They’re profiling you to see if you might make a good victim, experts say.
Talk about a bad date. Love seekers on the free dating site Plenty of Fish made a special connection—with malicious hackers, according to researchers, part of a wave of malvertising using new tricks to hide under the radar.
You might want to call it “Plenty of Phish.” But this bad hook-up happened without singles having to click on anything at all, unlike a phishing campaign.
Instead, malvertisers searched for ‘profiles’ they could exploit, and delivered a secret message through a tainted ad, researcher Jerome Segura with Malwarebytes said.
Not dating profiles, but computer profiles that told them if you were trying to protect yourself from malware.
This new tactic of “fingerprinting” you and your computer is making it easier for the bad guys to get to their victims, and making it harder for investigators to track them down, said Segura and Eugene Aseev with GeoEdge, a mobile ad security company.
“…Cybercriminals are able to target their victims like never before in attacks that are both cost effective and difficult to pinpoint,” wrote Segura and Aseev in a white paper.
Plenty of hot tubs
The malicious ad on Plenty of Fish in August was for home spas, according to Segura.
“Twilight Hot Tubs” asked you to “Feel the Healing Power of a Hydro Therapy Spa.”
Could you tell if it, or ads like it, were malvertising, just by looking?
“No chance,” Aseev told Archer News. “Ads look 100% legitimate and benign.”
And even if you don’t click on them, the ad can infect you simply by appearing on your screen, downloading ransomware or spyware, taking your money or your passwords.
“Unfortunately, even if you are an extremely savvy and careful web surfer, your endpoint can be compromised in a smooth and seamless way without any user interaction,” said Aseev.
“Typical result of such compromise – infection with ransomware, banking or ad fraud malware – practically everything that can bring value to attackers by monetizing their efforts, usually with help of user’s wallet,” added Aseev.
Did you fit the profile?
Did you see the ad—or ads like it on other sites—and get infected?
If you did not fit the profile, probably not. This is where ‘fingerprinting’ comes in.
The ad itself decides if you and your computer are ripe for the picking, or too wise to the bad guys’ tricks, the researchers said.
In one malvertising campaign, a banner ad called out, “Interested in life of the stars? Learn music with us! More on www.musical4.com.”
Secretly, the ad was checking to see if your computer had a tool used in protective software, often in Kaspersky products. If the ad found that you were protected, it did not connect you to a malicious site, the researchers said.
Other ads showed a “booby-trapped” GIF that checked for security products from Malwarebytes, Kaspersky, TrendMicro, Invincea and others.
If you didn’t have the products, the ad “fingerprinted” you as a possible victim and tried to send you off to a malicious site.
Hiding out
But this tactic doesn’t just help the bad guys find their victims more easily.
It also helps them dodge investigators, who are more likely to have security products on their computers.
“This is what fingerprinting is all about,” Segura told Archer News, “Trying to identify machines that don’t belong to regular users and may expose the malicious activity.”
“In other words, if no ad network and security company can see anything, the malvertising campaigns will last for days, even weeks,” he added.
The tainted ads can tell if a computer belongs to a security company checking ads to make sure they are safe, and instead show a non-tainted ad. Or, it can see if the computer is a “honeypot,” set up to try to catch fake ads. If so, the ad will not reveal its seamy malware underbelly.
Fingerprinting has been used before, the researchers said, but is becoming more prevalent in this kind of attack.
“Fingerprinting joins a growing arsenal of tactics developed by cybercriminals to avoid discovery by security researchers,” Segura and Aseev wrote.
What you can do
The bad guys have “upped their game,” the researchers said. But so can you.
“How can a user avoid such elusive and painful attacks?” asked Aseev. “Pay special attention to software updates and use advanced endpoint protection.”
Many people still do not do the basics, said Segura.
“People can still use the same tools and proper security hygiene to avoid being the lowest-hanging fruit,” he said.
“A large part of malvertising is due to the fact that still too many computers are left unpatched and are easy targets to exploit,” Segura said.