MAD Monday

Cookie-stuffing ad attacks continue

I recently started adding the malvertizing category to posts which discuss Flash-based cookie-stuffing ads. There can be no question that this form of advertising is deliberately harmful. At the end of the day, an unscrupulous advertiser is using the online advertising networks to target the hard-earned users of legitimate publishers. The nature of the targeting is such that if the publisher gets in the way (let’s say the publisher is an Amazon affiliate and the attacker is targeting Amazon), then the attacker is potentially stealing not only from Amazon the merchant, but from the publisher as well (the publisher loses conversions!).

If you are an Amazon affiliate and you see the following Google display ads on your Web site (red arrows), then you may have a problem:

Ad #1

Ad #2

From the screenshots above, we see Google ads displayed on highdefforum.com and clipwithpurpose.com. These ads are engaging in Flash-based cookie-stuffing. We know from previous posts that this means the ads are forcing cookies into the browsers of unsuspecting users. The cookies signal merchants to pay an affiliate in the event that a purchase is made. In this scenario, the ads are targeting Amazon. So in the event that a consumer who sees one of these ads then makes a purchase from Amazon within 24 hours, the affiliate (the advertiser in this case) is paid a small percentage.

If you browse through clipwithpurpose.com, you will encounter a number of affiliate links, i.e., clipwithpurpose.com is a legitimate affiliate. Now whilst I have only seen the ads from today’s post targeting Amazon, it’s possible that they are targeting other merchants as well. In which case, clipwithpurpose.com may see a significant decline in their own conversion rate.

Attack Analysis

The attack from ad #2 is not as sophisticated as the first. As a result, it makes for a good example when trying to understand an attack in detail. I’ll step you through a packet capture from the attack with some comments (// this is a comment added by me).


GET /pagead/imgad?id=CICAgICQ0Z-rThD6ARj6ATIIE2mQJPQmZJQ HTTP/1.1 // the browser makes a request for an ad
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: pagead2.googlesyndication.com

HTTP/1.1 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
Content-Type: application/x-shockwave-flash // Google responds with an ad and it's flash
Date: Fri, 01 Jun 2012 16:20:27 GMT
Expires: Fri, 08 Jun 2012 16:20:27 GMT
Cache-Control: public, max-age=604800
X-Content-Type-Options: nosniff
Server: cafe
Content-Length: 16180
X-XSS-Protection: 1; mode=block

------------------------------------------------------------------
GET /img/0/R.jpg HTTP/1.1 // the flash ad has rendered, it is now requesting an image
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQ0Z-rThD6ARj6ATIIE2mQJPQmZJQ
x-flash-version: 11,2,202,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.dogsvscats.info // this is the host that the image is being requested from
Connection: Keep-Alive

HTTP/1.1 302 Found // the host says it doesn't have the image, but it knows where it can be found
Vary: Accept-Encoding
Date: Fri, 01 Jun 2012 16:20:29 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.11
Set-Cookie: PHPSESSID=85e9465ed033e8202a0959538f4516f6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.dogsvscats.info/img/kick/0/R.jpg // new location of the image, note the tricky https
Content-Type: text/html
Content-Length: 0

------------------------------------------------------------------
CONNECT www.dogsvscats.info:443 HTTP/1.0 // set up an SSL tunnel
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.dogsvscats.info:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 DecryptTunnel Established
Timestamp: 09:20:25.341

------------------------------------------------------------------
GET /img/kick/0/R.jpg HTTP/1.1 // the redirected request for the new image location, now over SSL
Accept: */*
Accept-Language: en-US
Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CICAgICQ0Z-rThD6ARj6ATIIE2mQJPQmZJQ
x-flash-version: 11,2,202,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.dogsvscats.info
Connection: Keep-Alive
Cookie: PHPSESSID=85e9465ed033e8202a0959538f4516f6

HTTP/1.1 302 Found // the host says it doesn't have the image, but knows where it can be found
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 01 Jun 2012 16:20:30 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.11
Location: http://www.dogsvscats.info/img/t/0/R.jpg // new image location
Content-Type: text/html
Content-Length: 20

------------------------------------------------------------------
GET /img/t/0/R.jpg HTTP/1.1 // new request for new image location
Accept: */*
Accept-Language: en-US
Connection: Keep-Alive
x-flash-version: 11,2,202,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Cookie: PHPSESSID=85e9465ed033e8202a0959538f4516f6
Host: www.dogsvscats.info

HTTP/1.1 302 Found
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 01 Jun 2012 16:20:30 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.11
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.amazon.com/dp/B006596HUC/?tag=conshomgarvar-20 // host says go to amazon for the image
Content-Type: text/html
Content-Length: 20

------------------------------------------------------------------
GET /dp/B006596HUC/?tag=conshomgarvar-20 HTTP/1.1 // request to amazon using an affiliate id, game over
Accept: */*
Accept-Language: en-US
Connection: Keep-Alive
x-flash-version: 11,2,202,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.amazon.com

HTTP/1.1 200 OK
Date: Fri, 01 Jun 2012 16:20:31 GMT
Server: Server
x-amz-id-1: 0NX7W235169WKP4TZ3D5
p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC "
x-frame-options: SAMEORIGIN
x-amz-id-2: rSCvAcCbhoCS+ofniG5M0DZDB3bMY/mjZhnowEdTXvk3BTweCfPw1UoODVrXZCAR
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Type: text/html; charset=ISO-8859-1
Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue, 01-Jan-2036 08:00:01 GMT
Set-cookie: session-id=176-4249818-9170718; path=/; domain=.amazon.com; expires=Tue, 01-Jan-2036 08:00:01 GMT
Set-cookie: UserPref=fyG2emcg8AGmjd5hBs/xlsRUdz58jxKO6c/4Bmc7RO7Udec+o+eyNYHpabDenGo3i3rTW+PdRhKBCiB41uU/DI4FzaFNsbhbdggJoOGIGc4T0Tb/aS5VzYLHap8aqHGMr7vT/eBqIm6QxUdab5Nj7SeL/JxwYPyt/tjCzxJm596k3mVAWPTvGgWVLqc9hnQTUWbmWxAkH8iTm+RF3In1MoZOfyUeKyhqftHIju1qoNrVdlXFWtrS944JCJS267FAT96WUJnRb0RdGlS+bYB1KN3O5pYjsaDNTGOOqf7iPZbLBJb7PoHK8Tt4rSRrJNWElt0gsCgasmN15ySn7BzgZnP2PKH9qpIgVcHi6TK2ml1BRjinks4wpeNNEzYI8jrV1Q7GLMQNyYXt829DUdOL/AkO/l40knUmIFsh7+KBg7oMQIy8axUUNNeTZUw64KNcvXb5oGMEp/E=; path=/; domain=.amazon.com; expires=Fri, 08-Jun-2012 16:20:31 GMT
Transfer-Encoding: chunked

------------------------------------------------------------------

The Amazon affiliate id responsible for cookie-stuffing from ad #2 is “conshomgarvar-20”. It cycles through a few others, but not as many as ad #1 (which involves several redirect domains, better targeting and at least a dozen affiliate ids). I’m not sure why these guys use so many redirects; I have seen as many as twenty redirects in other attacks. Perhaps it is an attempt to throw off other archaic forms of fraud detection?

Why are these advertisers allowed to do this?

Fortunately there already exists some mitigation to prevent attacks like these: normal advertisers like you and me are simply not allowed to upload our own Flash creative into the Google network. Google and the large online advertising networks have fairly rigid templates defined, and whatever it is that we want to advertise simply has to fit within those guidelines or it is a no-go. This works out really well until someone manages to jump over this barrier and into the trusted advertiser zone.

When elevated to this privilege, it appears that advertisers are allowed to construct creatives that depend upon a third party beyond the control of Google. So if you were allowed to take a look at Google’s threat model for this scenario, you would see an arrow in one of their data flow diagrams that shoots out of trusted territory and into the unknown.

The request from the creative in ad #2 to www.dogsvscats.info for an image that may have seemed fairly harmless at ingestion time (and probably served up an actual image when it was reviewed) was the dependence upon a third party. Once the ad was up and running on the Google network, all the attacker had to do was change the location of the image (the 302s we saw from the packet trace) and Voilà: enter a powerful cookie-stuffing machine.

How to mitigate this further?

Pushing the advertisers highlighted today out of the trusted zone (or simply closing their accounts) will solve the immediate problem of these two advertisers in the short term. Removing the privilege of being allowed to depend on a third party for content as a trusted advertiser would act as mitigation over the longer term. This seems like a fairly draconian step, for there are legitimate scenarios amongst trusted advertisers where this works out really well. In which case, mitigation has to take the form of monitoring the ads, with the consequence of a rapid takedown in the event of an infraction (a huge undertaking!).
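As an added illustration (not code from the original post), the check below re-walks the redirect chain from the packet trace in the attack analysis, using responses constructed from its headers, and shows what the monitoring pass suggested above would look for in a trusted creative's third-party dependency: an "image" request that resolves to a non-image, hops off-host, or lands on a URL carrying an affiliate id. The non-Amazon parameter names are assumptions.

```python
from urllib.parse import urlparse, parse_qs
# Constructed responses keyed by URL: (status, headers) taken from the trace above.
RESPONSES = {
    "http://www.dogsvscats.info/img/0/R.jpg":
        (302, {"Location": "https://www.dogsvscats.info/img/kick/0/R.jpg",
               "Content-Type": "text/html"}),
    "https://www.dogsvscats.info/img/kick/0/R.jpg":
        (302, {"Location": "http://www.dogsvscats.info/img/t/0/R.jpg",
               "Content-Type": "text/html"}),
    "http://www.dogsvscats.info/img/t/0/R.jpg":
        (302, {"Location": "http://www.amazon.com/dp/B006596HUC/?tag=conshomgarvar-20",
               "Content-Type": "text/html"}),
    "http://www.amazon.com/dp/B006596HUC/?tag=conshomgarvar-20":
        (200, {"Content-Type": "text/html; charset=ISO-8859-1"}),
}
# Query parameters that carry an affiliate id. "tag" is Amazon's (seen in the
# trace); the others are assumed names for other merchants' programs.
AFFILIATE_PARAMS = {"tag", "aff", "affid"}
REDIRECTS = {301, 302, 303, 307, 308}

def follow_chain(start_url, responses, max_hops=20):
    """Walk Location headers from start_url and return every URL visited."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        if status not in REDIRECTS or "Location" not in headers:
            break
        url = headers["Location"]
        chain.append(url)
    return chain

def check_creative_dependency(start_url, responses):
    """Re-check an image URL a creative loads; an empty list means nothing suspicious."""
    chain = follow_chain(start_url, responses)
    final_url = chain[-1]
    _, headers = responses.get(final_url, (None, {}))
    findings = []
    # An "image" that resolves to a non-image type is suspicious on its own.
    if not headers.get("Content-Type", "").startswith("image/"):
        findings.append("image request resolved to " + headers.get("Content-Type", "unknown"))
    # Crossing to another host via redirects is the third-party dependency in action.
    if urlparse(final_url).netloc != urlparse(start_url).netloc:
        findings.append("redirected off-host to " + urlparse(final_url).netloc)
    # An affiliate id on the final URL is the cookie-stuffing signature itself.
    params = parse_qs(urlparse(final_url).query)
    for p in sorted(AFFILIATE_PARAMS & set(params)):
        findings.append("affiliate id %s=%s after %d hops" % (p, params[p][0], len(chain) - 1))
    return findings
```

Run periodically against each third-party URL a trusted creative was approved with; a creative whose dependency was clean at review time and later produces findings is the signal for takedown.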
