
| [C600] Cloaking | [C605] Passive TCP/IP Fingerprinting | Passive TCP/IP Fingerprinting is a server-side technique used by malvertisers that passively sniffs the network and classifies target hosts based on the observed traffic. |
| [C600] Cloaking | [C606] OS Fingerprinting | OS Fingerprinting is a check used to accurately determine a target user's operating system and its version. |
| [C600] Cloaking | [C607] HTTP Fingerprinting | HTTP Fingerprinting is a server-side technique which consists of checking the HTTP protocol headers. |
| [C600] Cloaking | [C608] TLS Fingerprinting | TLS Fingerprinting is a technique used by malvertisers on the server side of the TLS connection. |
| [C600] Cloaking | [C609] Fake AD creatives | Fake ad creatives are copy/pasted legitimate ad creatives that malvertisers use as a pretext to appear legitimate in the eyes of ad platforms. |
| [C600] Cloaking | [C610] Fake Landing Pages | Fake Landing Pages are display ad destinations that exist only to make the decoy ad seem convincing. |
| [C600] Cloaking | [C611] Hardware Concurrency | Hardware Concurrency is a client-side check using the browser API that allows attackers to fingerprint how many CPU cores a target device has. |
| [C600] Cloaking | [C612] Browser Objects | Browser Objects are any objects native to a browser's implementation of JavaScript and/or the many APIs available to browsers. |
| [C600] Cloaking | [C613] Time-based | Time-based cloaking consists of hiding malicious activity and only activating it during specific time slots. |
| [C600] Cloaking | [C614] Abuse third party bot & proxy detection | Ad verification vendors use bots, also known as "scanners", to monitor the quality of the ads served on a specific URL or by a specific ad tag and to alert when a violation is found. |
| [C600] Cloaking | [C615] Plugin Detection | The Browser Identification through Plugin Detection technique is employed by attackers to determine the type of browser a user is running based on the identified plugins. |
| [C700] Defense Evasion | [C701] Code obfuscation | Code obfuscation covers a broad category of techniques and tactics employed by attackers to make their code hard for human analysts to read. |
| [C700] Defense Evasion | [C702] CDN usage | CDN usage is the practice of using reputable domains to conceal a threat, usually by operating under a subdomain of a legitimate website or a reputable CDN provider. |
| [C700] Defense Evasion | [C703] Anti-Devtools | Anti-Devtools techniques are employed by attackers to disrupt the debugging of the malicious code when browser dev tools are detected. |
| [C700] Defense Evasion | [C704] String Concatenation | String Concatenation is an obfuscation technique where strings are split into small chunks and added together so that the original strings are difficult to search for during static analysis. |
| [C700] Defense Evasion | [C705] Dom Traversal | The Document Object Model (DOM) is a standard convention for accessing and manipulating elements within HTML and XML documents. |
| [C700] Defense Evasion | [C706] Standard Library Hijacking | Library Hijacking can take many forms, as either an attack vector or a concealment technique. |
| [C700] Defense Evasion | [C707] Reputable Ad servers | Reputable Ad Servers encompass any ad serving platforms whose ad serving domains are "household names" in the Ad Tech industry. |
| [C700] Defense Evasion | [C708] Steganography | Steganography is the practice of concealing data inside files, typically images or binaries. |
| [C700] Defense Evasion | [C709] Copycat Sites | Copycat Sites are used by malvertisers to establish their fake brands so that when their campaigns go through traditional Ad Tech quality controls, they look like real advertisers. |
| [C700] Defense Evasion | [C710] Fake HTML5 Creative | HTML5 Creatives are usually dynamic ads that consist largely of pure HTML and JavaScript. |
| [C700] Defense Evasion | [C711] Domain typosquatting | Typo domains are a common tool in the cybercrime pipeline: domains in which at least one character differs from a trusted domain. |
| [C700] Defense Evasion | [C712] Homoglyph | Homoglyphs are characters that appear the same to the naked eye but have a different underlying code. |
| [C700] Defense Evasion | [C713] Zero width space chars | Similar to homoglyphs, there exist "invisible" characters, which are symbols that have zero width. |
| [C700] Defense Evasion | [C714] OCR Disruption | OCR (optical character recognition) disruption is a technique for thwarting in-image text analysis. |
| [C700] Defense Evasion | [C715] Security Vendor Detection | Malvertising security vendors typically have a client-side component for blocking malvertisements. |
| [C700] Defense Evasion | [C716] Mutex | A technique used to avoid executing the payload more than once. |
