WebRTC Adxploits Over DTLS-UDP: The Latest In A Series of Elegant Exploits
DEVCON Staff research
Maggie Louie CEO, Josh Summitt CTO, Andy Kahl Sr. Data Analyst
(for definitions and technical information, look for the footnote markers)
‘Criminal Exploitation of User Datagram Protocol Could Cost Publishers Hundreds of Millions’
What We Know So Far:
Over 25 separate attacks are being deployed using WebRTC over DTLS-UDP
90 percent of the recent attacks are distributed via AppNexus (note AppNexus is a victim in this attack along with the advertisers, publishers and consumers)
4 key brand decoy-ads being used to hide the attack
3 or more AWS STUN servers
188.8.131.52 - found in October 2018
184.108.40.206 - found in April 2019
220.127.116.11 - found in April 2019
Average publisher is being attacked 3 million times per month
$7K in estimated annual losses per small website
$600K + in estimated losses for a large enterprise publisher with 100 sites
$170M + in estimated losses for key newspaper, radio and tv sites in the US
DEVCON researchers have observed a massive surge in a series of attacks that could cost digital publishers hundreds of millions of dollars in intercepted programmatic revenue. While use of WebRTC to deliver exploits has been in practice since early 2018, the recent surge (which started early last month) is a bellwether: cyber criminals have arrived, and they aren’t going anywhere. 2019 has already proven to be the year of more elegant exploits, giving rise to the first use of Polyglot/Stegosploit (f1) to hide attack scripts as part of an image, and now to the most recent installment of elegant exploits, WebRTC Adxploits Over DTLS-UDP (f2), which bypasses security software that only monitors HTTP/TCP communications.
Inside Look at The Code
Normal fraud prevention tools are bypassed by creating a new communication channel in the web browser (a WebRTC channel carried over DTLS-UDP) that is not easily logged or intercepted. WebRTC allows malware to be side-chained into the victim’s web browser, and that’s when the innocent-looking ad shows its true colors. Malicious URLs seem to appear spontaneously out of nowhere, forcibly redirecting the user to another site with scams, spam, and phishing attempts.
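Because the side channel described above never touches the HTTP/TCP requests a publisher's existing tooling inspects, the practical detection point is the browser API itself. The following is an added example written for this page, not DEVCON's code or any product of theirs: a small instrumentation script a publisher could load before any ad creative, wrapping `RTCPeerConnection` so that every peer connection and data channel an ad script opens is recorded together with the STUN/TURN hosts it was configured with. The allowlisted host `stun.publisher.example`, the IP `203.0.113.7` and the `FakePeerConnection` stand-in are constructed for the demonstration; in a real page you would pass `window` instead of the fake scope.

```javascript
// Added example (not DEVCON's code): defensive instrumentation a publisher can
// load before any ad creative. It wraps the page's RTCPeerConnection so that
// every peer connection and data channel an ad script opens is recorded, along
// with the STUN/TURN hosts it was configured with, so a monitoring script can
// flag WebRTC side channels that HTTP-only logging never sees.

// Assumption: the publisher maintains an allowlist of ICE (STUN/TURN) hosts it
// legitimately uses; anything else is reported as unexpected.
const ALLOWED_ICE_HOSTS = new Set(['stun.publisher.example']);

// Pull scheme and host out of each ICE server URL in an RTCConfiguration.
// Handles both the single-string and array forms of `urls`.
function extractIceHosts(config) {
  const hosts = [];
  const servers = (config && Array.isArray(config.iceServers)) ? config.iceServers : [];
  for (const server of servers) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      if (typeof url !== 'string') continue;
      // e.g. "stun:203.0.113.7:3478?transport=udp" -> scheme "stun", host "203.0.113.7"
      const m = /^(stuns?|turns?):([^:?/]+)/i.exec(url.trim());
      if (m) hosts.push({ scheme: m[1].toLowerCase(), host: m[2] });
    }
  }
  return hosts;
}

// Replace scope.RTCPeerConnection with a recording wrapper. Returns the event
// log; each entry notes what was opened and the call stack it was opened from.
function installWebRtcMonitor(scope, allowedHosts = ALLOWED_ICE_HOSTS) {
  const events = [];
  const Original = scope.RTCPeerConnection;
  if (typeof Original !== 'function') return events; // nothing to wrap

  function MonitoredPeerConnection(config, ...rest) {
    const hosts = extractIceHosts(config);
    events.push({
      kind: 'peerconnection',
      hosts: hosts.map(h => h.host),
      unexpected: hosts.filter(h => !allowedHosts.has(h.host)).map(h => h.host),
      origin: new Error().stack, // attributes the connection to the creative's script
    });
    const pc = new Original(config, ...rest);
    const originalCreate = pc.createDataChannel;
    if (typeof originalCreate === 'function') {
      pc.createDataChannel = function (label, ...args) {
        events.push({ kind: 'datachannel', label: String(label) });
        return originalCreate.call(pc, label, ...args);
      };
    }
    return pc; // returning an object from a constructor makes `new` yield it
  }
  MonitoredPeerConnection.prototype = Original.prototype;
  scope.RTCPeerConnection = MonitoredPeerConnection;
  return events;
}

// Summarise the log the way a reporting beacon would: how much WebRTC activity
// occurred, and did any of it use ICE servers outside the allowlist?
function summarizeWebRtcEvents(events) {
  const unexpected = new Set();
  let dataChannels = 0;
  for (const e of events) {
    if (e.kind === 'datachannel') dataChannels += 1;
    if (e.kind === 'peerconnection') e.unexpected.forEach(h => unexpected.add(h));
  }
  return {
    peerConnections: events.filter(e => e.kind === 'peerconnection').length,
    dataChannels,
    unexpectedHosts: [...unexpected].sort(),
    suspicious: dataChannels > 0 && unexpected.size > 0,
  };
}

// Constructed stand-in for the browser's RTCPeerConnection so the example runs
// outside a browser; in a page you would pass `window` instead of this scope.
class FakePeerConnection {
  constructor(config) { this.config = config; }
  createDataChannel(label) { return { label, readyState: 'connecting' }; }
}

function demo() {
  const scope = { RTCPeerConnection: FakePeerConnection };
  const events = installWebRtcMonitor(scope);
  // Simulates an ad creative opening a data channel via an unknown STUN host
  // (constructed values, not IoCs from this report).
  const pc = new scope.RTCPeerConnection({
    iceServers: [{ urls: ['stun:stun.publisher.example:3478', 'stun:203.0.113.7:3478?transport=udp'] }],
  });
  pc.createDataChannel('payload');
  return summarizeWebRtcEvents(events);
}

console.log(JSON.stringify(demo()));
```

The wrapper must be installed before any third-party script runs, since a creative that captures the original constructor first cannot be observed; the recorded `origin` stack is what lets an analyst tie a flagged connection back to the ad slot and creative that opened it.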
Is This Important And Do I Care?
WebRTC and Polyglot attacks are not symptomatic of a zero-day attack, but they are symptomatic of a significant increase of sophisticated cyber criminals finding opportunity in the ad tech game. It’s a signal that everyone in the ad tech industry and security community needs to take note of. The new frontier is Ad threat.
How much do criminals stand to make off stealing ad spots from publishers? Here’s a breakdown that illustrates why bad actors are so incentivized to hijack ads. Keep in mind that these earnings for criminals (losses for publishers) are just for the ad revenue. They don't take into account additional revenue generated by underlying secondary attacks that earn through resale of stolen data, phishing attacks, crypto mining and so on. With more sophisticated cyber criminals jumping on the bandwagon, it’s just a matter of time before we see a major exploit. ‘Ad fraud’ is no longer an adequate term to define what is happening in the ad tech industry. We need to be talking about this in terms of Ad Threat.
If you’re a criminal, a niche area of technology that has very little security, is unregulated, and has built-in digital payment methods is the ultimate ecosystem for exploitation, one where you can leverage your Swiss army knife of exploits and obfuscation. Where else can you earn money for stealing inventory while self-funding the attack, and move your money into and out of accounts digitally and (in many cases) anonymously?
As many have acknowledged, simplistic domain blacklisting is not an adequate solution. These ever-evolving, increasingly sophisticated and dangerous threats require strong defenses to protect revenue and to protect consumers from exposure to attacks. A platform like DEVCON’s cyber security tools, which provide real-time cyber defense and threat intelligence for ad tech and malware, is where the industry needs to move in order to mitigate the existing cyber threats and close these windows of intrusion.
(f1) Polyglot/Stegosploit – a technique for browser attacks theorized by Saumil Shah in 2015 and discovered in the Adxploit ecosystem by DEVCON researchers in February 2019.
(f2) WebRTC (Web Real-Time Communication) is an open-source set of protocols, most commonly used for audio and video communication, that has support from major technology companies. Hackers aren't using it for video chats; they're using these tools to avoid detection by sending the exploits over WebRTC on UDP (User Datagram Protocol), which is stateless, instead of TCP (Transmission Control Protocol).