Editors’ note: In this series, “Unmasking Malvertising,” we explore various ways in which malvertising is executed to help us collectively see the digital landscape not just as defenders, but through the eyes of those who would exploit it. In this installment, we explore the role of obfuscation in malvertising, and how malvertising prevention technology can help thwart malicious actors.
Outsmarting those who seek to exploit digital advertising requires delving into the minds of bad actors. We need to act like behavioral analysis detectives, anticipating how malicious actors will disguise their malicious code, where they'll place their traps, and which vulnerabilities they'll try to exploit next.
Malicious actors use malvertising attacks to facilitate stealing a person’s money or identity or to infect a user’s device. These are significant issues that publishers, ad platforms, regulatory bodies, government agencies, and others take seriously.
To adopt the mindset of malicious actors, let’s consider some of their key tactics. Bad actors use various methodologies to avoid getting caught, such as device fingerprinting, environment detection, cloaking techniques such as microtargeting, vendor detection and evasion, and obfuscation.
Broadly defined, obfuscation is the practice of making something difficult to understand or interpret. Obfuscation is not in and of itself a threat (most ads contain innocuous obfuscated code). Like so many other things, it depends on how obfuscation is used and who uses it.
Obfuscation in malvertising, though, is particularly insidious, because it allows malicious actors to hide in plain sight as they carry out their attacks.
What is obfuscation in malvertising?
When a malvertising attack incorporates obfuscation, the obfuscation deliberately conceals malicious code within a digital advertisement. Threat actors deceptively write their code to make it difficult for security tools and researchers to recognize the code’s true purpose, while ensuring the code continues to function as intended. Simply put, the “message” remains intact, but it's scrambled in a way that only the intended recipient (in this case, a live browser) can decipher.
Then, if an ad enters the ad ecosystem and reaches an end user, that user’s browser renders the code, including the obfuscated malicious lines.
This code delivers the intended malicious payload, which was obfuscated, and therefore hidden, within the creative assets. That payload, in turn, can cause real harm to end users: directly stealing a person’s money, identity theft, credential harvesting, or many varieties of infecting a user’s device.
Bad actors utilize concepts of cryptography, often making their code unreadable without decryption. Think of it as the digital version of the old cereal box decoder rings or a traditional cipher disk. These tools embody the concept of obfuscation simply - spin the ring and you decode that A = 36, B = 13, C = 75, and so on.
How does obfuscation threaten digital ads?
Let’s walk through a simple example. A bad actor wants to redirect a user to a landing page. To accomplish this without getting caught by emulators and scanning environments, the malvertiser obfuscates two lines of code:
A fingerprinting check to test if the ad is rendering on a real user device, such as a touchscreen check for iPhones
A malicious function, ‘top.location.href,’ that relocates the user to the attackers intended URL
When a browser reads the lines of obfuscated code as the ad attempts to render, the included cypher is used by the computer to decode the functions in real time. Without a strong enough protection solution that is adept at decoding obfuscation, the malicious code to redirect a user can execute.
That is to say, even without a user taking any action, the function above navigates the user to a malicious landing page that tries a classic phishing scheme such as, “You won a gift card! Enter your details to receive it.”
Bad actors often don’t use obfuscation just once per attack, however. They obfuscate multiple calls or payloads. Each step makes it more likely that a human reviewing this ad, or a simple malvertising offline scanning environment, does not or cannot look any further into the code.
If everything is hidden, how can publishers and platforms prevail? The answer is: not alone.
Deciphering the code with malvertising prevention
In the battle against malvertising, what you can’t see can hurt you. Understanding and detecting obfuscation in malvertising is crucial to prevention. In this fight, the first step is to identify the right partner that is adept at deciphering hidden code and thinking like a bad actor in order to disrupt malicious activity.
Combating obfuscated malvertising attacks requires a multilayered approach. Our threat researchers advise security teams to look for several key indicators (and these best practices apply beyond malvertising analysis as well):
The key is striking the right balance: being thorough enough to catch sophisticated attacks while avoiding false positives that could disrupt innocuous ads.
HUMAN Malvertising Defense
HUMAN’s proven Malvertising Defense solution demonstrates that to combat malvertisers’ efforts, it takes a combination of expert threat research, reverse-engineering, and specialized insight from the HUMAN Malvertising Defense script.
Using runtime behavioral analysis, HUMAN’s Malvertising Defense has the advantage of seeing all this obfuscation play out and attempt to load a final malicious payload.
Our solution incorporates advanced machine learning, real-time monitoring, and years of expert threat intelligence to protect against obfuscated threats, processing billions of transactions daily to keep major advertising platforms safe from emerging attack patterns.
To learn more about HUMAN Malvertising Defense, click here to talk to a Human.