5 Reasons to Focus on Malware Delivery Mechanisms

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Originally published by Security Magazine


Defending against today’s pervasive web-based malware is no longer straightforward. According to Symantec’s Monthly Threat Report, the number of web attacks almost doubled in April of this year alone, from 584,000 per day to 1,038,000 per day. Bad actors – seasoned cyber criminals, hacktivists, insiders, script kiddies and more – target premium, frequently whitelisted websites with motives ranging from financial gain to espionage and sabotage. These attacks are more targeted, more complex and harder to detect, and when an employee visits an infected website the damage to the enterprise network can be debilitating. Traditional defenses such as blacklists, whitelists, generic threat intelligence, antivirus, web filters and firewalls do not offer comprehensive protection. An alternative approach is necessary, especially in how malware data is handled.

Managing malware data needs a paradigm shift

Currently, information security (InfoSec) and IT teams are trained to focus on the context of web-based malware: what the payload might be, whether it is replicating or morphing, where the payload analysis is, who is targeting the website and why, along with a host of other variables. These are valid questions, but they should be asked after action is taken to block the malware, not as a precondition for taking action.

Using existing analysis tactics to assess the ever-increasing volume of malware information is a Sisyphean task in the digital environment. The time it takes to agree that something is malicious is directly proportional to your network’s exposure to web-based malware.

It’s time for InfoSec and IT teams to take a new, proactive approach to shielding customers and Internet real estate from web-based malware. It starts with adopting this simpler definition of malware: “Any code, program or application that behaves abnormally or that has an unwarranted presence on a device, network or digital asset.”

In essence, any code or behavior not germane to the intended execution of a web-based asset is considered malware. While this definition covers the obvious overt offenders it also includes seemingly non-malicious items including toolbars, redirects, bot drops, etc. Adopting a simple, yet broad definition enables you to focus on shielding your enterprise network from a wide range of active and potential malware attacks.

Understanding the digital environment is critical to breaking the analysis paralysis cycle and replacing it with a “block and tackle” approach. To do so, IT professionals need to focus on what matters: identifying the delivery mechanism in order to stop malware from penetrating the enterprise network. Here are five reasons why you should focus on the delivery mechanism:

Reason 1: Temporal malware is still dangerous

Web-based malware, meaning malware delivered via the consumer internet (the news, weather, travel, social and ecommerce sites a typical person visits in the course of daily activities), is fleeting. Research from The Media Trust shows that in many cases web-based malware is active for as little as a few hours, leaving little time for a deep-dive analysis before blocking the offending domains. If you spend that window on analysis, you remain exposed: even if the malware does not infect your organization at the outset, it will most likely morph into another malicious domain or code and retarget the website with something more debilitating, such as ransomware or keystroke logging.

Reason 2: Non-overt malware will turn on you eventually

Malware does not need to be complex or overtly malicious from the start or upon initial detection. Annoying or seemingly innocuous behavior such as out-of-browser redirects, excessive cookie use, non-human clicks/actions or toolbar drops qualifies as malware. While these behaviors may initially appear benign, they frequently reveal their true intention on a closer look at both Indicators of Compromise (IOC) and Patterns of Attack (POA).

This happens often: reports suggest that every year researchers track 500+ malware evasion tactics used to bypass detection. For instance, a recent attack on several small and mid-tier ecommerce websites showed malicious domains executing at varying time intervals and, in at least one instance, moving from website to website across geographies to avoid detection. In other cases, malware is specifically coded to look benign and to execute only when certain conditions are met, e.g., geography, device, user profile or a combination of these. Delayed execution that stretches over weeks or months is an effective technique for evading most scanners. An auto-refreshing ad in the browser or an alert to update software could be a red flag.

Reason 3: What’s in a name? 

While names are necessary to tag malware, there is a tendency to fixate on labels before blocking the malware itself. For professionals on the front lines of keeping web-based malware off the enterprise network, focusing on the name can increase dwell time and do more harm than good. Focusing instead on the compromised or malicious domains that deliver the malware gives teams better insight and lets them block it before it penetrates the network.

Reason 4: Past malware doesn’t predict future attacks

Just because malware has been validated with a name or belongs to a recognized family does not mean that information will reliably defend against future attacks. The polymorphic nature of web-based malware allows it to propagate via different domains in various shapes and forms: embedding malicious code in a web page through a particular CMS platform, executing an out-of-browser redirect, or presenting a fake system update alert. Not only is the delivery channel constantly changing, but the intent and payload may change as well. Relying on past research is not a foolproof defense against ever-changing malware propagating through the digital ecosystem, a complex and mostly opaque environment.

Reason 5: Death by analysis

Extensive analysis of web-based malware before blocking it can have severe repercussions, whether a compromised endpoint or a larger network breach. Once web-based malware reaches an endpoint it is already past the security perimeter, and remediation is required. According to reports, the average cost for an enterprise to clean up a web-based attack is estimated at $96,000 or more. Think of how many resources – people, time, money – could be saved if malware were blocked immediately upon detection.

By focusing on the delivery mechanism, security professionals can take a proactive stance to harden website defenses against web-based malware and significantly reduce the time to action when securing endpoints and enterprise networks. A real-time response is required; any delay provides the perfect window of opportunity for an attack to succeed.

Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from $10,000 to $400,000 a day, they risk significant revenue loss and damage to consumer confidence. The compromise also demonstrates inadequate security processes, even where those processes comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection spread gradually to a number of small and mid-tier ecommerce sites in the US, UK and India over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) as the consumer-facing front end. The CMS platform’s master page script is infected with one of several malicious domains. The malicious domain is referenced in the website’s footer section, which means it is loaded on every page of the site, not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out the attack. In the following scenario, the landing page contains a reference to <assetsbrain[dot]com>, extraneous code that is not needed for the proper execution of a payment.

[Image 1: Malicious domain in the website’s footer]

When the victim proceeds to the checkout page, <assetsbrain[dot]com> performs two distinct actions: it executes JavaScript to inject a transparent overlay on top of the payment card information block, and it drops a user-identifying cookie.

[Image 2: Execution of the transparent overlay]

After the card details are entered, the malicious script sends them to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator never receives the card details, the shopper sees an error message and/or a request to re-submit their payment information. The unauthorized cookie marks the user as already harvested, so the malicious script does not execute when the user re-enters the card details, which lets the second submission reach the retailer normally.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. First released in 2004 and maintained by the PCI Security Standards Council since its formation in 2006, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used in payment transactions, including online ones. Backed by the world’s largest card brands, PCI DSS requires online merchants to conform to a set of requirements such as regular website and server vulnerability scanning.

The affected ecommerce sites display no certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) scanners are not able to detect malicious behavior that third-party code exhibits only when it executes in the visitor’s browser.

Underlining the limits of signature- and reputation-based scanning, all of the domains involved (the ecommerce providers, the initial malicious domain and the spoofed payments platform) were rated clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards: Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.
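As an added example (not The Media Trust’s code, nor the affected CMS’s), the following Node.js script applies the audit and allowlist advice above to the scenario in this post: it pulls every absolute URL out of a checkout page, reports hosts the merchant has not approved, and flags any that sit one or two edits away from a real payments provider, the way bralntree.com imitates braintree.com. The HTML, the merchant allowlist and the trusted-domain list are constructed for the example; the registrable-domain helper is a simplification noted in the comments.

```javascript
// Added example: audit a checkout page's HTML for the skimmer indicators the
// write-up describes (an off-allowlist script injected site-wide and an
// exfiltration host that typosquats a real payments provider). Not The Media
// Trust's code; the HTML, hostnames and allowlist below are constructed.
// Runs under Node.js with no dependencies.

// Hypothetical merchant's approved hosts (the output of the vendor audit).
const MERCHANT_ALLOWLIST = new Set([
  "shop.example",
  "cdn.shop.example",
  "js.braintreegateway.com",
]);

// Legitimate payment-provider domains a skimmer is likely to imitate.
const TRUSTED_PAYMENT_DOMAINS = ["braintree.com", "stripe.com", "paypal.com"];

// Constructed checkout page: the footer script and the inline exfiltration
// URL mirror the pattern in the campaign above (assetsbrain.com, bralntree.com).
const SAMPLE_HTML = `
<html><body>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://js.braintreegateway.com/web/3.85.2/js/client.min.js"></script>
<form id="checkout" action="/checkout/submit"><!-- card fields --></form>
<footer>
  <script src="https://assetsbrain.com/lib.js"></script>
  <script>
    // Skimmer body omitted; only the exfiltration endpoint is shown.
    var EXFIL = "https://bralntree.com/checkPayments.php";
  </script>
</footer>
</body></html>`;

// Classic edit distance (single-row DP); a one-letter swap such as l -> i scores 1.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                   // deletion
        prev[j - 1] + 1,                               // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),        // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Naive registrable domain (last two labels). A real tool would consult the
// Public Suffix List, since suffixes such as "co.uk" break this shortcut.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Every absolute http(s) URL in the page, in order of first appearance:
// script/img src, form actions and string literals inside inline scripts.
function extractHosts(html) {
  const hosts = [];
  for (const m of html.matchAll(/https?:\/\/[^\s"'<>)]+/g)) {
    try {
      const h = new URL(m[0]).hostname;
      if (!hosts.includes(h)) hosts.push(h);
    } catch {
      // malformed URL in page text; ignore
    }
  }
  return hosts;
}

// Which trusted payment domain does this host imitate, if any?
// Threshold of two edits is an assumption for the example.
function lookalikeOf(host, trusted = TRUSTED_PAYMENT_DOMAINS) {
  const d = registrableDomain(host);
  for (const t of trusted) {
    const dist = levenshtein(d, t);
    if (dist > 0 && dist <= 2) return t;
  }
  return null;
}

// Findings are hosts not on the allowlist, annotated with any payment-brand
// lookalike so the analyst sees the spoof immediately.
function auditPage(html, allowlist = MERCHANT_ALLOWLIST) {
  return extractHosts(html)
    .filter((h) => !allowlist.has(h))
    .map((h) => ({ host: h, reason: "not-allowlisted", mimics: lookalikeOf(h) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPage(SAMPLE_HTML)) {
    console.log(`${f.host}: ${f.reason}${f.mimics ? ` (lookalike of ${f.mimics})` : ""}`);
  }
}
```

Run it against page source captured by a client-side scan (one that executes the page rather than a static crawl, so code injected at run time is present). The two-edit lookalike threshold is an assumption to tune against your own vendor list, and the last-two-labels shortcut should give way to a Public Suffix List lookup in production.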

Did malvertising kill the video star?


Large-scale video malware attack propagates across thousands of sites

Malware purveyors continue to evolve their craft, creatively using video to launch a large-scale malvertising attack late last week. Video has been an uncommon vector for malware, though its use is on the rise. What is different here is the massive reach of this particular attack and its ability to hit all browsers and devices. Much as The Buggles lamented video changing how music is consumed, this attack used video to orchestrate mayhem across 3,000 websites, many of them on the Alexa 100. Is this the future?

Charting the infection

The Media Trust team detected a surge in the appearance of the ad-based attack late Thursday night and immediately alerted our client base to the anomalous behavior of the malware-serving domain (brtmedia.net). As it unfurled, the team tracked the creative approach to obfuscation. (See image)

First, the domain leveraged the advertising ecosystem to drop a video-player-imitating SWF file on thousands of websites. The file identified the website domain (purposefully, to avoid detection by many large industry players) and then injected malicious JavaScript into the website’s page. Imitating a bidding script, the “bidder.brtmedia” JavaScript determined the video tag placement size (e.g., 300×250) and called a legitimate VAST file. As the video played, a 1×1 tracking iframe was injected into the browser, which triggered a “fake update” or “Tripbox” popup deceptively notifying the user to update an installed program. (In the example below, the user is instructed to update their Apple Safari browser.) Unsuspecting users who clicked on the fake update unwittingly downloaded unwanted malware to their device.
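As an added example, not The Media Trust’s or brtmedia’s code, the JavaScript below implements detection heuristics for the last two stages of that chain: a cross-origin iframe of 1×1 pixels or smaller injected after the creative loads, and a popup whose text is update bait and whose click target is off-site. The checks are pure functions so they can be run and tested under Node; installWatcher() wires them to a MutationObserver in a browser. The size threshold, the bait phrases and the sample values are assumptions.

```javascript
// Added example: heuristics for the injected 1x1 tracking iframe and the
// fake "update your browser" popup described in the write-up. Not The Media
// Trust's or brtmedia's code. Threshold and bait phrases are assumptions.

const HIDDEN_FRAME_MAX_PX = 1;
const FAKE_UPDATE_PATTERNS = [
  /update (your )?(browser|safari|chrome|firefox|flash|player)/i,
  /your (browser|software|player) is out of date/i,
];

// Parse a width/height value; missing or non-numeric means "unknown", not 0.
function px(v) {
  if (v === null || v === undefined || v === "") return NaN;
  return Number(v);
}

// frame: { src, width, height, pageUrl }. Cross-origin frames are normal in
// ad slots; a cross-origin frame that is also 1x1 or smaller is the tell.
function classifyFrame(frame) {
  const reasons = [];
  const w = px(frame.width);
  const h = px(frame.height);
  if (Number.isFinite(w) && Number.isFinite(h) &&
      w <= HIDDEN_FRAME_MAX_PX && h <= HIDDEN_FRAME_MAX_PX) {
    reasons.push("hidden-1x1");
  }
  try {
    const frameHost = new URL(frame.src, frame.pageUrl).hostname;
    if (frameHost !== new URL(frame.pageUrl).hostname) reasons.push("cross-origin");
  } catch {
    reasons.push("unparseable-src");
  }
  return {
    suspicious: reasons.includes("hidden-1x1") && reasons.includes("cross-origin"),
    reasons,
  };
}

// Returns the bait phrase matched, or null.
function fakeUpdateBait(text) {
  for (const p of FAKE_UPDATE_PATTERNS) {
    const m = text.match(p);
    if (m) return m[0];
  }
  return null;
}

// popup: { text, targetUrl, pageUrl }. Update bait plus an off-site click
// target is the fake-update pattern; a first-party notice is left alone.
function classifyPopup(popup) {
  const bait = fakeUpdateBait(popup.text || "");
  let offsite;
  try {
    offsite = new URL(popup.targetUrl, popup.pageUrl).hostname !== new URL(popup.pageUrl).hostname;
  } catch {
    offsite = true; // unparseable target: treat as untrusted
  }
  return { suspicious: Boolean(bait) && offsite, bait, offsite };
}

// Browser-only: watch the DOM for injected frames and bait text after the
// ad creative has started. report(kind, detail, reasons) is the caller's sink.
function installWatcher(doc, report) {
  if (typeof MutationObserver === "undefined") return null;
  const pageUrl = doc.location.href;
  const obs = new MutationObserver((muts) => {
    for (const m of muts) {
      for (const n of m.addedNodes) {
        if (n.nodeName === "IFRAME") {
          const v = classifyFrame({
            src: n.getAttribute("src") || "",
            width: n.width || n.clientWidth,
            height: n.height || n.clientHeight,
            pageUrl,
          });
          if (v.suspicious) report("frame", n.getAttribute("src"), v.reasons);
        } else if (n.nodeType === 1 && fakeUpdateBait(n.textContent || "")) {
          report("popup", (n.textContent || "").trim().slice(0, 80), ["fake-update-text"]);
        }
      }
    }
  });
  obs.observe(doc.documentElement, { childList: true, subtree: true });
  return obs;
}
```

In a browser the watcher should be installed before any ad tag runs, so that the frame injected during video playback is observed rather than already present. Both classifiers err towards the documented pattern: a same-origin 1×1 pixel or a large cross-origin ad frame is not flagged, which keeps the noise from ordinary analytics and ad slots down.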

The compromise continued unabated for hours, with The Media Trust alerting clients to attempts to infect their websites. This issue was resolved when brtmedia finally ceased delivery, but only after tainting the digital experience for thousands of consumers.

[Image: Process flow for video-borne malware infection]

The devil in the artistic details

The use of video as a malware vector is increasing. As demonstrated above, video and other rich media provide avenues for compromising the digital ecosystem, impacting both ads and websites.

The clever design and inclusion of multiple obfuscation attempts allowed this attack to propagate across some of the largest, most heavily-trafficked sites. As The Media Trust clients realized, the best defense against this kind of attack is through continuous monitoring of all ad tags and websites, including mobile and video advertising.

Leaving the light on…and exposing visitors to malware

Hotel websites are vulnerable to malware and data leakage


The hotel industry is poised for continued growth in 2015, coming off a stellar 2014 which saw occupancy rise to levels not seen in more than 20 years. With the World Tourism Organization projecting more than 1.4 billion international journeys in the year 2020, you can bet that hotel websites will play a central role in fulfilling these travel needs.

What are hotels doing to secure a share of this volume? Many incorporate video, add feedback collection and recommendation features, leverage blogs, or enhance the content management system. These various services provide for a more interactive and engaging website, as well as enable the site to be optimized. But, did you know that they also represent an entry point for malware and data leakage that can expose a customer’s personally identifiable information?

Yes, hotel ecommerce sites are rife with third-party vendors. As outlined in our recent blog post, brand and ecommerce site managers are not doing enough to protect the online and mobile environment FOR their customers. And hotel websites are no different. In fact, current industry rumors point to a manipulation of an account-checking tool used by a major hotel chain. The compromised tool, in concert with stolen passwords, allowed fraudsters to open new accounts and transfer rewards points which were then exchanged for gift cards. So that got The Media Trust thinking about other website vulnerabilities faced by hotels.

In early December, The Media Trust analyzed the 34 top hotel websites, as listed in STORES magazine’s annual “2013 Top 250 Global Hotels” report published in January 2014. Analysis involved the scanning of all public-facing website pages and the capture of all third-party vendors, domains and cookies present on each hotel’s site.

Over a seven-day period, The Media Trust’s Media Scanner scanned each hotel’s website homepage and major sections 250 times a day—a total 1,750 scans across each site. Each scan executed the web page as if being viewed by a typical consumer, and collected and analyzed all third-party code, content and text for security, latency and data leakage issues. Leveraging our presence in more than 500 global locations, The Media Trust replicated a true user experience as if a real consumer visited the website, and therefore did not have the ability to collect actual visitor data.

The results were interesting. The average site utilized 47 different domains, 31 vendors and 65 cookies; however, some outlier hotel sites used as many as 134 domains and 148 cookies.

                    Average    High
Domains:               47      134
Vendors:               31       57
Cookies:               65      148

What does this mean? That’s a good question. In theory, low numbers are preferred from a manageability perspective as each domain, vendor or cookie represents an access point to or action on a site—the fewer utilized in site operation, the fewer to manage. However, the reality is that a sizeable number of third-party vendors, domains and cookies are found on most sites as they provide the interactive and engaging functionality executing on browsers.

This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware; or, redirect visitors to another, possibly malicious, website or app; or, secretly collect website visitor (first-party) data. In addition, each third party can call dozens of fourth or fifth parties which exponentially increases the risk to site visitors.

Browser cookies provide essential site functions, including the ability to navigate without repeating data entry such as destination, travel dates and room requirements. However, the process of dropping the cookie can easily be compromised by an unauthorized party piggybacking on the cookie. In addition, some third-party vendors drop cookies to collect website visitor/first-party data without website owner/operator knowledge. Known as “data leakage”, these cookies track valuable user behavior—data about guests, their interests and travel periods—which can be resold into the online ecosystem for customer targeting by competitors or industry partners. If that data includes personally identifiable information (PII) the website owner/operator could be subject to data privacy violations. With state attorneys general and the federal government cracking down on PII, hotels must be mindful of public-facing website properties and what is executing on visitor browsers.
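The counts in the table above come from inventorying every request and cookie a scan observes. As an added example, not The Media Trust’s Media Scanner code, the Node.js snippet below reconstructs that inventory from a constructed set of scan records: it assigns each host a party level by walking the initiator chain (first, third, fourth, fifth party), totals domains and cookies, and lists cookie-setting hosts the hotel never approved, the data-leakage candidates this post describes. The hostnames, the approved-vendor list and the records are all made up for the example.

```javascript
// Added example: inventory the third-party chain a scan of a hotel page turns
// up. Not The Media Trust's code; records, vendors and approved list are
// constructed. Each record is one request the page made: its URL, the URL
// whose code initiated it (null for the top document), and cookies it set.

const FIRST_PARTY = "www.hotel.example";

// Vendors the hotel has documented and approved (hypothetical).
const APPROVED_VENDORS = new Set(["tagmanager.example", "reviews-widget.example"]);

const SAMPLE_SCAN = [
  { url: "https://www.hotel.example/", initiator: null, cookies: ["session"] },
  { url: "https://www.hotel.example/rooms.json", initiator: "https://www.hotel.example/", cookies: [] },
  { url: "https://tagmanager.example/gtm.js", initiator: "https://www.hotel.example/", cookies: [] },
  { url: "https://reviews-widget.example/w.js", initiator: "https://www.hotel.example/", cookies: ["rw_uid"] },
  // The tag manager pulls in an ad pixel, which in turn pulls in a data partner.
  { url: "https://pixel.adexchange.example/p.gif", initiator: "https://tagmanager.example/gtm.js", cookies: ["axid"] },
  { url: "https://sync.datapartner.example/s", initiator: "https://pixel.adexchange.example/p.gif", cookies: ["dp_sync", "dp_seg"] },
];

const hostOf = (url) => new URL(url).hostname;

// 0 = first party, 1 = third party, 2 = fourth party, 3 = fifth party ...
function partyLabel(level) {
  const names = ["first", "third", "fourth", "fifth", "sixth"];
  return level < names.length ? `${names[level]} party` : `level-${level} party`;
}

// Walk the initiator chain: a hop to a new host adds one level; requests a
// host makes to itself stay at its level. Memoised per URL.
function partyLevels(records, firstParty) {
  const byUrl = new Map(records.map((r) => [r.url, r]));
  const memo = new Map();
  function levelOf(r) {
    if (memo.has(r.url)) return memo.get(r.url);
    const h = hostOf(r.url);
    let lvl;
    if (h === firstParty) {
      lvl = 0;
    } else {
      const parent = r.initiator ? byUrl.get(r.initiator) : null;
      if (!parent) lvl = 1; // unknown initiator: treat as a direct third party
      else lvl = hostOf(parent.url) === h ? levelOf(parent) : levelOf(parent) + 1;
    }
    memo.set(r.url, lvl);
    return lvl;
  }
  const levels = {};
  for (const r of records) {
    const h = hostOf(r.url);
    const lvl = levelOf(r);
    levels[h] = levels[h] === undefined ? lvl : Math.min(levels[h], lvl);
  }
  return levels;
}

function analyzeScan(records, firstParty, approved) {
  const levels = partyLevels(records, firstParty);
  const cookieSetters = new Set();
  let cookieCount = 0;
  for (const r of records) {
    cookieCount += r.cookies.length;
    if (r.cookies.length) cookieSetters.add(hostOf(r.url));
  }
  const hosts = Object.keys(levels);
  return {
    domainCount: hosts.length,
    cookieCount,
    levels,
    // Fourth parties and beyond: hosts the hotel never contracted with directly.
    deepParties: hosts.filter((h) => levels[h] >= 2),
    // Cookies dropped by non-first-party hosts the operator never approved.
    unapprovedCookieSetters: [...cookieSetters].filter(
      (h) => levels[h] > 0 && !approved.has(h),
    ),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = analyzeScan(SAMPLE_SCAN, FIRST_PARTY, APPROVED_VENDORS);
  console.log(`${r.domainCount} domains, ${r.cookieCount} cookies`);
  for (const [h, lvl] of Object.entries(r.levels)) console.log(`  ${h}: ${partyLabel(lvl)}`);
  console.log("unapproved cookie setters:", r.unapprovedCookieSetters.join(", "));
}
```

The initiator field is what a scanner that executes the page can record (the script or frame whose activity triggered each request); a static crawl cannot supply it, which is why the party depth, and with it the fourth- and fifth-party exposure the post warns about, is only visible from a client-side scan. Repeating the analysis across the scan runs and keeping the union of hosts per site gives the per-site domain, vendor and cookie counts the table reports.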

Hotel websites are vulnerable to data leakage and malware, and this vulnerability opens the door to litigation and significant brand damage. For these reasons website owner/operators need to thoroughly identify, approve and monitor third-party vendors and their activities at all times.

The big question is: How are the major hotel chains managing their public-facing websites to protect their customers?