Malvertising Attack Matrix

A project by

Confiant

[C500] Credential Access

Tactic Description: Credential Access consists of techniques for stealing credentials in the form of session cookies and access tokens. These credentials are typically obtained by malware that monitors active browser sessions for a specific target website. With these credentials, malvertisers gain access to additional resources or services, allowing them to run further malvertising campaigns under stolen, legitimate user sessions, which makes the activity hard to detect.

[C501] Cookie stealing

Technique Description: Cookie stealing is the ability of malvertisers to steal and reuse cookies from previously compromised hosts for further exploitation directly related to malvertising, without needing the user's credentials. Web applications and services often use session cookies as an authentication token once a user has authenticated to a website.

Procedure example: SilentFade malware is equipped with credential-stealing components like those used by other malware campaigns in the wild. However, unlike the others, SilentFade’s credential-stealing component only retrieved Facebook-specific stored credentials and cookies located on the compromised machine. This gave SilentFade the ability to use subsequently stolen access tokens to access and compromise Facebook Ads Manager accounts.

References [Facebook] SilentFade: Unveiling a malware ecosystem that targeted the Facebook ad platform: https://vblocalhost.com/uploads/VB2020-Karve-Urgilez.pdf

[C502] Access Tokens theft

Technique Description: Access Token theft is the ability of malvertisers to steal and use access tokens in order to reach different resources provided by a website. The information and access gained this way allow malvertisers to hijack website resources and launch fraudulent malvertising campaigns.

Procedure example: SilentFade made a request to the Facebook Graph API Explorer and parsed the page content to retrieve the access token for the Ads Manager product. SilentFade also grabbed CSRF tokens from the page in order to make additional requests. It then used the retrieved access token to obtain user information, linked payment information, and previous ad-related spend.

References [Facebook] SilentFade: Unveiling a malware ecosystem that targeted the Facebook ad platform: https://vblocalhost.com/uploads/VB2020-Karve-Urgilez.pdf

[C503] MSISDN harvesting

Technique Description: The Mobile Station International Subscriber Directory Number (MSISDN) is an international mobile phone identifier. Malvertisers harvest these IDs using a variety of techniques, including XSS payloads or iframes injected via ads. The aim is to defraud end users (telecom subscribers) by subscribing them to products and services without their consent through their operator's billing systems.

Procedure example: The threat actor WapSiphone harvested MSISDNs via display ads from multiple carriers that make the MSISDN available over HTTP, either through headers or a lookup service.

References [Confiant] https://blog.confiant.com/confiant-protected-media-uncover-mobile-billing-malvertiser-dubbed-wapsiphone-12248d7fe7a1