Aerosol

Operation DeathClick

The era of spear phishing and watering hole attacks built on social engineering has come to an end. Attackers are now moving towards targeted malvertising, a type of attack that uses online advertising to spread malware. A recent campaign termed "Operation DeathClick" displays a new form of cyber attack focused on specific targets; it is also described as micro-targeted malvertising. In this targeted variation of malvertising, the attackers reach their victims using micro-targeting techniques and real time bidding, a recent advertising technology that places ads based on user interests.

Until now, this type of attack has mainly focused on US defense companies, but it will soon spread to the financial and government sectors. Real time bidding plays a vital role in the attack: it allows ad delivery to be micro-targeted by version of Flash, Java, the operating system and the browser. As per the latest analysis, researchers concluded that this type of attack is much more difficult to patch than a zero day vulnerability.

Operation DeathClick has a micro-targeting system that uses IP address ranges, zip codes and user interests (stored in cookies) to target specific companies, company types and user profiles. Thus it does not matter which site you are browsing or which antivirus you have installed. If the bidding is done properly, ad windows are displayed on the targeted sites and redirect visitors to malicious sites that can install malware and backdoor Trojans on the victim's computer.

What is Operation DeathClick?

Operation DeathClick is an advanced persistent threat (APT) targeting the US defense industry. Invincea, a security firm, detected the attack and named it Operation DeathClick (ODC). It uses social engineering, malvertising and real time bidding as its main tools, relying chiefly on digital advertising targeting technology to find victims. ODC is also defined as micro-targeted malvertising: a combination of malvertising with targeted attacks.

How Operation DeathClick is Carried Out

Operation DeathClick is mainly carried out using three tools:

  • Social engineering
  • Malvertising
  • Real time bidding

Social Engineering

Social engineering is the process of luring people into giving up confidential information. The sort of information these criminals are after can vary, but when individuals are targeted, the attackers mainly focus on collecting their passwords, bank account information, etc. Criminals use social engineering tactics because tricking people is easier than breaking in with software. Security is all about knowing who and what to trust.

Ask any security professional, and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. Different social engineering attacks include email from a "friend", phishing attacks, baiting scenarios, creating distrust, etc.

Malvertising

Malvertising is the practice of placing an advertisement on the Internet that infects the victim's computer with malware. According to the analysis of different security firms, malvertising is a popular computer hijacking technique widely used in organized crime. Once a system is compromised, it becomes part of a botnet that is used to carry out illegal activities.

Malvertising Techniques

  • Legitimate advertisements: Initially, the attacker creates ads which look trustworthy and places this series of malware-free ads on a trusted site that supports third party ads. He leaves these ads as they are for several months so that frequent users come to trust that these links are safe. Later on, the attacker injects malicious code into the ads, which can install different types of Trojans or malware onto the victim's computer.
  • Pop-up ads: A pop-up ad can deliver malware as soon as it appears on the screen. There is also malware that gets installed on the system when the user presses the close button of the pop-up window.

How Malvertising Works

Attackers use different techniques to get their malicious ads in front of users.

  • Direct purchase: Attackers pose as representatives of a trusted organization and purchase ad space directly from the websites.
  • Leverage ad exchanges: Attackers post their ads in an ad network that supplies ad space to websites. This automated distribution process makes it difficult to identify the source of an ad as well as the sites on which it is published.
  • Exploit technical vulnerabilities: Attackers use a vulnerability to compromise ad networks, DSPs, etc. They then replace the legitimate ads with malicious code, which is sent out to any number of destinations.

Real Time Bidding

The traditional ways of online advertising have many faults. For advertisers, buying impressions in bulk using the CPM model is not very efficient, and for publishers, 70% of their inventory remains unsold. So a new approach was introduced, called RTB (real time bidding).

RTB is a method of buying and selling online ad impressions through real-time auctions that take place in the time it takes a web page to load. Ad exchanges and supply side platforms are the most used bidding venues. RTB uses per-impression context and targets ads to specific people based on data about them. It is a dynamic bidding process in which each impression is bid on individually, which makes it easier for ad networks to buy the inventory they want. In RTB, every online ad impression is evaluated, bought and sold independently and on the spot. It lets exchanges and buyers work together to place bids on ads and to sell them. RTB also ensures that the ad has the right content and is delivered to the right person at the right time, rather than being displayed indiscriminately.

Real time bidding is currently used on web and mobile platforms and social networking sites, and it is seen as the future of the ad market.

How It Works

[Figure: how real time bidding works]

When a user visits a website, a bid request is generated which includes site information, user information, browsing history and location. This information is passed to an ad exchange, which aggregates inventory from publishers. The ad exchange puts the impression up for auction to the advertisers to find out who is ready to pay the highest price for it. The winning bidder's ad is then displayed in the browser. The whole process happens within milliseconds.

Attack Process

Before starting the attack, or as the initial stage of the attack, the attacker must learn about the victim and his environment. Session hijacking, also known as cookie hijacking, is a method of taking over a web user's session by obtaining the session ID and masquerading as the authorized user.

Mainly there are three methods by which cookie hijacking is done:

  • Session Fixation

Session fixation is an attack in which the attacker sets a user's session ID to one that is known to him. Depending on the methods used by the target web site, different techniques (such as cross site scripting) can be used to fix the session ID value. Once the victim's session ID is fixed, the attacker waits for that victim to log in. Once the user logs in, the attacker uses the predefined session ID value to assume the same online identity.

Generally speaking, there are two types of session management systems when it comes to ID values. The first type is "permissive" systems, which allow the web browser to specify any ID. The second type is "strict" systems, which only accept server-side-generated values. In a permissive system, the browser can present a session ID that the web site itself never issued.

Session fixation attacks can be mounted against any web site that uses sessions to identify authenticated users. Most web sites are cookie-based, and unfortunately cookie-based sessions are easier to attack. In contrast to stealing a user's session ID after they have logged in, in session fixation the active part of the attack takes place before the user logs in.
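The "strict" session handling described above, as an added illustration that is not part of the original article: a constructed in-memory session store that accepts only IDs it minted itself and issues a fresh ID at login, so an ID planted in the browser before authentication never becomes a logged-in session.

```python
import hmac
import secrets


class SessionStore:
    """Strict, server-side session store (constructed example).

    Only IDs generated by the server are accepted, and the ID is rotated
    at login, which is the standard defence against session fixation.
    """

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str | None}

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unguessable, server-chosen ID
        self._sessions[sid] = {"user": None}
        return sid

    def lookup(self, presented_id):
        """Return (id, session) for a presented cookie value, or None.

        A permissive store would create a session for any unknown ID here;
        this strict store only recognises IDs it generated itself.
        """
        if presented_id is None:
            return None
        for sid, sess in self._sessions.items():
            if hmac.compare_digest(sid.encode(), presented_id.encode()):
                return sid, sess
        return None

    def login(self, presented_id, user):
        """Authenticate and rotate the session ID.

        Returns the new ID that the Set-Cookie header should carry; the
        pre-login ID (whether genuine or attacker-chosen) is retired.
        """
        found = self.lookup(presented_id)
        if found is not None:
            old_sid, _ = found
            del self._sessions[old_sid]
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def current_user(self, presented_id):
        found = self.lookup(presented_id)
        return None if found is None else found[1]["user"]
```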

  • Side Jacking

Side jacking is the method of taking over someone's access to a website. Packet sniffers are mainly used to do this: they capture an unencrypted cookie that grants access to a specific website, such as webmail, Gmail, etc. This lets the attacker act as the real user.

Once the session is logged off, the attacker loses access, because in this type of attack obtaining the user's username and password is not possible, and when the next authentication (logging in with the correct username and password combination) is required, the bad actor is locked out. SSL is one of the main methods used for encryption, but many sites do not encrypt data after login and are therefore open to this type of attack.

  • Cross Site Scripting (XSS)

Cross site scripting is a computer security vulnerability mostly found in web applications. XSS lets attackers inject malicious code into client side script that is then viewed by other users. VBScript, ActiveX, HTML and Flash are the main scripts injected into a vulnerable dynamic page to fool the user. Such scripts execute on the victim's machine in order to gather data. XSS might compromise private information, steal cookies, inject malicious code, etc. The payload is usually formatted as a hyperlink containing malicious code that circulates over the Internet.

Once cookie hijacking is done, the attacker learns what the user is interested in, and advertisements are created based on this analysis. Once the advertisements are created, placing them on the targeted website is the difficult part. Real time bidding is the method used nowadays for advertisements, and many intermediaries (inventories, ad exchanges, etc.) are present in the RTB process cycle. So it is a great challenge for an attacker to get past all of them and be the highest bid, because only the highest bid is displayed on the web page. To overcome this, the attacker tries to compromise the network.

Once the collection of cookies is finished, he creates or downloads an ad matching the victim's interests and injects malicious code into it. When the user loads the page, the malicious ad is displayed; once he clicks on it, he is directed to another page which installs a backdoor Trojan on his system and makes that system part of a botnet.

[Figure: stages of the attack]

  • Diagram Explanation

Different stages of the attack are explained in the above diagram:

a) Using session hijacking techniques, the attacker collects information about the victim, who works at company ABC. He learns that the victim is interested in anti-aging creams.

b) The attacker downloads or creates an ad closely related to anti-aging creams and embeds malicious code or unwanted redirections in it.

c) Using attack methods, the attacker somehow compromises the bidding network and makes his ad the highest bid (in certain cases the attacker may go for a direct purchase instead).

d) When the user visits his company site, he finds this ad about anti-aging creams.

e) The user clicks on the ad.

f) The user is redirected to unwanted pages, which install backdoor Trojans on his system and make him part of a botnet.

  • Screen Shots

Invincea found ODC in some US defense companies. Screenshots of the compromised sites used against the defense firms were posted below:

  • Fleaflicker.com [screenshot]
  • Gpokr.com [screenshot]
  • webmail.com [screenshot]

Detection

Network data and host file data can be monitored to detect DeathClick attacks. A combination of open source tools such as Snort, Splunk and Squert can be used to monitor the network and to find potential attacks.

Some of the factors associated with this type of APT attack:

  • Changes in network traffic and outbound transfers.
  • Transfer of huge amounts of data to external locations outside office hours.
  • Queries to dynamic DNS names.
  • Unexpected searches for files and locations.
  • Two-way communication with external IP addresses.
  • External access made through API calls and recognized proxies.
  • Router, firewall and other device configurations being changed.
  • Increased number of IDS events.
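Two of the indicators above (after-hours bulk transfers to external locations and queries to dynamic DNS names) turned into a small detection pass over log lines, as an added example that is not part of the original article. The log format, the office-hours window, the size threshold and the dynamic DNS suffix list are all assumptions constructed for the example.

```python
from datetime import datetime

# Constructed proxy log lines: "<ISO time> <src ip> <destination host> <bytes out>"
SAMPLE_LOG = """\
2014-11-03T10:15:02 10.0.0.12 intranet.example.com 2048
2014-11-03T23:41:17 10.0.0.12 update.hopto.org 52428800
2014-11-04T02:05:44 10.0.0.25 cdn.example.net 73400320
2014-11-04T11:30:09 10.0.0.31 files.example.org 80000000
"""

# Illustrative watch list of free dynamic DNS suffixes (not exhaustive).
DYNAMIC_DNS_SUFFIXES = (".hopto.org", ".no-ip.org", ".dyndns.org", ".duckdns.org")

OFFICE_HOURS = range(8, 19)               # 08:00 to 18:59 local time (assumed)
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024   # 50 MiB (assumed threshold)


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, host, out = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src,
            "host": host, "bytes_out": int(out)}


def findings_for(event):
    """Return the names of the indicators a single event triggers."""
    hits = []
    if event["host"].lower().endswith(DYNAMIC_DNS_SUFFIXES):
        hits.append("dynamic-dns")
    large = event["bytes_out"] >= LARGE_TRANSFER_BYTES
    if large and event["time"].hour not in OFFICE_HOURS:
        hits.append("after-hours-transfer")
    return hits


def scan(log_text):
    """Map each internal source address to the set of indicators seen for it."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for name in findings_for(event):
            report.setdefault(event["src"], set()).add(name)
    return report


if __name__ == "__main__":
    for src, hits in sorted(scan(SAMPLE_LOG).items()):
        print(src, sorted(hits))
```

Hosts that only transfer large amounts during office hours (10.0.0.31 in the sample) are deliberately not flagged, so the pass surfaces the combination of volume and timing the indicator list describes rather than volume alone.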

Snort: Snort is a widely used intrusion detection and prevention system. It can analyze traffic in real time as well as log packets on IP networks. It can also perform protocol analysis and content searching and matching, and detect buffer overflows, port scans, CGI attacks, etc.

Snort has three modes:

  • Sniffer: read network packets and display them on the console.
  • Packet logger: log packets to disk.
  • Intrusion detection: monitor network traffic and analyze it against a rule set.

Scapy: Scapy can craft different types of packets for many protocols. It is driven from Python scripts and can be used for various kinds of detection; it can send, receive and match packets against the requests that produced them.

OSSEC: a host-based intrusion detection system. Log analysis, file integrity checking, rootkit detection and alerting are performed by its correlation and analysis engine. It is actively supported and runs on most operating systems.

Splunk: collects logs and other data from servers and various network devices. It can be used to search, monitor, and create graphs and reports.

Sguil: the Sguil GUI gives access to session data, raw packet data, real time events, etc. It also supports various security monitoring and event-driven analysis tasks.

Squert: a web application for viewing and querying event data. It provides additional context to events with the help of metadata, time series representations, and weighted and logically grouped result sets.

Mitigation

These attacks are detailed and multiphase in nature, so they seem impossible to prevent, but organizations can take some preventive measures.

Many researchers advise that APT attacks like DeathClick can be mitigated to a certain extent by following security best practices. Companies should test their protection mechanisms regularly to check that they are working properly. Organizations should also have a vulnerability management system that can quickly mitigate any attack on their systems.

Prioritizing content by importance is one of the best steps any organization can take. The most sensitive and valuable data should be protected with the strongest security measures.

Mitigation is always a problem with APT attacks. Most zero day attacks eventually get patches, but for this type of attack, no patch is possible, so the mitigation process remains more complex. Some of the techniques that can be adopted against such attacks are:

  • Keep up to date with the threat landscape: make sure that the whole security team is aware of recent attacks and how they take place.
  • Prevent social engineering through education: make everyone aware of the policies.
  • Update network based security services: review all SSL, IPsec and VPN connections and make sure that users have access only to the internal network.
  • Get updated with next generation firewalls.
  • Advanced threat detection appliances: make sure they take appropriate measures to detect zero day malware and other attacks.
  • Email and web content security.
  • Automated monitoring, correlation and analysis.
  • Use proper sandbox testing methods.
  • DNS based intelligence.
  • Sandbox analysis for unknown threats.
