ShapeShifter-3PC: Adaptive Malware Campaign Hits Alexa 500 Sites

ShapeShifter-3PC

This article was authored by Pat Ciavolella, Director of Digital Security & Operations at The Media Trust.

In mid-January 2019, The Media Trust Digital Security & Operations (DSO) team prevented a large-scale malicious campaign from exploiting 44 adtech vendors to attack tens of millions of visitors of 49 premium publishers ranked among Alexa 500 sites. The group behind the attack had designed an adaptive campaign so that as soon as one malware and supply chain route was identified and terminated, another attack would immediately ensue using different malware and alternative supply chain routes. Over the course of just two days, the DSO terminated at their source more than 600,000 instances of malware, and, in so doing, shielded the visitors’ devices, around 80% of which ran on iOS. The attackers’ persistence leaves little doubt that the campaign succeeded in stealing personal information from the visitors of less secure, unmonitored sites. 

The malicious group commenced their attacks by sneaking past three large ad exchanges with hijacked legitimate ads for unknowing popular retailers in order to target the publishers’ site visitors. Once DSO alerted the exchanges of the malicious ads, the exchanges quickly cut off the supplier further up the chain. Further down the chain, the publishers did the same as soon as they received their alerts. The various malware appeared to have their sights on iOS device users. Without clicking on any ads, unsuspecting visitors would be redirected to malicious content prompting them to enter sensitive information. 

The campaign’s novelty lay in its adaptability. Each time attacks were identified and foiled, new ones would launch using other ad formats, fire up new delivery routes in the digital ad supply chain, and employ unique code obfuscation techniques. Some visitors were sent to sites attempting to install malicious add-ons or browser plug-ins into their devices. Each attack made calls to one of four malicious domains, all of which were set up only two weeks before. When one domain was closed down, others would take over. The frequent, multivariate shifts would conceal the attacks from conventional detectors that rely on a database of known malicious code. 

The affected publishers and adtech vendors warded off the attacks with the help of a deep bench of digital threat analysts equipped with security response tools that can quickly spot and analyze anomalous code and anticipate obfuscation techniques. Combining resources that fed into the entire solution was key. Scanning surfaced the unauthorized code, which was analyzed by experts, who fed real-time analysis into a smart blocker, enabling it to learn new malware and thwart them at their source within minutes of their discovery. Without the solution’s capability to change tack and predict new patterns, the malware would have easily passed through the publishers’ first line of defense. For other publishers, that line of defense consists of a conventional blocker that does not learn from a continuous feed of new malware data and cannot predict new obfuscation patterns, leaving the publishers—and their users—open to attacks.

This combination has proven effective against increasingly potent, adaptive campaigns that now plague digital publishing. The value of real-time scanning and analysis is the only way to keep abreast of these quickly morphing attacks. Anything less would have left the publishers and their vendors defenseless against the onslaught of attacks, especially those that rely on third-party malware data sources. As the threat landscape continues to change, if not worsen, joining the dots between security resources will be key to a company's success.