Like a Movie Plot: the 3ve Defrauding Scheme

Recently I read about the interesting fraud on digital advertising named “3ve”. It is possible to read about it for example on ArsTechnica here or in a paper by Google and White Ops here. But I kept thinking about this story and how much (at least to me) it resembles a movie plot, something like an Ocean’s movie. So, as the first blog entry of 2019 I have decided to write down a short background of facts and ideas that resembles a movie plot. Obviously, in what follows most technical details are skipped or not completely described, but if interested you can read the articles I mentioned above on the true story.

So here it goes.

We are all used to the advertisements which appear on web-sites and mobile apps pages. Indeed it is quite simple to make little money by reserving space for advertisement on a web-site. These advertisement spaces are used by digital advertising companies. The idea is that when a visitor clicks on an advertisement, the owner of the web-site earns a very small amount of money. But how to get a lot of money out of it?

By now it is a well-known fraud to create web-sites with advertisements and have programs to click on the advertisements. Digital advertising companies have therefore introduced countermeasures to be able to distinguish between a real person and a program.

But as usual, it is possible to have “smart” ideas…

To simulate real “persons” it is possible to:

  • create a web-site with plenty of space for advertisement
  • make a contract with a digital advertising company to place advertisements on your web-site
  • develop a special program which clicks on the advertisements on your web-site
  • rent one or more botnets of Personal Computers (PCs) infested with malware
  • install your program through the malware on these PCs.

This will make it look like as if the owner of the PC has visited your web-site and clicked on the advertisement. In principle you should be paid accordingly.

However there are costs not only due to the rental of the botnet, but also to the special program which must be continuously developed and updated. Indeed digital advertising companies are well aware of this fraud and monitor all clicks on the advertisements to distinguish between a real person and a program. They collect a lot of information on the visitor making the click like: cookies, fingerprint of the browser and PC, navigation on the web-site, language of the user etc. The special program must be able to fake all this information and all checks the digital advertising companies keep introducing.

And this in not all, also anti-viruses sooner or later identify the malware, the special program and clean up the PCs, which requires to start all over again.

Moreover digital advertising companies check also the internet IP address of the PC, its geolocalisation and the time of access to be sure that they are consistent. For example: it is not possible that millions of different “persons” click on the same advertisement connecting from the same unique IP address, or that millions of americans click on an advertisement in Europe in the middle of the night in a language they typically do not understand.

To bypass these checks, it is simpler to adopt the following:

  • set up your own servers (without anti-viruses)
  • run on these servers multiple copies of the special program
  • assign to the servers appropriate IP addresses that mimics a real person including location, timezone, language etc.

This eliminates the need for botnets, related malware and updates due to anti-viruses detection.

But how to get appropriate IP addresses? And here comes the “smart” idea…

First of all, it is necessary to create a few Internet Provider companies, for example one in Europe, one in North America etc., which host the servers and provide also access to internet to some normal companies so to gain business credibility.

The next step requires a short reminder on how internet IP addresses are assigned. Regional Internet Registries like ARIN, RIPE, APNIC, assign blocks of IP addresses to companies which ask for them. A company which asks for IP addresses, is assigned one (or more) Autonomous System (AS) number to which in turn are assigned the blocks of IP addresses.

However if a company closes, goes bankrupt etc. for some time the AS number and the blocks of IP addresses remain assigned to the company but are unused. So here is the trick:

  • identify valid but unused AS numbers and blocks of IP addresses
  • create fake contracts between the companies rightful assignee of the AS numbers and the Internet Provider you have created to fake business credibility
  • assign these AS numbers to the Internet Provider routers (this is called “BGP Hijacking”)
  • assign and fast permute the related IP addresses to the servers running your program.

This way of hijacking IP addresses has been until recently with low chances of detection.

Another way of hijacking blocks of IP addresses is to steal unused IP addresses assigned to active companies, that is to used AS numbers. But in this case there are higher chances of detection due to company checks.

There exists a relative high number of unused AS numbers and unused blocks of IP addresses with different geolocalisation and this makes it possible to fake millions of clicks which will bypass the elaborate checks of the digital advertising companies. In this way it is possible to steal millions of dollars from digital advertising companies.

In a movie plot the story would end here, the money would be collected and the entire operation would be closed down forever.

