Maverick internet cop Chrome 64 breaks rules to thwart malvert scum

The largest malvertising campaign in 2017 involved 28 fake ad agencies, which were used to generate about one billion ad views across 62 per cent of ad-supported websites, according to publishing security biz Confiant.

By malvertising, we mean ads that try to trick people into installing fake Adobe Flash updates, bogus antivirus packages, scareware, and other software nasties that are actually bits of malware or ransomware that hijack Macs and Windows PCs.

The campaign was, Confiant claims, run by an organization dubbed the Zirconium group that was supported by a shell company incorporated in Scotland with partner organizations based in the Seychelles.

In an email to The Register, Confiant chief technology officer and cofounder Jerome Dangu said his biz came up with name Zirconium as a riff on the diamond-themed name of the shell company at the heart of the campaign.

"Typical established malvertising groups, like the Kovter Group, operate sporadically, running highly evasive campaigns for a few days and then disappearing," he said. "Zirconium was live for the whole year, running campaigns on multiple tier-one ad platforms at once."

Dangu said Zirconium's campaigns were eventually shut down after its malicious activities were uncovered.

Rule breaker

At some point on Tuesday or shortly thereafter, Google is scheduled to release Chrome 64 to its stable channel, bringing with it an unorthodox defense against the Zirconium group's favored attack technique "forced redirects," in which ads make browsers open unwanted websites.

"Under the hood, [the attack technique] is as simple as top.window.location = 'http://malicious...' but there are variations like an <a target="_top">link that gets clicked automatically in JavaScript," explained Dangu. "To protect this code from detection, malvertisers rely heavily on evasion techniques like JavaScript fingerprinting."

The goal of fingerprinting is to separate potential victims from security researchers and bots and other automated systems trying to detect malicious activity.

As Google explained last November, "in Chrome 64 all redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user had been interacting with that frame."

The pop-up blocker in Chrome will also try to stop websites from abusive interface practices like disguising third-party websites as play buttons or creating transparency overlays to hijack clicks.

According to Dangu, Google is flouting web standards by changing redirect behavior.

"Chrome is actually breaking the web standards by blocking forced redirects," he said. "The Chrome team calls this class of features 'Interventions' – they benefit the user experience but contradict the standards. Other browsers haven't shown signs that they will follow suit."

Crooks forced to used forced redirects

In his blog post, Dangu explained the addition of stronger security mechanisms among all the major browser makers over the past few years has made exploit-based malvertising less effective.

So those conducting malvertising campaigns have been making more use of forced redirects to conduct affiliate fraud and to serve malware. Often, these schemes involve social engineering, to trick victims into clicking somewhere or granting permission without realizing it, says Dangu.

Zirconium, said Dangu, managed both supply and demand: it drove netizens to pages displaying its network's dodgy ads. It created fake ad agencies to buy traffic from legitimate ad platforms and then resold the traffic to affiliate marketing platforms that he said don't ask too many questions.

Dangu said as with other cybercrime operations, he expects it will be difficult for authorities to do much given the byzantine corporate structure of the operation.

And he said malvertising is getting worse. "Chrome's change is a direct reaction to the deterioration of the security environment for ad monetized websites," he said. ®