DustRoyal-3PC redirect influx hides behind CDNs
The use of hacked brand websites and landing pages as malware delivery vectors continues to grow, but that doesn’t mean redirects via ad tags are stagnating. Indeed, they appear to be evolving to better evade detection and creative-blocking technology.
Rather than cycling through domains, threat actors are hosting creative image files in cloud storage to evade detection and bypass domain-oriented blocking tools. (Who is going to block an entire CDN/content distribution network that also serves legitimate creatives? No one.) Extensive investigation is therefore required to identify the rogue CDN-hosted URLs and shut down the attacks.
That is exactly what happened in early 2023 when The Media Trust Digital Security and Operations (DSO) team identified and terminated a widespread malicious ad campaign that used CDNs as a payload delivery path. Generating dozens of incidents affecting consumers around the world, particularly in Canada, Germany, Japan and the US, the ad tag call chain included both a normal “jpg” URL and a malicious “jpeg” URL. Under the right conditions, the malicious URL redirects to fake virus alerts, phishing scams and other malicious landing pages, degrading the digital experience for thousands of consumers.
Uncovering the DustRoyal threat
In January, DSO detected several CDN-hosted URLs (most of them on CloudFront, Amazon's widely used CDN) delivering image files that were suspiciously large relative to what is typically found in ad delivery. There were also discrepancies between the reported length of the files and their actual size, an odd inconsistency given that they were delivered by the same URL in the same scan. [Figure 1]
Makings of a Redirect Attack
First, DustRoyal creates a link that points to a legitimate advertiser (https://www.ontheplussude[.]com) and carries a “gclid” query string parameter, the Google click identifier normally used to attribute the source of the traffic. The link's “target” attribute makes it open in a new browser tab or window when clicked.
Next, the ad's image tag carries a normal source URL (ending in “jpg”) and a second URL (ending in “jpeg”) in its “data-src” attribute; the “data-src” URL is the one that delivers the decoy creative. The decoy image is never shown on the page because the element carries a “display:none” style attribute, so the user sees an ordinary ad while the hidden call is the one that, under the right conditions, redirects.
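Putting the two steps together, the following is an added example (not The Media Trust's code, and not the actual DustRoyal markup) of a static scan that flags ad creative matching the pattern just described: an advertiser link carrying “gclid” that opens in a new tab, plus a hidden image whose “data-src” is a “.jpeg” on a CDN host. The advertiser domain and the CloudFront distribution hostnames are constructed placeholders, not real indicators, and the attribute parsing is deliberately simple; a production scanner would use a real HTML parser.

```javascript
// Added example, not The Media Trust's code: a static scan of ad markup for the
// DustRoyal pattern (advertiser link with gclid opening a new tab, plus a hidden
// <img> whose data-src is a ".jpeg" on a CDN host). The advertiser domain and
// the CloudFront distribution hostnames below are constructed placeholders.

const SAMPLE_AD = `
<a href="https://www.example-advertiser.test/landing?gclid=EAIaIQob" target="_blank">
  <img src="https://d111111abcdef8.cloudfront.net/creative/banner.jpg"
       data-src="https://d111111abcdef8.cloudfront.net/creative/banner.jpeg"
       style="display:none">
</a>`;

// A benign creative on the same CDN: a visible image and no data-src URL.
const BENIGN_AD = `
<a href="https://www.example-advertiser.test/landing?utm_source=net" target="_blank">
  <img src="https://d222222abcdef8.cloudfront.net/creative/banner.jpg" style="border:0">
</a>`;

// Pull key="value" attribute pairs out of a single HTML tag. A regex is enough
// for ad markup of this shape; a real scanner would use a proper HTML parser.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

function safeUrl(s) {
  try { return new URL(s); } catch { return null; }
}

// Assumption: CloudFront is the only CDN in scope here; extend for other CDNs.
function isCdnHost(s) {
  const u = safeUrl(s);
  return u !== null && u.hostname.endsWith('.cloudfront.net');
}

// Returns the DustRoyal-style traits found in the markup, in document order.
function analyzeAd(html) {
  const findings = [];
  for (const tag of html.match(/<a\s[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const u = safeUrl(a.href || '');
    if (u && u.searchParams.has('gclid') && a.target === '_blank') {
      findings.push('anchor_gclid_new_tab');
    }
  }
  for (const tag of html.match(/<img\s[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const hidden = /display\s*:\s*none/i.test(a.style || '');
    const dataSrc = a['data-src'];
    if (dataSrc && isCdnHost(dataSrc) && /\.jpeg(?:[?#]|$)/i.test(dataSrc)) {
      findings.push('cdn_jpeg_data_src');
    }
    if (hidden && dataSrc) findings.push('hidden_img_with_data_src');
    if (a.src && dataSrc && a.src !== dataSrc && isCdnHost(a.src) && isCdnHost(dataSrc)) {
      findings.push('src_data_src_mismatch');
    }
  }
  return findings;
}

// The combination, not any single trait, is what marks a creative for review:
// a hidden image with a data-src is common lazy-loading, a gclid link is normal.
function isDustRoyalLike(html) {
  const f = new Set(analyzeAd(html));
  return f.has('anchor_gclid_new_tab') && f.has('cdn_jpeg_data_src') && f.has('hidden_img_with_data_src');
}
```

The verdict deliberately requires all three traits together: lazy-loading libraries legitimately use “data-src” on hidden images, and “gclid” appears on a large share of honest paid-search links, so any one trait alone would drown a review queue in false positives.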
CDNs as a Front for Malvertising
Content delivery networks are used to deliver static and dynamic web content, video streams, APIs, and other web assets to users around the world without driving latency, slowing transfer speeds, or timing out. They store copies of your content in edge locations—data centers around the world—and route content requests to the edge location nearest to the user, which helps reduce the latency and improve the overall user experience.
Unfortunately, what makes CDNs such a great tool for business owners also means they can be used effectively in the distribution of malware by hosting malicious files. Common scenarios include:
- Ad fraud: ads hosted on cloud URLs are used to generate fraudulent clicks or impressions, inflating the cost of advertising campaigns or generating revenue for the malvertiser.
- Exploit kits: hosting malicious ads that, when clicked, redirect to a page containing an exploit kit, i.e., tooling that probes the visitor's browser or device for vulnerabilities and installs malware.
- Phishing attacks: when a user clicks a phishing ad, they may be redirected to a fake website that imitates a legitimate one (e.g., a banking site) and prompts them to enter their login credentials.
For now, DustRoyal relies on CloudFront, a widely used and trusted CDN. However, we are watching for this activity across other CDNs given their ubiquity in today's digital advertising supply chain. The ease with which a CDN lets anyone generate and quickly distribute URLs makes CDNs attractive to cybercriminals who want to avoid detection and increase the effectiveness of their attacks.
Defending against a CDN-hosted malvertising attack
While the initial campaign, which affected a handful of DSPs, was shut down within 11 days, new campaigns began emerging in late April across multiple DSPs, networks and publishers. It is clear that the test period is over and the tactic is expanding to affect more parties. AdTech and publishers need to be aware of this evolving threat vector. An on-page/in-app blocker cannot block the whole cloud service without also blocking the legitimate creatives hosted there; finding the malicious files takes more detective work.
Timely detection depends on recognizing the compromised or malicious CDN hosts and the code used in these malicious calls. The Media Trust specializes in detecting the patterns used by malvertisers and has developed signatures for these IOCs. In addition, ensure your creative blocking tool can act on attacks that occur inside injected iframes.
INDICATORS OF COMPROMISE
- Ad tags that contain a “.jpeg” CloudFront URL which does not resolve to an image when visited manually
- Multiple calls to CloudFront hosts with URLs ending in “jpg” or “jpeg”
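The first indicator, an image URL that does not resolve to an image, can be checked mechanically on every “.jpg”/“.jpeg” response in a scanned call chain rather than by visiting each one by hand. The following is an added example (not The Media Trust's code or signatures) that encodes that check together with the earlier observations about oversized creatives and a mismatch between the reported and actual length of the file. The two responses are constructed inline; the CloudFront hostname and the redirect target are placeholders, and the size threshold is an assumption to tune against your own inventory.

```javascript
// Added example, not The Media Trust's code: validate that a ".jpg"/".jpeg"
// URL in an ad call chain actually returned an image. Encodes the IOC above
// (a CloudFront ".jpeg" that does not resolve to an image) plus the oversized
// file and length/size mismatch observations. Responses are constructed
// inline; hostnames are placeholders.

const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);
// Assumption: creatives above this size deserve a look; tune to your inventory.
const MAX_CREATIVE_BYTES = 512 * 1024;

function lowerHeaders(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// resp = { url, status, headers, body: Buffer }. Returns the reasons a
// supposed image response is suspicious (empty array = looks like an image).
function checkImageResponse(resp) {
  const reasons = [];
  const h = lowerHeaders(resp.headers || {});
  let u;
  try { u = new URL(resp.url); } catch { return ['unparseable_url']; }
  if (!/\.jpe?g$/i.test(u.pathname)) return reasons; // only image-looking URLs are in scope

  if (resp.status >= 300 && resp.status < 400) reasons.push('redirect_from_image_url');
  const ct = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (!ct.startsWith('image/')) reasons.push('non_image_content_type');
  // Trust the bytes, not the extension or the Content-Type header.
  if (!resp.body.subarray(0, 3).equals(JPEG_MAGIC)) reasons.push('missing_jpeg_magic');
  if (h['content-length'] !== undefined && Number(h['content-length']) !== resp.body.length) {
    reasons.push('content_length_mismatch');
  }
  if (resp.body.length > MAX_CREATIVE_BYTES) reasons.push('oversized_creative');
  // Only peek at the first few KB: a redirect payload sits near the top.
  const head = resp.body.toString('latin1', 0, 4096);
  if (/<script|location\.(?:href|replace)|window\.open/i.test(head)) reasons.push('script_in_image_body');
  return reasons;
}

// Constructed benign response: a (truncated) JPEG whose declared length matches.
const BENIGN_RESPONSE = {
  url: 'https://d111111abcdef8.cloudfront.net/creative/banner.jpg',
  status: 200,
  headers: { 'Content-Type': 'image/jpeg', 'Content-Length': '103' },
  body: Buffer.concat([JPEG_MAGIC, Buffer.alloc(100)]),
};

// Constructed malicious response: ".jpeg" URL and image Content-Type, but the
// body is an HTML redirect and the declared length does not match what was sent.
const MALICIOUS_RESPONSE = {
  url: 'https://d111111abcdef8.cloudfront.net/creative/banner.jpeg',
  status: 200,
  headers: { 'Content-Type': 'image/jpeg', 'Content-Length': '2048' },
  body: Buffer.from('<html><script>location.href="https://fake-alert.example/scan"</script></html>'),
};

// Run the check over every response captured in a scan and keep the flagged ones.
function classifyRedirectChain(responses) {
  return responses
    .map(r => ({ url: r.url, reasons: checkImageResponse(r) }))
    .filter(r => r.reasons.length > 0);
}
```

Checking the magic bytes is the load-bearing test: a CDN will happily return whatever the uploader stored under a “.jpeg” key with whatever Content-Type the uploader set, so neither the extension nor the header proves the object is an image. Keep the raw bodies of anything flagged, since the redirect logic is only served under the right conditions and a later manual visit may see a different file.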
IOCs (and counting)
* Naming Convention Note: Phishing attacks are represented by wind-related themes. Color represents the gravity of the threat using the ROYGBIV scale, where red signifies major and violet signifies minor impact. 3PC refers to the use of third-party code to distribute the malware; in this instance, it involves the use of CDNs to host malicious files used in the digital advertising ecosystem.