Attackers abuse security feature to deliver malicious content via video ads

News by Davey Winder

A new malware campaign is abusing a security feature - sandboxed iFrames - so that instead of protecting links in video advertising it can be used to deliver malicious content.

A newly discovered redirected advertising attack methodology has been abusing sandboxed iFrames in order to go undetected by those solutions that employ blacklisting to block malicious ads the research team at GeoEdge has found.

Described by GeoEdge as a malicious ad vulnerability, it also exploits the Video Player Ad-serving Interface Definition (VPAID) format that is increasingly popular thanks to the interactivity it brings to advertising. VPAID itself also brings geo-targeting, video click-throughs and improved ad-tracking metrics. The main problem associated with the VPAID format has always been one of latency, but malvertising must now also be considered moving forward.

While malware within video is a very unusual attack methodology, GeoEdge researchers have been seeing an increase across the last year. GeoEdge warns that attackers are exploiting the tag for redirecting adverts being encoded in a sandboxed cross-origin iFrame that makes it all but impossible to find them to blacklist a malicious ad.

The problem is that sandboxed iFrames provide a dedicated space for the ad network to insert these encoded ad codes within the inline frame on the publisher’s page. This is a good thing in that it allows an iFrame to present adverts using JavaScript without exposing user data. It's a bad thing, GeoEdge says, because the iFrame also enables malvertisers to serve those malicious auto-redirect ads encoded within.

GeoEdge researchers decoded the specific tag to uncover the malicious auto-redirect ads, and warn that as programmatic advertising involves multiple players, this task becomes onerous as each tag has to be decoded as it passes through the programmatic chain. 

"We see growing sophistication among malvertisers who currently use more advanced forms of programmatic ads and are trying out platforms that they haven’t used in the past," Adi Zlotkin, head of security at GeoEdge, told SC Media UK, "if malvertising can be distributed in multiple formats and platforms, including video and VPAID, then it’s important for platforms and networks to be aware of this and ready to deal with the problem."

Paul Bischoff, privacy advocate with Comparitech, warns that "advertisers want people to go buy stuff when they click on an ad, but it's difficult to allow this without also allowing possible bad behaviour." At least, Bischoff says, it's difficult to do in a way that works across all browsers. "There are also concerns about iFrames within iFrames," he points out, "which can lead to problems with domain verification."

These iFrame’d advertisements are positioned for cross-site attacks, according to Craig Young, principal security researcher at Tripwire. "An advertiser with control of an iFrame on an interesting site is perfectly positioned to exploit DNS rebinding," Young told SC Media UK, "in this model, the attacker leverages the fact that they can manipulate DNS settings after content has been loaded." The end result being that same-origin policy (SOP) can be partly broken by making unauthenticated cross-site requests while still being able to receive response data. "This gives the malicious advertiser access to interrogate devices like printers, TVs, cameras, and file servers which may be otherwise protected by home or corporate firewalls," Young says.

Young recommends a two-tiered approach when it comes to mitigating a lot of risk from malicious advertising. "The first step is to get better control over what content is allowed to run and from where. This is achieved with a script blocking plugin like NoScript or specialised monitoring extensions such as EFF’s Privacy Badger," Young says, "the second to sinkhole name lookups to known intrusive advertising networks by setting up Pi Hole or a similar DNS filter." The strategy is by no means foolproof, but at least it forces the user to be more aware of what content browsers are loading while they surf the web.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews