What is the state of malvertising and drive-by downloads in 2020?
A new Confiant report explores “the details behind a recent spree of website hacks” as well as the malicious payloads delivered to victims. The report also includes details on drive-by downloads, their current state in major browsers, and how they will be addressed in the future.
There’s more to malvertising than meets the eye
The researchers also look into malvertising campaigns, aiming to provide “a much broader landscape beyond what merely happens in the ad slot”. In other words, there’s more to malvertising than malicious ads. Media buys may be a preferred option for an entry point, but they are not the only option available.
In a typical malvertising chain, there are multiple handoffs, similar to a traditional ad-tech-driven CPA campaign. With malware, it just so happens that the latter stages of the handoff happen among sketchy middlemen that pull the victim to a malicious landing page, Confiant explains.
The researchers closely inspected a malicious incident that happened to the Android app version of BoingBoing in January 2020, when malicious overlays were detected on the website. Initially believed to be a “bad ad” incident, the same attack was later detected on other websites as well:
Over the following weeks, we detected this attack on a multitude of sites. Usually this manifests through a CMS compromise that introduces this malicious payload.
In other words, it turned out that the supposed malvertising campaign was not related to malvertising. In fact, BoingBoing’s CMS was hacked, and a script was injected that displayed the malicious overlays to visitors.
A question then appeared: even though the BoingBoing attack wasn’t malvertising, could a similar scenario happen via malvertising and sandboxed iframes?
Most ads rely on sandboxed iframes to embed an ad on a web page. Since ads are typically controlled by third parties, the iframes are usually sandboxed to improve security and restrict what those third parties can do.
How are browsers doing?
To check whether the malicious script would lead to a drive-by download of an APK in sandboxed cross-origin iframes, the researchers created a proof-of-concept page to test several browsers.
The inspiration for doing this analysis was the shocking discovery that most browsers will honor forced downloads from cross-origin frames. In fact, forced downloads like this are still often possible in Sandboxed Cross-Origin iframes, having only been addressed in Chrome for this last release of Chrome 83, the report explained.
However, things are not as good with Mozilla Firefox, as this browser doesn’t prevent downloads in cross-origin iframes, which leads to the user being prompted to download the file. A similar picture was seen in the Brave browser. As for Safari, for some reason the browser “wants to honor the download, but seems to just get stuck” without even finishing it.
Mobile browsers displayed inconsistent behavior:
For example, Android browsers are quick to warn you when the download is a file with an APK extension, but anything else often doesn’t even get a prompt.
As pointed out in the report, it is quite surprising that in 2020 we can still force downloads not initiated by the user, without any prompt, from cross-origin iframes in most major browsers. The question of why remains unanswered.
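For publishers who want to check their own embeds, the sandbox download restriction discussed above can be audited statically. The following is an added example, not code from the Confiant report: it assumes the Chrome 83 change is the blocking of downloads from sandboxed iframes that lack the `allow-downloads` token, and the sample markup, host names and function names are constructed for illustration.

```javascript
// Constructed sample: a publisher page with four embeds (hosts are placeholders).
const SAMPLE_PAGE = `
<iframe src="https://ads.example.net/slot1" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://ads.example.net/slot2" sandbox="allow-scripts allow-downloads"></iframe>
<iframe src="https://cdn.example.org/widget"></iframe>
<iframe src="/local/frame.html" sandbox></iframe>`;

// Parse the attributes of one opening tag into a Map (names lowercased).
function parseAttrs(attrText) {
  const attrs = new Map();
  const re = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Report, for every iframe, whether the sandbox download flag is in effect.
// Simplification: assumes no attribute value contains a literal ">".
function auditIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.get("src") || "";
    const crossOrigin = src !== "" && new URL(src, pageUrl).origin !== pageOrigin;
    const sandboxed = attrs.has("sandbox");
    const tokens = (attrs.get("sandbox") || "").toLowerCase().split(/\s+/).filter(Boolean);
    let downloads;
    if (!sandboxed) downloads = "unrestricted";            // no sandbox flags apply
    else if (tokens.includes("allow-downloads")) downloads = "allowed";
    else downloads = "blocked-where-enforced";             // e.g. Chrome 83 and later
    findings.push({ src, crossOrigin, sandboxed, downloads,
                    flagged: crossOrigin && downloads !== "blocked-where-enforced" });
  }
  return findings;
}

console.log(auditIframes(SAMPLE_PAGE, "https://publisher.example/article"));
```

A flagged entry is a cross-origin frame whose markup does nothing to stop a forced download; an unflagged sandboxed frame is still only protected in browsers that enforce the flag.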
In April 2020, Confiant discovered a large malvertising campaign that had been taking over entire ad servers to insert malicious ads into their ad inventories. The malicious ads would redirect unsuspecting users to sites ridden with malware, typically masquerading as Adobe Flash Player updates. The campaign had been going on for at least nine months.