| [C700] Defense Evasion | [C717] Automated Framework Detection | The Automated Framework Detection Avoidance technique is employed by attackers to identify and differentiate victims using automated testing frameworks. |
| [C700] Defense Evasion | [C718] Anti-replay | The anti-replay technique aims to ensure that the malvertising payload is executed only once on a targeted device. |
| [C800] Landing Page | [C801] Gift Card Scam | Gift Card Scams are landing pages that tell the victim they have won an e-commerce gift card, usually to a major retailer. |
| [C800] Landing Page | [C802] Carrier Branded Scams | Carrier Branded Scams are landing pages where the victim is presented with a fake message from their local ISP. |
| [C800] Landing Page | [C803] Crypto Mining | Crypto Mining is a CPU-intensive process for mining cryptocurrency. |
| [C800] Landing Page | [C804] Drive-by Downloads | A drive-by download attack refers to the unintentional download of malicious code in the form of malware or PUPs/PUAs, with or without user interaction. |
| [C800] Landing Page | [C805] Exploit KIT | Exploit Kits are malicious web servers that automatically chain browser exploits in order to compromise victim hosts with malware. |
| [C800] Landing Page | [C806] Browser Locker | Browser locker is a set of techniques used by malvertisers consisting of "freezing" the browser in full-screen and showing a warning message asking the victim either to pay a fine or to call a tech support number in order to unfreeze the browser. |
| [C800] Landing Page | [C807] Browser Extension | Browser Extensions are software add-ons that extend web browser capabilities. |
| [C800] Landing Page | [C808] Cryptocurrency Scam | Bitcoin Scam landing pages usually present outlandish investment opportunities backed by fake celebrity endorsements. |
| [C800] Landing Page | [C809] Fake Software Updates | Fake Software Updates are landing pages that lure victims into installing an application under the guise that their current software is out of date. |
| [C800] Landing Page | [C810] Tech Support Scam | Tech Support Scam landing pages are often deployed in conjunction with Browser Locking techniques or other nagware. |
| [C800] Landing Page | [C811] Giveaway scam | We generalize these landing pages as Free iPhone Scams, but they often include a multitude of other products or product giveaways, including tablets, computers, and other electronics or high-end items. |
| [C800] Landing Page | [C812] Investment Scam | Investment Scam landing pages usually present outlandish investment opportunities backed by faked celebrity endorsements (pre-landers). |
| [C800] Landing Page | [C813] Web3 seed phrase phishing | Web3 seed phrase phishing landing pages are phishing pages that impersonate a web3 dapp in order to phish seed phrases. |
| [C800] Landing Page | [C814] Web3 phishing | Web3 Phishing landing pages are phishing websites targeting web3 brands. |
| [C800] Landing Page | [C815] Web3 giveaway scam | Web3 giveaway scams are landing pages that convince unsuspecting people to send cryptocurrency to scammers. |
| [C800] Landing Page | [C816] Fake iOS provisioning | Fake iOS provisioning landing pages are used to lure victims into installing an iOS Development provisioning profile. |
| [C800] Landing Page | [C817] Fake cryptocurrency exchange | Fake centralized exchange landing pages are cloned/fake centralized exchange web pages that allow users to create accounts and deposit money to start trading cryptocurrency. |
| [C800] Landing Page | [C818] Web3 Fake ICO | Web3 fake ICO landing pages are web pages offering an Initial Coin Offering (ICO) for a web3 project. |
| [C800] Landing Page | [C819] Web3 Fake Mint | Fake Mint landing pages consist of a cloned web page of an existing NFT project during the mint period. |
| [C800] Landing Page | [C820] Scareware | This technique leverages scare tactics to manipulate victims; a landing page is designed to instill fear in users by falsely indicating that their system is infected with malware. |
| [C900] Impact | [C901] Credential Theft | Credential Theft includes exfiltration of logins to third-party services including but not limited to email providers, CRMs, banking, or any devices and/or services that might be found on a corporate intranet. |
| [C900] Impact | [C902] Denial of Service | Denial of Service (DoS) is a category of techniques for making software or devices temporarily or permanently unusable. |
| [C900] Impact | [C903] Resource Hijacking | The traditional malware model considers Resource Hijacking to encompass any technique that leverages access to a victim's hardware or infrastructure in a disruptive way. |
| [C900] Impact | [C904] Financial Loss | Financial Loss encompasses any attack whose impact results in lost money for the victim targeted by malvertisers. |