Malvertising Attack Matrix

A project by

Confiant

[C800] Landing Page

Tactic Description: After several redirect chains, visitors end up on a final page, the landing page. Typically the landing page is the malvertiser's final "payload" and comes in different forms and serves different purposes, ranging from drive-by downloads and exploit kits to investment scams.

[C801] Gift Card Scam

Technique Description: Gift Card Scams are landing pages that tell the victim they have won an e-commerce gift card, usually to a major retailer. In order to claim the gift card the victim has to fill out a form with their email address or other contact information. In reality, no gift card is ever provided; instead the victim is lured into a near-endless chain of such forms. The victim's data is then packaged and sold or used for CPA / affiliate scams.

Procedure example: Malvertising Attack Hijacks 300 Million Sessions Over 48 Hours redirecting victim to gift card scams.

References [Confiant] https://blog.confiant.com/malvertising-attack-hijacks-300-million-sessions-over-48-hours-9d0218fe02cd

[C802] Carrier Branded Scams

Technique Description: Carrier Branded Scams are landing pages where the victim is presented with a fake message from their local ISP (or mobile phone carrier) inviting them to enter their credit card information to confirm their prize.

Procedure example: eGobbler and Nephos7 delivering carrier-branded "CC-Submit" scams.

References [Confiant] https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

[C803] Crypto Mining

Technique Description: Crypto Mining is a CPU intensive process for mining cryptocurrency. Some malicious landing pages might attempt to do this client-side, which can hurt the performance and longevity of a device and sometimes even lead to Denial Of Service.

Procedure example: Malvertising campaigns serving Coinhive tag, or the tag of a Coinhive copycat.

References [Confiant] https://blog.confiant.com/the-brief-and-wondrous-life-of-in-ad-cryptojacking-ebf19c2c3e7a

[C804] Drive-by Downloads

Technique Description: A drive-by download attack refers to the unintentional download of malicious code, in the form of malware or PUP/PUAs, with or without user interaction. Malvertisers create a vector for malware delivery via ads or legitimate-looking program downloads that in turn download malware without the user's consent.

Procedure example: tbd

References [Confiant] https://blog.confiant.com/malvertising-site-compromise-and-a-status-report-on-drive-by-downloads-c127e16e57d7

[C805] Exploit Kit

Technique Description: Exploit Kits are malicious web servers that automatically chain browser exploits in order to compromise victim hosts with malware. When they are part of a redirection chain, exploit kits fingerprint the browser and its plugins, then deliver a working exploit. After successful exploitation, the browser is tricked into executing shellcode which in turn downloads and executes malware to infect the host. The reason they became the most popular method of mass malware or remote access tool (RAT) distribution by criminal groups is that this process is handled automatically by the exploit kit, lowering the barrier to entry for attackers.

Procedure example: In early 2015, there was a succession of zero-day vulnerabilities (including CVE-2015-0310, CVE-2015-0311, CVE-2015-0313, CVE-2015-0315, CVE-2015-0336, CVE-2015-0359) in Adobe Flash Player, which were quickly targeted by Angler (and other exploit kits).

References [Confiant] https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30
[paloaltonetworks] https://www.paloaltonetworks.com/cyberpedia/what-is-an-exploit-kit
[sophos] https://news.sophos.com/en-us/2015/07/21/a-closer-look-at-the-angler-exploit-kit

[C806] Browser Locker

Technique Description: Browser locker is a set of techniques used by malvertisers that "freeze" the browser in full-screen mode and show a warning message asking the victim either to pay a fine or to call a tech support number in order to unfreeze the browser. Browser lockers make various unwanted changes to the victim's system and browser settings to ensure that the lock screen cannot be evaded and the browser tab containing it cannot be closed.

Procedure example: Browlock Malvertisers Abuse Unaddressed Denial-Of-Service Bugs That Sit Dormant For Years.

References [Confiant] https://blog.confiant.com/browlock-malvertisers-abuse-unaddressed-denial-of-service-bugs-that-sit-dormant-for-years-a54a2c20b9dd

[C807] Browser Extension

Technique Description: Browser Extensions are software add-ons that extend web browser capabilities. Malicious Browser Extensions are rampant and typically perform information / credential theft, or plain old ad fraud or SEO fraud. It is not uncommon for malicious landing pages to try to get the victim to sideload Malicious Browser Extensions that are not part of the browser's official app store ecosystem.

