Investigating a malvertising scheme that tricked one of the world’s largest search engines is a dangerous game. Here’s how to do so safely:
A recent malware campaign targeted and abused Google advertising to direct unsuspecting users to a fraudulent tech support network. The campaign worked by leveraging popular keywords to trigger advertisements which redirected from legitimate domains to malicious ones without the users knowing. By hijacking specific keywords of websites users may search for with advertisements, the malware campaign appears to be legitimate while still being able to take the target to malicious content.
The malicious content in question may not always be traditional malware which downloads onto your machine. The goal of the scheme, instead, may be to get you to call a certain number (masquerading as tech support in this case), locking the browser or stealing data and sensitive information.
This isn’t the first malvertising campaign to target a major ad network such as Google’s and is unlikely to be the last. Researchers and analysts need to be able to investigate such schemes safely and effectively with a purpose-built solution and guaranteed isolation from the threats they are hunting.
Investigating malvertising schemes
When investigating malvertising schemes such as the recent campaign on Google ads, there are several considerations for researchers.
1. Appearing legitimate
The hackers behind malvertising schemes, especially those who target tech behemoths like Google, realize they need to protect their sites from security analysts. A major pitfall of many security operation centers (SOCs) and cyber threat intelligence (CTI) team investigations is to tip off the website admin by relying on VPNs or DIY networks which can be easily detected. This leaves the SOC unable to investigate or recreate the malicious activity, leaving them in the dark about what data may be collected, who could be behind it or who else may be at risk.
To investigate, researchers need to look like a regular user. With each new session of Silo for Research, not only can they do this, but they can manipulate the location and other browser attributes, such as user agent, to see how it affects the results. This allows teams to collect data on what may or may not trigger the malvertising scheme and gain valuable insights into the campaign.
Within the platform, you can also view network traffic. By having the ability to view redirects, inspect what content is being sent and view the website content and JavaScript, researchers can collect valuable data while staying in a 100% isolated environment.
2. Not getting hooked
Assuming a researcher on a VPN doesn’t tip off the web admins or get blocked from viewing the redirect, they have a new challenge to contend with — making sure they don’t get hooked by the very same scheme they're investigating. Researchers need 100% isolation to prevent data leaks. If the scheme works by locking or stealing information from the browser, a researcher needs to know that isolation is guaranteed, and they can simply exit and start a new session.
For the most effective investigations, analysts need the ability to download malicious content and play around with it in a cloud-based sandbox that never touches your machine.
Purpose-built to solve
The best way to investigate malvertising schemes like the recent Google exploit, is with a tool built for the explicit purpose of investigating malware, phishing and other malicious content. Silo for Research offers 100% isolation and control of the digital fingerprint, which not only protects the researcher, but protects their organization by allowing them to manipulate their identity to collect as much useful information as possible while remaining anonymous. For a researcher, having the ability to collect and analyze information from malicious sites securely, enables them to protect users and future victims of malvertising attacks.
Similarly, researchers need to be able to safely exfiltrate data from the network without compromising the security of their own machines, networks, or identities. Silo for Research allows them to collect information and perform analysis on the collected content, such as JavaScript, from a safe vantage point with their team. The ability to knowingly interact with malicious content is invaluable for a researcher — and can only be made possible by a purpose-built research platform.
To learn more about how you can safely investigate malvertising schemes while keeping your team’s online research secure and anonymous, try Silo.
Tags Phishing/malware Secure web access SOC Threat intelligence