Forbes.com, Adobe Flash Player, and Your Email
What do the three topics in today’s title have in common? Quite a bit if you are in the malware business! Near the top of the Tech news today is the story that Forbes.com, the 61st most popular website in the United States, has been distributing malware through it’s “Thought Of The Day” advertisements application.
When first visiting Forbes, regardless of which article link you have clicked on from your websearch, newsreader, Facebook/Twitter link, or email recommendation, you don’t go directly to the article. Instead you are taken to a “Thought Of The Day” page, where Forbes is able to sell some of their most valuable advertisements.
Those advertising spaces are valuable. They are displayed to all visitors to the website. That’s a lot of traffic and exposure for the advertisers. However, not all of those advertisers are genuine companies looking to promote their products or brands. Cybercriminals have also taken advantage of these ad blocks and have been using them for their own forms of adverts – Otherwise known as malvertising. These malvertising advertisements link to phishing websites or sites containing exploit kits that silently download malware.
The Patching Myth
The story, which was first shared with the media by Andrea Peterson via her technology policy blog at the Washington Post. She interviewed iSight Partners’ Steve Ward and was told that from at least November 28th to December 1st, two specific vulnerabilities were used in this attack. The first was a vulnerability in Adobe Flash Player known in the industry as CVE-2014-9163. Many Windows users faithfully patch their Microsoft software, including Windows and Internet Explorer, but fail to patch other applications that interact with their web browser. In this case, unless the user had patched their version of Adobe Flash Player AFTER December 9th, the day that Adobe released their patch, APSB14-27, they would have been vulnerable to attack. The website was delivering their attack until December 1st. That means EVERYONE WAS VULNERABLE! This condition, called a 0-day, is when hackers are actively exploiting a vulnerability for which there is no patch.
Many websites require the use of Adobe Flash in order to deliver animated advertisements, or to enable certain functionality of their websites. Apple Computers took a great deal of heat by refusing to allow Flash to be used in the iOS operating system used on iPhones and iPads. Their claim that this was a security feature is regularly proven.
The second exploit used in this attack was a vulnerability in Internet Explorer versions 9 and higher, known by its Common Vulnerabilities and Exposures id CVE-2015-0071. A patch for this vulnerability was released by Microsoft – MS15-009 – on February 10, 2015. It was another 0-day vulnerability that was being actively exploited in the wild.
An Exploit Kit is a way of delivering not just two exploits, but in some cases dozens. In the Forbes situation, a very advanced actor used two previously unpublished vulnerabilities to attack computers. If a visitor to the Forbes.com site was using Internet Explorer on a current version of Windows, the IE9 vulnerability was exploited. If they had Adobe Flash Player installed and were using an older version of Windows, that was the path of attack.
Exploit kits do that on steroids. Three of the most popular exploit kits today are the Angler Exploit Kit, the Rig Exploit Kit, and the Sweet Orange Exploit Kit. Criminals who run these malware delivery systems allow other criminals to subscribe to them so that whenever a new vulnerability is made public, these kits can take advantage of that vulnerability. Additional exploits are uploaded to the kit. For example, late last year, Rig was updated to include CVE-2014-0515 (another Flash Exploit, patched by Adobe in April 2014) and CVE-2014-0569 (another Flash Exploit, patched by Adobe in October 2014). Sweet Orange did both of those, and also CVE-2014-6332, a Microsoft Windows exploit patched in Critical Security Patch MS14-064.
The way the Exploit Kits work is they search for vulnerabilities on web visitors’ computers that can be exploited. When a vulnerability is discovered, it is used to push the payload of the criminals’ choice. So ANY malware that a criminal wants to deliver can be silently downloaded as the payload of an Exploit Kit. But first, they have to get a visitor to go to the site that is hosting the Exploit Kit.