Procedure example: Looking At Chrome Extensions That Hijack Search — Spread Via Malvertising

References [krebsonsecurity] https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor
[Confiant] https://blog.confiant.com/looking-at-chrome-extensions-that-hijack-search-spread-via-malvertising-28ddc548463c

[C808] Cryptocurrency Scam

Technique Description: Bitcoin Scam landing pages usually present outlandish investment opportunities that are backed by fake celebrity endorsements. Many of these scams are perpetuated at scale by large malvertising groups with big budgets and complex cloaking infrastructure. It is a subcategory of Investment Scams.

Procedure example: Fizzcore fake celebrity-endorsed bitcoin scam targeting Europe.

References [Confiant] https://www.confiant.com/blogs/security-research/fizzcore-style-fake-celebrity-endorsed-bitcoin-scam-targeting-europe

[C809] Fake Software Updates

Technique Description: Fake Software Updates are landing pages that lure victims into installing an application under the guise that their current software is out of date. These updates lead to installs of malware of different types: info stealers, banking trojans or PUP/PUAs. Fake Software Updates are a subcategory of the Drive-by Downloads technique.

Procedure example: OSX/Shlayer delivering OSX/Tarmac via fake flash software updates.

References [Confiant] https://blog.confiant.com/osx-shlayer-new-shurprise-unveiling-osx-tarmac-f965a32de887

[C810] Tech Support Scam

Technique Description: Tech Support Scam landing pages are often deployed in conjunction with Browser Locking techniques or other nagware. The scheme usually involves trying to convince the victim that their machine has either been compromised or is experiencing some kind of software or hardware failure.
There will be a phone number to call for "support", where the victim is guided towards installing an application to "fix" the issue. They are then charged a one-time or recurring fee. The application is at best a PUA, or at worst malware.

Procedure example: Browlock Malvertisers Abuse Unaddressed Denial-Of-Service Bugs That Sit Dormant For Years.

References [Confiant] https://blog.confiant.com/browlock-malvertisers-abuse-unaddressed-denial-of-service-bugs-that-sit-dormant-for-years-a54a2c20b9dd

[C811] Giveaway scam

Technique Description: We generalize these landing pages as Free iPhone Scams, but they often include a multitude of other products or product giveaways including tablets, computers, and other electronics or high-end items. Typically the victim is led to believe that they have won a prize for being the "1000th User" or have an opportunity to enter a free sweepstakes in order to claim the prize. When they sign up, they are escorted through an unending funnel of email sign-ups and prerequisites, sometimes having to provide information such as name, email, phone, physical address, and credit card. At worst, the victim will be fraudulently billed. At best, their information is syndicated and sold for the purposes of defrauding CPA affiliate programs.

Procedure example: Active for at least several years now, ScamClub malvertisements are defined mainly by forced redirections to scams that offer prizes to "lucky" users, like the all too ubiquitous "You've won a Walmart giftcard!" or "You've won an iPhone!" landing pages.

References [Confiant] https://blog.confiant.com/malvertiser-scamclub-bypasses-iframe-sandboxing-with-postmessage-shenanigans-cve-2021-1801-1c998378bfba

[C812] Investment Scam

Technique Description: Investment Scams landing pages usually present outlandish investment opportunities that are backed by faked celebrity endorsements (pre-landers). Many of these scams are perpetuated at scale by large malvertising groups with big budgets and complex cloaking infrastructure.

Procedure example: Confiant has been blocking a large-scale and persistent attack over the last six weeks that targets multiple European countries on mobile. The malicious campaign, operated by the Fizzcore group, portrays photoshopped celebrities to lure visitors into a bitcoin investment scam.

References [Confiant] https://www.confiant.com/blogs/security-research/fizzcore-style-fake-celebrity-endorsed-bitcoin-scam-targeting-europe

[C813] Web3 seed phrase phishing

Technique Description: Web3 seed phrase phishing landing pages are phishing pages that impersonate a web3 dapp in order to harvest wallet seed phrases. These landing pages are usually perfect clones of existing dapps. Once the victim starts interacting with the dapp, a fake pop-up is shown asking the victim to enter their seed phrase. Once the seed phrase is entered, the attackers can use it to restore the victim's wallet, access the victim's private keys and the wallet's contents (coins, cryptocurrency tokens, NFTs, etc.), and transfer them to an attacker-controlled wallet.

Procedure example: Malvertisers created fake seed phrase phishing landing pages. The websites https://looksrarees[.]org and https://loksrares[.]org are fake copies of the legitimate https://looksrare.org/ marketplace. These fake sites steal victims' wallet seed phrases via a fake popup that is shown to users once they try to connect their wallet to interact with the dapp.