In real life it is not easy to keep such a big operation unnoticed. Indeed sooner or later digital advertising companies would wonder why a certain web-site generates so many clicks and they will start to investigate and “follow the money”. From the technical point of view, after a deeper investigation it would turn out that the visits to that web-site all come from the same Internet Provider and that most of the companies which are “customers” of the Internet Provider are actually closed or bankrupted. Moreover, companies that monitor traffic on all their used and unused IP addresses, will easily detect if some addresses have been hijacked.

In the real case of 3ve, after having managed to defraud the digital advertising companies of $29M, some of the culprits have indeed been caught and apprehended.

AutoCAD malware

Recently I have paid some attention to AutoCAD and similar software. Not that I use them or that know much about them, but it definitively striked me both the complexity and the amazing features that some of these applications have. But with complexity, large number of features and dimension of code, come also vulnerabilities, even security vulnerabilities.

A few days ago I noticed this article (here a less technical summary) about AutoCAD malware, which has been around for more than 10 years. The purpose of this malware can be twofold: just another malware infecting channel, or more likely, a very targeted attack channel. Indeed CAD software is used for designing buildings, bridges, tunnels, roads etc., and some blueprints can be worth millions. Companies have taken notice of this, and security features have been introduced in the applications.

But the issue which does not seem to be appreciated enough (I have no statistics though, so I can be wrong on this) is the patching process (and this is not limited to CAD software but applies to other specialised software as for example digital audio or gaming). It seems to me that some of these applications are seldom updated (one needs to download/buy a new version) or that security patches are bundled together with new functionalities which can come at a cost, at least after the initial few years of support.

In my opinion, in an ideal world security patches should be provided for free to anyone until the program is supported. Obviously this can have economical impacts on the company producing the software and could require changes in the way software is built, sold and distributed (costs again).

Da Multics a Meltdown e Spectre

Ultimamente ho dedicato del tempo alle vulnerabilità Hardware di quest’anno, principalmente Meltdown e Spectre nelle loro molteplici varianti.

Non ho aggiornato questo blog, ma ho pubblicato tre articoli dal titolo “L’Hardware e la sicurezza IT” sulla rivista online ICTSecurity. In questi articoli sono ripartito dagli anni ’60, in particolare da Multics, quando l’architettura e le funzioni di sicurezza dell’Hardware sono stati inizialmente disegnati, per arrivare a Row Hammer, gli attacchi alla Cache, Meltdown e Spectre.

Adesso ho sicuramente le idee un po’ più chiare sul significato ad oggi di queste vulnerabilità, anche se mi è molto meno chiaro cosa possano comportare nel futuro.

Meltdown and Spectre bugs should help improve IT Security

Yes, I want to be positive and look at a bright future. Everybody is now talking about the Meltdown and Spectre bugs (here the official site). I think that these Hardware bugs at the end will help improve the security of our IT systems. But we should not underestimate the pain that they could cause, even if it is too early to say this for certain since patches and countermeasures could be found for all systems and CPUs or, at the opposite, there could appear unexpected exploits.

The central issue is that IT and IT Security in particular, depend crucially on the correctness of the behaviour of the Hardware, first of all of the CPUs. If the foundation of the IT pillar is weak, sooner or later something will break. Let’s then hope that the Meltdown and Spectre bugs will help design more secure IT Hardware and, in the long run, improve IT Security as a whole.

Rowhammer, SGX and IT Security

I am following with interest the developments of the Rowhammer class of attacks and defenses, here there is one of the latest articles. (As far as I know, these are still more research subjects than real-life attacks.)

Already at the time of the Orange Book (or more correctly the “Trusted Computer System Evaluation Criteria – TCSEC”) in the ’80s, it was clear how important the hardware is in building the chain of trust on which IT Security relies.

Rowhammer attacks follow from a hardware security weakness, even if this weakness is also a hardware strength: the increase in density and decrease in size of DRAM cells, which allows to build memory banks with lower energy consumption and higher capacity. Unfortunately this allows the near-location memory bit-flipping that can give rise to a total compromise of the IT system, that is a Rowhammer attack. It is true that there exist memory banks with Error Correction Codes (ECC) which make the Rowhammer attacks quite hard, but these memory banks are more expensive, a little slower and available only on high-end server computers. One can look at it as a hardware feature which carried within an unexpected security weakness.

As it turns out, it seems very hard to find software measures which can detect, block or prevent Rowhammer attacks. Many different software defences have been proposed, but as of today none is really able to completely stop all Rowhammer types of attacks. A hardware weakness seems to require only hardware countermeasures.