After purchasing access to an Exploit Kit, criminals place their “license” to the Exploit Kit on a distribution page. They must then determine how they will drive traffic to that website. Some criminals do that by introducing malicious advertisements into ad networks (malvertising), causing their ads to show up on high-ranking websites such as Yahoo, the New York Times, Amazon.com, and YouTube. They can also place their malware on any website where they manage to acquire the userid and password of the webmaster. Sometimes that password gathering happens via a targeted phishing attack, such as those used to take over the Twitter accounts of CNN and Time Magazine. Other times the passwords are harvested through regular password-stealing software, such as the Dyre Trojan or GameOver Zeus.
Of course, millions of websites have their own vulnerabilities that allow massive exploitation, such as the WordPress exploits in December 2014 where more than 100,000 websites began distributing malware called SoakSoak, leading Google to temporarily block access to more than 10,000 WordPress sites in their search results! (According to Tripwire’s State of Security report, 23% of all websites run WordPress!)
A new explosion in Exploit Kit variants is likely after today’s revelation that the RIG Exploit Kit source code has been leaked online.
Exploit Kits and Spam
If a criminal doesn’t have the means to break in to sophisticated advertising networks, and doesn’t have ready access to webmaster passwords, the old reliable delivery mechanism is spam email. It’s not as sophisticated, but spam is still one of the most successful malware-delivery methods! Cisco’s 2015 Annual Security Report shared the surprising news that spam volumes had risen by 250% in 2014. Perimeter security and web filtering are often effective at preventing users from visiting websites hosting Exploit Kits. In the case of the former, it can be difficult for criminals to bypass those security controls. In the case of the latter, not all organizations have web filters in place. The leading theory behind the rise in spamming is the realization by cybercriminals that the attack vector is still highly effective. Targeting end users allows cybercriminals to bypass perimeter security by attacking the weakest link in the security chain: End users.
Other sources have reached a contrary but equally harmful conclusion. For example, PhishMe Intelligence shows there was a 56% DROP in spam volume in 2014; however, the percentage of emails that were deemed malicious increased to an average of 10%, with spikes as high as 40%! (See InfoSecurity magazine – Spam Volumes Drop but Unsolicited Emails Get More Malicious).
All too often, malware authors use multiple delivery mechanisms to infect end users. One of the most famous examples of recent “dual-delivery” malware is the CryptoWall malware that proved to be so popular in 2014. As Phil Muncaster shared in Infosecurity magazine last month, links to CryptoWall 3.0 are commonly found both in spam and drive-by forms of Exploit Kits. It doesn’t matter which delivery method is used, the underlying architecture of the payload malware is identical.
The Ad-Blocking Controversy
Several popular security products either specifically block online advertising, or block the ads as a side-effect of not allowing code to execute from unapproved pages. For example, see the Forbes “Home USA” news index page from today, as viewed in Chrome, and as viewed in Firefox with “NoScript” running.
In the top image, visiting the Forbes webpage results in top and bottom ads and an Adobe Flash Player-based video ad on the left of the page. Visiting with FireFox with NoScript running prevents all of those ads from being displayed. That means malvertising is blocked, but so are legitimate adverts.
Where is the controversy? The ethical question is that I am allowed to read Forbes magazine for free as a result of the contracts that Forbes has to display their ads to their customers. When I choose not to view ads for free content, am I not breaking the implied economy of the online world? As the saying goes “If you are not paying for something, you are not the customer, you are the product!” Online web pages sell our advertising market eyeballs to their vendors, but in viewing these ads are we exposing ourselves to risk?
Some online sources have revealed there were 5.3 trillion online advertisements displayed last year. “Only” a few million of those were malicious. On the same list we see that 50% of the clicks on mobile ads are accidental. Interestingly, Solve Media claims you are more likely to survive a plane crash than click a banner ad.
I’ll end this post with an amusing news story about the Flash malware at Forbes. NBC News had a video story about the article. I couldn’t see it, because my Firefox won’t play the Flash Player unless I specifically allow it. However, they published the story about the malware attack on Forbes users, and included a Flash advertising block underneath.