So far, 2018 is shaping up to be a year in which malicious advertising is growing and spreading throughout the web. Threats are becoming more and more sophisticated, with home and corporate web users being tricked into clicking on innocent-looking ads and unknowingly installing malware on their computers, or triggering other kinds of attacks. Many people and companies haven’t installed ad blockers. Some companies feel it’s just too difficult to implement a company-wide ad-blocking policy. Reputable ad services, such as Google AdWords or Bing Ads, have been exploited by attackers who find clever ways of disguising their activities and slipping their way onto users’ PCs.

One such way is to deliver utility applications which, at first glance, seem helpful to the user, but are really pieces of malware with a sinister purpose. Attackers often favour lower-profile techniques, such as browser hijacking, delivered by these innocent-looking applications, because they won’t raise alarms the way a ransomware attack would. The ads function as expected, but the browser hijacking goes on in the background to siphon data from a system, inject data into web pages, or deliver other payloads without the user even knowing.

Here is an example of a browser hijacking attack delivered through Google AdWords. All samples were collected by ElevatedPrompt’s DET3CT security monitoring service:

Network data showing the path from Google.ca to imgfarm[.]com

Executable Details

Users are forced to change their homepage in order to install the utility

Post-install callback to hp.myway.com, with a unique ID, date, and other information.
[HTTPListener80] --------------------------------------------------------------------------------
[HTTPListener80] GET /favicon.ico HTTP/1.1
[HTTPListener80] Accept: */*
[HTTPListener80] User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
[HTTPListener80] Host: hp.myway.com
[HTTPListener80] --------------------------------------------------------------------------------
[HTTPListener80] Received a GET request.
[HTTPListener80] --------------------------------------------------------------------------------
[HTTPListener80] GET /anx.gif?anxa=CAPDownloadProcess&anxe=InstallerFinished&tbUID=DD3773AC-42FC-42FE-9997-F80D373F54A5&tbVer=&platform=vicinio&anxv=2.7.1.1000&anxd=2017-08-04&coid=d7d581e46d2e45b8b2d9e2591a78806

Browser homepage changed to myway[.]com

How do you know if you’ve been the victim of browser hijacking? Look for the following indicators:

User-Agent:
Mindspark MIP (Windows NT 6.1; Win64; MSIE 11.0; Build 7601; SP 1)
IACApps-TooltabExtension/3.0.46.16263 (Windows NT 6.1; Win64; MSIE 11.0; Build 7601;

Destination Hosts:
*.imgfarm[.]com
*.myway[.]com
*.mindspark[.]com
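
As an added example (not part of the original post, and not DET3CT’s own tooling), here is a small Python scanner that applies the indicators above to proxy logs: it flags the two hijacker User-Agent prefixes and any request to the listed domains or their subdomains, and pulls the per-victim tbUID out of the install callback for triage. The tab-separated log format and the log lines are constructed; the tbUID value is the one from the callback captured above.

```python
"""Flag browser-hijack indicators from the post in constructed proxy logs."""
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post: hijacker User-Agent prefixes and callback domains.
UA_MARKERS = ("Mindspark MIP", "IACApps-TooltabExtension")
BAD_DOMAINS = ("imgfarm.com", "myway.com", "mindspark.com")

# Constructed sample log (tab-separated: time, client, host, path, User-Agent).
# Not captured traffic; only the tbUID reuses the value from the post's capture.
SAMPLE_LOG = """\
2018-02-01T09:14:02Z\t10.0.0.12\twww.google.ca\t/search?q=pdf+converter\tMozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/63.0
2018-02-01T09:14:09Z\t10.0.0.12\tdl.imgfarm.com\t/setup/installer.exe\tMozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/63.0
2018-02-01T09:15:31Z\t10.0.0.12\thp.myway.com\t/anx.gif?anxa=CAPDownloadProcess&anxe=InstallerFinished&tbUID=DD3773AC-42FC-42FE-9997-F80D373F54A5&anxv=2.7.1.1000\tMozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
2018-02-01T09:16:04Z\t10.0.0.12\tcdn.example.net\t/ads/banner.js\tMindspark MIP (Windows NT 6.1; Win64; MSIE 11.0; Build 7601; SP 1)
2018-02-01T09:20:40Z\t10.0.0.33\twww.example.org\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/58.0
"""


def host_matches(host, domains=BAD_DOMAINS):
    """True if host is an indicator domain or a subdomain of one (not a lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ua_matches(user_agent, markers=UA_MARKERS):
    """True if the User-Agent starts with one of the hijacker product names."""
    return user_agent.startswith(markers)


def scan_log(text):
    """Return one finding per hit as (client, reason, detail)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, host, path, ua = line.split("\t", 4)
        if ua_matches(ua):
            # Keep just the product token so analysts can group by hijacker family.
            findings.append((client, "hijacker-ua", ua.split(" (")[0]))
        if host_matches(host):
            # The install callback carries a per-victim tbUID; fall back to the host.
            qs = parse_qs(urlsplit(path).query)
            findings.append((client, "hijacker-host", qs.get("tbUID", [host])[0]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Run against real logs, the same `scan_log` loop works on any export you can reduce to those five tab-separated fields.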

What’s a user to do? Many users and companies have resorted to installing ad blockers to protect themselves. Ad blockers are small pieces of software that stop ads from being presented to users on web pages. If the user can’t see an ad, they also can’t click it, and the threat is mitigated before it can become a problem.

Ad blockers are helpful at blocking ads, along with the malware, phishing and scams that can come through ads. They can also reduce bandwidth use, improve page load times, and block other fraudulent activity.

But they’re more powerful when combined with other solutions. For example, the OpenDNS service can be used to mitigate known malicious ad traffic. Some browsers can also help. Google Chrome Enterprise, for instance, lets administrators implement policies similar to how it’s done in a Windows domain; admins can configure browser policies to ensure that ad blocking is enforced across the entire enterprise.

Ad blockers can only stop threats that are known. They are of little help against new and unknown threats. New threats are being developed all the time and remain undetected until someone identifies them and publishes technical guidance on mitigating them. Once a threat is known, the makers of ad blockers add it to their list, and the software on the user’s PC downloads the updated list, much the same way that anti-virus definitions are updated and installed. Some companies also maintain their own blacklist of domains and add it to the mix. When combined with other security layers such as browser policies, firewalls, IPS devices, and host-based solutions, ad blockers can be very helpful at mitigating the threats that are often delivered under the guise of advertising. It’s also helpful to give your staff security training so they know what to look for and how to handle the threats that do make it through all the layers of security.

In short, the risks carried by online advertising are growing. Most businesses don’t need to allow ads to be displayed on the websites viewed by their staff. Endpoint agents are rapidly evolving, and a good, well-rounded combination of ad blockers, browser policies, blacklists, user education and sound perimeter security practices can reduce infection vectors and keep your company’s data and reputation safe and protected.

Ensuring your security is our priority at ElevatedPrompt. If you have any questions or concerns regarding this vulnerability or have any cybersecurity concerns and questions, please reach out to your ElevatedPrompt account representative or email us at [email protected]