11:00-11:20 AM - TRACK 3, ROOM 1420/1430
MALVERTISING VIA GOOGLE ADS: WHEN MALSPAM IS NOT ENOUGH, MALWARE COMES VIA AN AD NEAR YOU
Do you remember the last time you wanted to download a program? You probably did a Google search for it and clicked on the top link you saw. In recent months, this behaviour has become more risky due to an increase in malicious ads from threat actors previously engaged in malspam campaigns.
Criminals are purchasing ad space and tricking users with realistic-looking sites for some of the most popular software programs. The downloaded files are usually distributed in formats that will evade detection for many antivirus programs or prevent them from being uploaded to services like VirusTotal because of their excessive size. While you may install the piece of software you were looking for, you also infected your machine with malware.
In this talk, we review some of the malvertising techniques used by criminals to deceive Google and sandboxes using tricks such as cloaking. We also present some stats based on over 500 reported incidents to identify the most targeted brands and malware families. Finally, we share the results of community-based tracking and reporting and where threat actors might go next.
Jérôme Segura is a seasoned infosec professional with extensive experience uncovering client-side web threats such as malvertising and Magecart.
He has built web crawlers to capture drive-by downloads and identify compromised websites. He also maintains EKFiddle, a plug-in for the web debugging tool Fiddler.
He regularly presents his work at Virus Bulletin and BSides conferences, and enjoys taking part in joint research with industry partners.