Malvertising Attack Matrix

A project by


[C100] Initial Access

Tactic Description: Initial Access is the first step where the Malvertisers enters the Advertising ecosystem. Usually Malvertisers access the ad ecosystem by creating fake agencies for the purpose of establishing relationships with ad buying platforms (DSPs) or by creating fake ad creatives.

[C101] Fake Advertising Agency

Technique Description: Fake Advertising Agency is an advertising agency that is owned by malicious operator for the purpose of establishing relationships with ad buying platforms (DSPs). The agency will usually claim to have relationships with real brands, but these relationships are typically fabricated.

Procedure example: Zirconium group successfully created and operated 28 fake ad agencies to distribute malvertising campaigns through 2017, buying an estimate of 1 billion ad views throughout the year, and reaching 62% of ad-monetized websites on a weekly basis.

References [Confiant] Uncovering 2017's largest malvertising operation:

[C102] Websites Targeting

Technique Description: Malvertisers may target specifically one or more websites based on their reputation, amount of traffic, or category. Reputable websites with high traffic might then deliver malicious ads, resulting in redirects or infections of millions of their visitors.

Procedure example: FizzCore Threat Actor redirecting millions visitors of a major News website to fake celebrity endorsed bitcoin scams.

References [Confiant] FizzCore Fake celebrity endorses scam:

[C103] Fake ad creative

Technique Description: Fake ad creative are display advertisements that are typically shown in standalone slots on websites and mobile apps, it is a great entry point for malvertisers.

Procedure example: eGobbler threat actor, borrowing an ad creative from Deutsche Bank normally aimed for the Netherlands market and use it to target the United states. The HTML5 creative is modified to host an obfuscated malicious code snippet. Specifically, the Greensock library is altered deep inside the minified code, in order to make manual inspection extremely challenging.

References [Confiant] Nov 22–25 Attack of The Cyber Turkey:

[C104] Misconfigured Cloud Storage Buckets

Technique Description: Buckets are cloud containers that stores user data. Often used to store and protect any amount of data for websites, mobiles apps for backup and restore. Cloud Storage Buckets is a technique were malvertisers hosts their malicious script in malconfigured Buckets of cloud services with very good reputation allowing to execute malicious script and to bypass domain-reputation based scanners at the same time. A common Buckets targeted by malvertisers are Amazon S3 Buckets.

Procedure example: Magecart campaign leveraging misconfigured S3 buckets to insert JavaScript credit card skimmers on hundreds of website.

References [RiskIQ] Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code:

[C105] Application Vulnerability

Technique Description: Application Vulnerability is a technique that consist of the direct exploitation of a web application, specifically Advertising servers. The vulnerability if exploited successfully could gain to the adversary an authorized access to advertising server resources.

Procedure example: Tag Barnakle exploiting Revive Ad severs, then append their malicious payload to existing ad slots, all of which results in free access to publisher inventory.

References [Confiant] Tag Barnakle:
[Avast] Malvertiser target WordPress vulnerabilities:

[C106] Browser Notifications

Technique Description: Browsers notification API lets a web page or app send notifications that are displayed outside the page at the system level; this lets web apps send information to a user even if the application is idle or in the background. Browser Notifications are push notifications that are sent by web applications. Usually they come under the form a social engineering attack that tries to trick users into subscribing to its push notifications so that it can send unwanted advertisements directly to the user desktop.

Procedure example: The Browser-notification[.]site site displayed a "Confirm notifications" message, asking visitors to subscribe to notifications from this site. upon subscription users will start getting unwanted pop-up ads from even when the browser is closed.

References [malwaretips] Browser push notification abuse:

[C107] Calendar injection

Technique Description: Calendar Injection is a technique where fake calendar invites are sent to victims in order to trigger certain actions like clicking a malicious link that might lead to a malvertising chain.

Procedure example: A malvertiser may obtain user credentials, possibly dumped on the Dark Web in the aftermath of a data breach incurred by an email provider, and from there orchestrate a spam campaign featuring custom event descriptions with phishing links in them.

References [macsecurity] Iphone calendar spam events:

[C108] Search engine ads

Technique Description: Search engine advertising allows Malvertisters to directly display paid ads among the search results on various search engines, like Google, Bing, and Yahoo. A typical search ad includes a headline, a display URL, and a text description. Malvertisers control the Display URL to redirect the victim into a legitimate (and often cloaked) site, that will redirect the victim to a final landing page.

Procedure example: A Malvertiser create a search engine ads redirecting victims searching for "brave browser" to a malicious website for drive-by download, the malware used was IceID Loader.

References [ConfiantIntel] IceID Loader used in search engine ads drive-by downloads, targeting brave browser