Security researchers have uncovered a malvertising threat that has seen users of Windows 10 desktop apps served malicious adverts pushing everything from tech support scams to fake antivirus malware. Worse, because the ads are rendered inside ad-supported apps rather than in a browser, and Windows 10 simply launches your default browser to open the redirect target, a browser ad-blocker will likely not stop them. To date, the campaign has delivered more than 100 million of these ads, and the attack surface extends well beyond Windows 10 apps.
Eliya Stein, a senior security engineer at Confiant, confirmed that “in-app advertisements are not the only vehicle of delivery for this particular attacker.” Writing in a blog post that explores the methodology of the malvertising campaign and tracks the threat actor behind it, Stein pointed out that desktop and mobile devices are targeted in roughly equal quantities, “but desktop Windows and iOS are heavily favored by the attacker.”
Indeed, there have been reports of these malicious ads being spawned from within the Microsoft News app as well as Outlook and some Microsoft Games. “Malvertisers rely on forced redirections in order to drive victims to phishing pages, tech support scams, or drive-by downloads,” Stein explained, adding that “the redirections spawn without any user interaction.”
The Hong Kong connection
The threat actor, in this case, according to the Confiant investigation, appears to be operating under the name of “fiber-ads” out of Hong Kong. It does so by partnering with legitimate demand-side platforms (DSPs), which broker programmatic advertising placements that can target users as they browse. It’s hardly surprising that fiber-ads should choose to form relationships with legitimate DSPs; it gives them access to premium audiences, and premium audiences represent a high-value target for players in the malvertising market.
You can think of malvertisers operating across two primary business models: the ones that own the whole delivery chain, including the payload, and those which act purely as intermediaries. The fiber-ads operation is firmly in the second camp.
Stein counts some 50 ad-serving domains created by fiber-ads in 2019 alone and has traced a further 100 domains back to 2017, which points to a mature and well-resourced criminal campaign. And an ongoing one at that. “New ad serving domains from this malvertiser continue to surface on a weekly basis on varying platforms,” Stein said.
The investigation shows how fiber-ads uses a media buyer marketplace and social forum called MyMediAds to post listings that position the actor “as a middleman in questionable supply-side and demand-side practices.” The fiber-ads profile is particularly active on MyMediAds, with offers coming in from what Stein suspects are “likely botnet operators or brokers of poor quality traffic.”
Mitigation advice for Windows 10 users
Mike Thompson, an application security specialist, says that “Microsoft needs to engage with this, as it affects apps running on the OS, rather than as a result of casual browsing to a site loaded with the dubious ads.” Thompson suggests that seeing as Microsoft has “great anti-virus protection in the shape of Windows Defender,” it might look at ways of being able to intercept and block malvertising from being able to execute in this fashion.
Sean Wright, the Open Web Application Security Project (OWASP) chapter leader in Scotland, agrees that Windows Defender is actually very good and that some form of antivirus is essential in helping to prevent the malware side of the threat from being realized. However, Wright also says that site operators “need to start using features such as content security policy (CSP),” as this can go a long way “to prevent rogue requests being made by client browsers, as well as help to alert when client browsers attempt to reach out to a domain which is not expected.”
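To make the CSP suggestion concrete, the following is an added example (not code from this article or from Confiant) of what a site operator's policy looks like and how a browser applies it. It builds a header that allows scripts and frames only from the site itself and from ad hosts the operator expects, then emulates the browser's per-load decision with a small source-list matcher, returning a dict shaped like the violation report a browser would POST to the `report-uri` when a load is refused. All host names (`ads.publisher-dsp.example`, `news.example`, `unexpected-adserver.example` and so on) are constructed for illustration, and the matcher covers only a subset of CSP (host, scheme, `'self'`, `'none'` and `*` sources; paths are ignored). One caveat a practitioner should keep in mind: CSP governs subresource and frame loads on pages the operator serves. It does not stop a script that is already permitted from redirecting the top-level page, and it cannot reach ads rendered inside a native Windows 10 app, so it helps with the browsing side of this threat rather than the in-app side.

```python
"""Minimal Content Security Policy (CSP) source-list matcher.

Added example, not code from the article or from Confiant. Host names are
constructed for illustration.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when not set (subset of CSP Level 3).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "frame-src",
                    "connect-src", "font-src", "media-src"}
DEFAULT_PORTS = {"http": "80", "https": "443"}


def build_policy(allowed_ad_hosts, report_uri):
    """Return a CSP header value that allows scripts and frames only from the
    site itself and from the ad hosts the operator expects."""
    ad_hosts = " ".join(allowed_ad_hosts)
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' {ad_hosts}",
        f"frame-src {ad_hosts}",
        f"img-src 'self' data: {ad_hosts}",
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {report_uri}",
    ])


def parse_policy(header):
    """Split 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source, url, page_origin):
    """True if a single CSP source expression permits loading `url`.
    Supports 'self', 'none', '*', scheme sources (e.g. data:) and host
    sources with optional scheme, port and leading *. wildcard; paths ignored."""
    target = urlparse(url)
    host = (target.hostname or "").lower()
    if source == "'none'":
        return False
    if source == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, host, target.port) == (
            origin.scheme, (origin.hostname or "").lower(), origin.port)
    if source.startswith("'"):
        return False  # 'unsafe-inline', nonces and hashes never match a URL
    if source == "*":
        return True
    if source.endswith(":"):  # scheme source such as data: or https:
        return target.scheme == source[:-1].lower()
    scheme, sep, host_part = source.partition("://")
    if sep:
        if target.scheme != scheme.lower():
            return False  # host source is bound to its scheme
    else:
        host_part = scheme
    host_part = host_part.split("/", 1)[0]
    pattern_host, _, port = host_part.partition(":")
    pattern_host = pattern_host.lower()
    if port and port != "*":
        target_port = str(target.port) if target.port else DEFAULT_PORTS.get(target.scheme, "")
        if target_port != port:
            return False
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return host == pattern_host


def evaluate(header, directive, url, page_origin):
    """Emulate the browser's decision for one load. Returns None when the load
    is allowed, otherwise a dict shaped like the CSP violation report the
    browser would send to report-uri."""
    policy = parse_policy(header)
    governing = directive
    if governing not in policy and directive in FETCH_DIRECTIVES:
        governing = "default-src"
    sources = policy.get(governing)
    if sources is None:
        return None  # nothing in the policy governs this load
    if any(source_matches(s, url, page_origin) for s in sources):
        return None
    return {
        "document-uri": page_origin,
        "blocked-uri": url,
        "effective-directive": governing,
        "violated-directive": governing,
        "original-policy": header,
    }


if __name__ == "__main__":
    # Constructed operator configuration: two expected ad hosts, one report endpoint.
    policy = build_policy(["https://ads.publisher-dsp.example", "https://*.cdn-ads.example"],
                          "/csp-report")
    print(policy)
    for directive, url in [("script-src", "https://ads.publisher-dsp.example/tag.js"),
                           ("frame-src", "https://unexpected-adserver.example/redirect")]:
        print(directive, url, "->", evaluate(policy, directive, url, "https://news.example") or "allowed")
```

Every refused load in this model yields a report, which is the alerting Wright describes: a spike of `blocked-uri` values pointing at a domain nobody on the ad-ops team recognises is the signal that a creative is trying to reach out somewhere it should not.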
Both agree that for every mitigation there’s always a workaround and that ultimately this will turn into a cat-and-mouse game. “Once the existing domains are blacklisted,” Wright warns, “the attackers will no doubt obtain new domains.”
And as for the advertising platforms themselves, Eliya Stein has some words of advice. He suggests that “ad tech platforms take extra care to vet their advertisers and if something smells a bit fishy, like a buyer incorporated in a dodgy jurisdiction, it might be prudent to bypass that business opportunity altogether.”
I have contacted Microsoft for a statement regarding the Windows 10 applications threat from malvertising and will update the story when that statement arrives.