IcePick-3PC Malware Strain Steals Device IPs

Infosecurity Magazine

This article originally appeared in Infosecurity Magazine on January 9, 2019.

IcePick-3PC has impacted a range of businesses, from publishers to e-commerce, across a variety of industries, including retail and healthcare, according to researchers from The Media Trust’s digital security and operations (DSO) team. The malware strain was first identified in spring 2018 and is able to steal device IPs en masse.  

When it was initially detected, IcePick-3PC was used to spam device owners using phishing in a campaign that fraudulently offered gift cards from big-name retailers, such as Amazon and Walmart, in return for users sharing their personal information.

In a January 9, 2019, blog post, researchers explained that a website’s third-party tools are designed to incorporate interactive web content, such as animation via HTML5, and are loaded onto client platforms by self-service agencies. In the attack, which has affected more than 100 clients, IcePick-3PC executes after malware writers successfully hijack a website’s third-party tools.  

“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog stated.

Additionally, before it downloads, the malware is able to examine the devices of those users who visit a website with a compromised third-party library. “The extraction and collection of IPs represents the largest scale of IP theft the DSO has observed to date and marks a significant advancement in malware authoring, as stealing IP en masse with such efficiency demands rarefied coding skills,” researchers wrote.

“But now that this malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs, it enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for exploit targeting and potential future attacks.”

The GreenSock Animation Platform, a set of JavaScript tools used for HTML5 animations, was identified as the self-service tooling most often involved, with malicious code injections found in TweenMax and CreateJS.

“In order to protect sites from this malware, publishers and e-commerce businesses should thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code,” researchers said.