Malvertising Attack Matrix

A project by Confiant

[C900] Impact

Tactic Description: Impact techniques help an enterprise assess the risks of malvertising attacks and understand whether they are destructive, cause a denial of service, hijack resources, or cause a financial loss.

[C901] Credential Theft

Technique Description: Credential Theft includes exfiltration of logins to third-party services, including but not limited to email providers, CRMs, banking, or any devices and/or services that might be found on a corporate intranet. Most credential theft that results from malvertising campaigns happens as a result of a malware infection.

Procedure example: SilentFade malware is equipped with credential-stealing components like those used by other malware campaigns in the wild. However, unlike the others, SilentFade's credential-stealing component only retrieved Facebook-specific stored credentials and cookies located on the compromised machine.

References: [Facebook] SilentFade: Unveiling a malware ecosystem that targeted the Facebook ad platform: https://vblocalhost.com/uploads/VB2020-Karve-Urgilez.pdf

[C902] Denial of Service

Technique Description: Denial of Service, or DoS, is a category of techniques for making software or devices temporarily or permanently unusable. In malvertising, this most often takes the form of browser lockers. The purpose of a browser locker is not only to scare the victim but also to create the illusion that the computer has been locked, pushing the victim to call for assistance, which leads to a tech support scam. Browser-locking Denial of Service is therefore used in conjunction with Tech Support Scams to scare the victim into action, which often leads to Financial Loss.

Procedure example: Browlock Malvertisers Abuse Unaddressed Denial-Of-Service Bugs That Sit Dormant For Years

References: [Confiant] https://blog.confiant.com/browlock-malvertisers-abuse-unaddressed-denial-of-service-bugs-that-sit-dormant-for-years-a54a2c20b9dd

[C903] Resource Hijacking

Technique Description: The traditional malware model considers Resource Hijacking to encompass any technique that leverages access to a victim's hardware or infrastructure in a disruptive way. The most common example is theft of compute cycles in order to mine cryptocurrency. This has been attempted at scale in malvertising as well, but the poor economics of in-browser cryptocurrency mining has killed the practice. These days, Resource Hijacking in the malvertising attack model manifests as fraudulent ads that commit ad fraud by firing off many requests during a victim's session, which can slow their browser to a crawl.

Procedure example: Malvertising campaigns serving the Coinhive tag, or the tag of a Coinhive copycat.

References: [Confiant] https://blog.confiant.com/the-brief-and-wondrous-life-of-in-ad-cryptojacking-ebf19c2c3e7a
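The request-flood form of Resource Hijacking described above can be measured rather than guessed at. The following is an added example, not Confiant's code and not part of the matrix: it groups resource requests by origin and flags any origin whose request count inside a short sliding window exceeds a threshold. The window length, the threshold, the placeholder ad-server origin and the sample timings are all assumptions constructed for illustration; the entry shape ({ name, startTime }) is the pair of fields that both a PerformanceResourceTiming entry and a HAR record provide.

```javascript
// Added example (not Confiant's code): request-rate check for the
// "many requests in one session" pattern of Resource Hijacking.
// WINDOW_MS and MAX_REQUESTS are assumed starting points, not Confiant's values.

const WINDOW_MS = 5000;    // sliding window length in ms (assumed)
const MAX_REQUESTS = 50;   // requests per origin per window before flagging (assumed)

// Find origins whose request count inside any windowMs span exceeds maxRequests.
// entries: [{ name: <URL string>, startTime: <ms since navigation> }, ...]
function findRequestFloods(entries, windowMs = WINDOW_MS, maxRequests = MAX_REQUESTS) {
  const byOrigin = new Map();
  for (const entry of entries) {
    let origin;
    try {
      origin = new URL(entry.name).origin;
    } catch {
      continue; // malformed URL: nothing to attribute
    }
    if (origin === 'null') continue; // data:/blob: URLs carry no network origin
    if (!byOrigin.has(origin)) byOrigin.set(origin, []);
    byOrigin.get(origin).push(entry.startTime);
  }

  const flagged = [];
  for (const [origin, times] of byOrigin) {
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      // advance the window start until [lo, hi] spans at most windowMs
      while (times[hi] - times[lo] > windowMs) lo++;
      const inWindow = hi - lo + 1;
      if (inWindow > maxRequests) {
        flagged.push({ origin, requests: inWindow, windowStart: times[lo] });
        break; // one report per origin is enough
      }
    }
  }
  return flagged;
}

// Constructed sample: a publisher's own assets at a normal rate, plus a
// placeholder ad origin firing 200 beacons within two seconds.
function sampleEntries() {
  const entries = [];
  for (let i = 0; i < 10; i++) {
    entries.push({ name: `https://publisher.example/static/asset-${i}.js`, startTime: 100 * i });
  }
  for (let i = 0; i < 200; i++) {
    entries.push({ name: `https://ads.example-adserver.invalid/beacon?n=${i}`, startTime: 1000 + 10 * i });
  }
  entries.push({ name: 'data:image/gif;base64,R0lGODlhAQABAAAAACw=', startTime: 1500 });
  return entries;
}

// Browser wiring: feed live resource timing entries into the same check.
// Returns null outside a browser so this file also runs under Node.
function installMonitor(onFlood) {
  if (typeof PerformanceObserver === 'undefined') return null;
  const seen = [];
  const observer = new PerformanceObserver((list) => {
    for (const e of list.getEntries()) seen.push({ name: e.name, startTime: e.startTime });
    const floods = findRequestFloods(seen);
    if (floods.length > 0) onFlood(floods);
  });
  observer.observe({ type: 'resource', buffered: true });
  return observer;
}

// Stand-alone run over the constructed sample: reports the ad origin once
// its count inside the window passes 50.
console.log(findRequestFloods(sampleEntries()));
```

Two caveats for anyone deploying this. Resource timing is scoped to a browsing context, so a PerformanceObserver on the publisher page does not see requests issued from a cross-origin ad iframe; the monitor has to run inside the frame that hosts the creative, or the pure findRequestFloods function is run offline over a proxy or HAR capture from a creative-scanning sandbox. Second, legitimate viewability and measurement beacons also fire during a session, so the threshold has to be tuned against a baseline of known-good creatives before a flag is treated as fraud.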

[C904] Financial Loss

Technique Description: Financial Loss encompasses any attack whose impact results in money lost by the victim targeted by malvertisers. The victim could be an end user who clicked on an investment scam set up by attackers, but Ad Tech Platforms, Publishers, and Advertisers can also experience Financial Loss due to fraud, brand hijacking, and of course the negative PR that goes along with high-profile incidents.

Procedure example: Bitcoin scams, investment scams, or more recently WAP billing theft by the threat actor wapsiphone.

References: [Confiant] https://blog.confiant.com/confiant-protected-media-uncover-mobile-billing-malvertiser-dubbed-wapsiphone-12248d7fe7a1