References [ConfiantIntel] https://twitter.com/confiantintel/status/1484019817023959043?s=21

[C814] Web3 phishing

Technique Description: Web3 Phishing landing pages are phishing websites targeting web3 brands. The brands targeted are often centralized exchanges, p2e games, or well-known non-custodial cryptocurrency wallets. The victims are lured into downloading software that is often malicious and can result in the installation of malware or backdoored wallets.

Procedure example: Malvertisers created a web3 phishing website targeting @AxieInfinity users. The malicious domain used, axieinfiniyie[.]com, pointed to a cloned @AxieInfinity website. The victims are lured into downloading a fake Mavis Hub for different platforms. The binary targeting Windows was backdoored and installed the NetSupport Manager Remote Access Tool (RAT), giving attackers full control of the victim's Windows computer.

References [ConfiantIntel] https://twitter.com/confiantintel/status/1480061948397977600?s=21

[C815] Web3 giveaway scam

Technique Description: Web3 giveaway scams are landing pages that convince unsuspecting people to send cryptocurrency to scammers. Scammers attempt to trick people into believing that they will receive back twice as much cryptocurrency as they send. This particular giveaway scam is used to trick people into transferring cryptocurrency to an attacker-controlled wallet (which is often rotated). Such scams are promoted via hacked social media accounts on YouTube, Twitter, Facebook or via deceptive advertisements.

Procedure example: Fake Bitcoin giveaways impersonating the Tesla Motors CEO were found spreading all over Twitter by "verified" accounts.

References [Decrypt] https://decrypt.co/54271/elon-musk-twitter-scams-rake-in-580000-of-bitcoin

[C816] Fake iOS provisioning

Technique Description: Fake iOS provisioning landing pages are used to lure victims into installing an iOS Development provisioning profile. This profile enables sideloading of iOS applications onto the victim's iOS devices, whether these devices are jailbroken or not. Based on current web3 threat activity, we observed a large number of attacks sideloading backdoored cryptocurrency wallets or web clips pointing to fake cryptocurrency exchanges.

Procedure example: WireLurker, a new family of malware that abuses app provisioning profiles to install potentially malicious apps on any iOS device, regardless of whether it is jailbroken.

References [PaloAlto] https://unit42.paloaltonetworks.com/protecting-users-ios-app-provisioning-profile-abuse/

[C817] Fake cryptocurrency exchange

Technique Description: Fake centralized exchange landing pages are cloned or fake centralized exchange websites that allow users to create accounts and deposit money to start trading cryptocurrency. Once the funds are deposited they are usually transferred to attacker-controlled wallets and lost for good.

Procedure example: Many observed sideloaded WebClips, originating from fake iOS provisioning profiles, are configured with URLs pointing to fake cryptocurrency exchanges.

References [ConfiantIntel] TBD

[C818] Web3 Fake ICO

Technique Description: Web3 fake ICO landing pages are web pages offering an Initial Coin Offering (ICO) for a web3 project. The web3 project is either fake (a nonexistent project) or impersonates an existing one by cloning its whole website. These websites are often very realistic; they ask users to create an account and follow a KYC process. Usually the KYC process is fake and results in the theft of PII. Upon successful KYC submission, victims are lured into sending funds to attacker-controlled wallets, losing their funds for good.

Procedure example: Malvertisers registered an NFL fan club token ICO scam hosted at https://nfltokens[.]net, stealing cryptocurrency from victims and also ID card and passport scans via the fake KYC process.

References [ConfiantIntel] https://twitter.com/confiantintel/status/1483661716856934401?s=21

[C819] Web3 Fake Mint

Technique Description: Fake Mint landing pages consist of a cloned webpage of an existing NFT project during its mint period. The difference is that instead of minting an NFT, the user is lured into sending ETH to a wallet controlled by the attacker. Minting refers to the process of turning a digital file into an NFT on the Ethereum blockchain. A valid minting process consists of sending a signed transaction to the NFT smart contract. The data field of the transaction is usually a call to the smart contract's mint function (often named mintNFT), which usually requires a tokenURI parameter referring to a JSON document where the metadata (image, properties, name, description, ...) is stored.

Procedure example: Malvertisers set up a fake mint of @coolcatsnft hosted at the fake website https://coolcats-sale[.]com. The fake mint sends stolen funds to the wallet 0x3Cb368aB45aD72BF901Dac98f9A7CA930c2CEc06; more at https://etherscan.io/address/0x3Cb368aB45aD72BF901Dac98f9A7CA930c2CEc06

References [ConfiantIntel] https://twitter.com/confiantintel/status/1487344646451720192?s=21