To make the situation even more intriguing, the hardware-based Intel SGX security enclaves can be mixed-in in this scenario. Intel SGX is a hardware x86 instruction-set extension which allows to securely and confidentially execute programs in an isolated environment (called a “security enclave”). Nothing can directly look into a SGX security enclave, not even the Operating System, to the point that data can be computed in it even on systems controlled by an adversary (but SGX security enclaves are not immune from side-channel attacks). Rowhammer attacks cannot be performed from outside against programs running in a SGX security enclave. Vice-versa, a SGX security enclave in some conditions can run, without been detected, a Rowhammer software to attack the hardware and programs running on it. Overall it seems that Intel SGX security enclaves can provide extremely interesting IT security features but at the same time can also be abused to defeat IT security itself.

All of this becomes more worrisome when thinking of Virtual Machines and Cloud Services.


Complexity, abstraction and security

Reading news like this one, I wonder how we could improve managing IT security or just be able to keep up with the current development of IT. I see two main trends:

  • complexity: IT systems are getting more complex at a very high speed; every system should connect with every other, should provide an incredibile number of features to different users, should run on many different platforms, and so on
  • abstraction: to be able to manage this complexity, the approach is to abstract the programming and managing level of IT: programming can take advantage of existent modules and just connect them appropriately at the functional level, providing also functionalities to monitor and manage the IT system themselves (for example it is now possible to deploy entire applications or virtual infrastructures just with a couple of “clicks”).

But what about security? Even if each component is “secure” (according to some definition of this word), how can be evaluated the “security” of the current and future IT systems?

There is no doubt that IT security in the last years has been a difficult subject, but I believe that in the next future we’ll need some new approaches and tools to be able to tackle the management of IT security due to the ever increasing complexity of IT systems.

A Practical Look into GDPR for IT – Final Part 3

I have just published here the third and last article of my short series on the EU General Data Protection Regulation 2016/679 (GDPR) for IT.

In this final article I discuss a few points about the managing of data breaches and of the IT measures required to satisfy the citizens’ rights on their personal data managed by IT systems.

On Manufacturing, IoTs and IT Security

Since many years we are quite used to the fact that products, of any kind, contain digital and electronic components. The process of manufacturing products and integrating digital and/or electronic components is by now quite well established and robust. The most important requirements to the digital / electronic components is that they perform their tasks correctly, effortlessly and that they are reliable. Security is mostly perceived as safety for example from electric shock or from the behaviour of the product induced by the digital / electronic components. It is not important that the digital component has features which are not used by the product, or that it has been designed for other purposes as far as it performs correctly as a component of the product.

But the scenario changes dramatically if the digital component is connected to a network, in particular Internet. In this case the product becomes part of the “Internet of Things” (IoTs). Then the security perspective changes completely. For example, those unused features of the digital component, if not correctly configured and managed, can be abused and become a serious security threat. What bad can be done with a washing machine connected to Internet? Difficult to say, but if out of imagination one can always try to join the washing machine to a botnet for distributed denial of service (DDoS) attacks.

So the manufacturer should also take care of the full IT security of any digital / electronic component embedded in its products. This means that even unused features must be configured, managed and updated.

But this is not all. The interaction between components in a product can create new type of security threats, which can be considered like side-channel threats and attacks. The abuse and misuse of digital components can be quite inventive, for example recently in the news I have noticed the following:

  • how to use a scanner to communicate through a laser mounted on a drone with a malware on a PC (see eg. this article)
  • how a smartphone or laptop’s ambient light sensor can be used to steal the browsing history from the device (see eg. this article)
  • how to install malware on a Smart TVs using the DVB terrestrial radio signals (see eg. this article)

and others concerning light-bulbs, surveillance cameras etc.

Typically in IT security one has first to describe clearly what are the threat scenarios and based on these to evaluate the risks and the security measures needed to mitigate these risks. In the case of IoTs it seems very difficult to imagine all possible threat scenarios due to the interaction between embedded digital Internet-connected components and the other product’s components.

Even more difficult is to imagine how, in the current markets, manufacturers of products like lightbulbs, refrigerators, television sets and more or less anything else one can imagine, can devote time and money to the security of embedded digital components produced by someone else, which should just work, cost as little as possible and not be maintained.

PS. Products like cars, airplanes etc. in regulated sectors, should constitute a welcome exception to this, thanks to the very stringent safety concerns and rules that apply to them.

PPS. Also of interest is this, just appeared, Microsoft whitepaper on Cybersecurity Policy for IoTs.