Common Information
| Type | Value |
|---|---|
| Value |
Malvertising - T1583.008 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may purchase online advertisements that can be abused to distribute malware to victims. Ads can be purchased to plant as well as favorably position artifacts in specific locations online, such as prominently placed within search engine results. These ads may make it more difficult for users to distinguish between actual search results and advertisements.(Citation: spamhaus-malvertising) Purchased ads may also target specific audiences using the advertising network’s capabilities, potentially further taking advantage of the trust inherently given to search engines and popular websites. Adversaries may purchase ads and other resources to help distribute artifacts containing malicious code to victims. Purchased ads may attempt to impersonate or spoof well-known brands. For example, these spoofed ads may trick victims into clicking the ad which could then send them to a malicious domain that may be a clone of official websites containing trojanized versions of the advertised software.(Citation: Masquerads-Guardio)(Citation: FBI-search) Adversary’s efforts to create malicious domains and purchase advertisements may also be automated at scale to better resist cleanup efforts.(Citation: sentinelone-malvertising) Malvertising may be used to support [Drive-by Target](https://attack.mitre.org/techniques/T1608/004) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), potentially requiring limited interaction from the user if the ad contains code/exploits that infect the target system's web browser.(Citation: BBC-malvertising) Adversaries may also employ several techniques to evade detection by the advertising network. For example, adversaries may dynamically route ad clicks to send automated crawler/policy enforcer traffic to benign sites while validating potential targets then sending victims referred from real ad clicks to malicious pages. This infection vector may therefore remain hidden from the ad network as well as any visitor not reaching the malicious sites with a valid identifier from clicking on the advertisement.(Citation: Masquerads-Guardio) Other tricks, such as intentional typos to avoid brand reputation monitoring, may also be used to evade automated detection.(Citation: spamhaus-malvertising) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2016-03-21 | 1 | A Week in Security (Mar 13 – Mar 19) | Malwarebytes Labs | ||
| Details | Website | 2016-03-16 | 16 | A Look Into Malvertising Attacks Targeting The UK | Malwarebytes Labs | ||
| Details | Website | 2016-03-10 | 18 | Exploit Kits 2015: Flash Bugs, Malvertising Dominate | ||
| Details | Website | 2016-03-01 | 8 | Angler Attempts to Slip the Hook | ||
| Details | Website | 2016-03-01 | 1 | Operation Fingerprint: A Look Into Several Angler Exploit Kit Malvertising Campaigns | Malwarebytes Labs | ||
| Details | Website | 2016-02-29 | 14 | De-obfuscating malicious Vbscripts | Malwarebytes Labs | ||
| Details | Website | 2016-02-22 | 1 | A Week in Security (Feb 14 – Feb 20) | Malwarebytes Labs | ||
| Details | Website | 2016-02-16 | 19 | Tech support scammers use subdomain trick to defeat blocking (updated) | Malwarebytes Labs | ||
| Details | Website | 2016-02-09 | 15 | Bedep Lurking in Angler's Shadows | ||
| Details | Website | 2016-02-03 | 0 | Understanding Fileless Malware Infections – The Full Guide | ||
| Details | Website | 2016-01-20 | 0 | Hacking your head: how cybercriminals use social engineering | Malwarebytes Labs | ||
| Details | Website | 2016-01-19 | 2 | A Sneak Peek Inside a Hacker's Toolbox | ZoneAlarm Security Blog | ||
| Details | Website | 2016-01-07 | 9 | Rigging compromise - RIG Exploit Kit | ||
| Details | Website | 2016-01-07 | 9 | Rigging compromise - RIG Exploit Kit | ||
| Details | Website | 2016-01-07 | 6 | Malvertising Campaign via Pop-under Ads Sends CryptoWall 4 | Malwarebytes Labs | ||
| Details | Website | 2016-01-01 | 96 | Virus Bulletin :: VB2014 paper: Notes on click fraud: American story | ||
| Details | Website | 2015-12-29 | 47 | Safe Browsing Scam: From Amazon to Rackspace | Malwarebytes Labs | ||
| Details | Website | 2015-12-24 | 9 | December Dridex variant and the best way to clean it without using Safe Mode and detect it using file and registry auditing | ||
| Details | Website | 2015-12-15 | 46 | The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK | Proofpoint US | ||
| Details | Website | 2015-12-15 | 4 | A DoubleClick https open redirect used in some malvertising chain | ||
| Details | Website | 2015-12-11 | 11 | Security Alert: TeslaCrypt Infections Rise, Hit European Companies | ||
| Details | Website | 2015-12-11 | 9 | Spike in Malvertising Attacks Via Nuclear EK Pushes Ransomware | Malwarebytes Labs | ||
| Details | Website | 2015-12-10 | 0 | Latest Update Patches 78 CVE-classified Flash Security Vulnerabilities - Darknet - Hacking Tools, Hacker News & Cyber Security | ||
| Details | Website | 2015-11-23 | 2 | Holiday Shopping Threat Avoidance | ||
| Details | Website | 2015-10-19 | 3 | A Week in Security (Oct 11 - Oct 17) | Malwarebytes Labs |