Decoding ScamClub’s Malicious VAST Attack

The Fingerprint Information Inside the Attacker Environment Variable:

The data encapsulated within this variable is delimited by ‘|’. It undergoes partial concealment through various techniques, including base64 encoding, md5 hashing, and string obfuscation. The attacker employs additional characters to obscure the string, and the data’s order undergoes constant permutation.

Crucial fingerprint:

  1. IP Address
  2. Country Code
  3. Hostname of the client’s location
  4. Site ID (Hostname + ID)
  5. Timestamp of the tag’s request
  6. Ad Exchange Server
  7. Browser Name
  8. Browser Version
  9. Operating System
  10. Hash of the Timestamp + IP + Salt
  11. Bid ID
  12. X-RTB ID

It’s noteworthy that not all data elements may be present at all times. Figure 4 illustrates instances where certain data is absent, denoted by ‘||’ without accompanying information. This variability in data completeness adds an additional layer of complexity to the fingerprinting process, making it more challenging to predict the exact structure and content of the embedded information.

Advantages:

  1. Important fingerprint data: the malicious script will use this information later within the fingerprint functions.
  2. Blocking test environments: if this variable is absent, it indicates a test environment, and the script won’t render.

The Fingerprint functions used in the malicious script:

  1. IP Address Consistency: The script checks whether the IP address associated with the current request matches the one stored in the fingerprint data.
  2. Time Differential: Time is a critical factor in AdTech security. The script enforces a stringent time constraint, allowing only requests with a time difference of less than 60,000 milliseconds (or 60 seconds) to proceed. This temporal validation acts as a defense against reproducing the attack.
  3. Timezone Synchronization: Recognizing the significance of timezone information, the script ensures that the timezone in the current request aligns precisely with the one recorded in the fingerprint data.
  4. Location Fingerprint Verification: The script compares the location data embedded in the fingerprint data with the dynamically retrieved current location. This meticulous check ensures that the location information remains consistent.
  5. Anti-Debug Verification: Strengthening the script’s resilience, an anti-debug function has been incorporated. This function actively detects and thwarts debugging attempts, adding an additional layer of defense against reverse engineering and analysis.

If the script encounters failures during execution, it will proceed to perform additional fingerprint functions, such as verifying security vendors.

If the script passes those checks, it sends a POST request to the malicious ad server with additional fingerprint data, such as:

1. IFrame Presence Check:
This method involves checking whether the ad is displayed inside an iFrame. If the ad is detected within an iFrame, it serves as an indicator that the script is operating in a specific environment. This check helps the attacker distinguish between real-world ad-serving scenarios and potential test environments or controlled setups.

2. WebGL Fingerprinting:
WebGL is a JavaScript API that allows for rendering interactive 2D and 3D graphics within a web browser. By extracting WebGL-related information, such as supported extensions and renderer details, the attacker gains insight into the capabilities and configurations of the user’s browser. This information can contribute to creating a unique fingerprint for the user’s device, enhancing the script’s ability to identify and track users.

3. OS Touch Event Check:
This method involves determining whether the user’s operating system supports touch events. The presence or absence of touch events can be indicative of the device’s nature (e.g., mobile or desktop). This information aids in refining the user’s device profile, allowing for more targeted and specific fingerprinting.

4. DOM Data Fingerprinting:
Fingerprinting based on Document Object Model (DOM) data involves extracting and analyzing various attributes and properties of the DOM. This can include details about the structure of the webpage, the presence of certain elements, and other unique identifiers. By comprehensively examining the DOM, the attacker can create a distinctive fingerprint that contributes to the overall identification of the user’s browsing environment.

These additional fingerprinting methods showcase the attacker’s sophisticated approach to gathering diverse and granular information about the user’s device and browsing context. Each method contributes unique data points to the fingerprint, enhancing the script’s ability to create a robust and distinctive profile for targeted identification and tracking within the ad tech ecosystem.

The malicious ad server utilizes this data to determine whether to redirect the client to the scam page.

ScamClub Malicious Video Campaign

Several months back, ScamClub initiated their assault through video VAST campaigns.

Source: https://www.geoedge.com/decoding-scamclubs-malicious-vast-attack