‘Fingerprinting’ Helps Malvertising Attacks Find Victims And Avoid Detection

Research shows more malvertising assaults are using ‘fingerprinting’ at an advert level to avoid unncessary attention and save bandwidth

Malvertising attacks, which infiltrate genuine advertising networks with malicious creatives, are increasingly determining which systems are potential targets by inserting code directly into ad banners.

This practice, known as fingerprinting, allows the perpetrators behind such assaults to save time and effort by only targeting genuine web users on vulnerable systems. It also allows them to avoid detection by security researchers – prolonging the scam.

Fingerprinting is nothing new, but traditionally, attacks have waited until an exploit kit has been downloaded before performing such checks. The Angler exploit kit uses a flaw in Internet Explorer’s XMLDOM ActiveX control to do this – as seen in an assault on xHamster last year.


adblockBy moving the fingerprinting process “up the chain”, malvertising campaigns can choose whether to serve up a malicious ad to a vulnerable system or a safe one to a protected user – preserving bandwidth and avoiding attention.

Researchers at Malwarebytes and GeoEdge spent several months researching and monitoring several malvertising campaigns on a number of ad networks.

Some hid code in JavaScript and GIFs – sometimes secured via HTTPS and on-the-fly encoding – and used IP addresses related to VPNs to avoid detection. All used seemingly genuine advertisement-related domains, used an intermediate redirector and targeted genuine IP addresses. Attacks even stopped using public URL-shortening services because they were too obvious.

One campaign that used Google’s DoubleClick service, which used encoded GIFs to fingerprint, checked users with IP and HTTP headers to see what security products were installed. If the user had a unique IP address, Internet Explorer 10 or earlier and had not installed certain security software, they would be targeted.

Growing problem

The research also found that 42 percent of all malvertising infections occurred in the US, ahead of Canada (13.7 percent) and the UK in third (11.8 percent). Experts say scammers can get 1,000 ad impressions for as little as 19 cents, using real time bidding common on many advertising networks.

A number of malvertising attacks have previously affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software. Some have even turned to controversial ad-blockers to protect themselves against such attacks.

“It is obvious to us that malvertising has become a major issue that no one has a clear answer for,” said the report, co-authored by Jerome Seguara, senior researcher at Malwarebytes, and Eugene Aseev at GeoEdge.

“One of the most important things you can do is ensure your endpoints are fully up-to-date. The number one reason malvertising attacks are successful is due to unpatched programs. After all, ads are the vehicle to an ulterior motive which consists of infecting end users with malware or serving them scam pages.

“In the wake of a particularly busy year with Flash Player vulnerabilities and zero-day exploits, it has become imperative to complement your existing security solutions with exploit mitigation tools. By the same token, a layered defense is your best bet to fend off today’s most sophisticated attacks.”

What do you know about Internet security? Find out with our quiz!