Fake adverts could be used to “remote control” internet browsers on a massive scale – allowing for cheap DDoS attacks, where millions of unwitting web users “attack” target sites.
Simply by buying adverts through legitimate ad networks, researchers from White Hat Security were able to swamp a test website of their own, using adverts whose JavaScript instructed every browser that displayed them to fetch an image from the target site over and over. For just $2, the researchers were able to knock the server offline with 130,000 connections, in a demonstration at the Black Hat security conference in Las Vegas.
“Online advertising networks can be a web hacker’s best friend,” White Hat said in a statement. “For mere pennies per thousand impressions there are service providers who allow you to broadly distribute arbitrary javascript – even malicious javascript!”
Many ad networks allow JavaScript to be inserted into adverts, White Hat’s Matt Johansen says – and those that do allow it do not inspect the code closely.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen, in an interview with MIT Technology Review. “We’re just loading images as quickly as possible.”
Johansen said such attacks are cheap and easily scalable. At current prices – 50c per 1,000 views, according to Johansen – a million browsers can be “bought” for just $500. “It’s really not that much money to do real damage to real sites on the internet,” he says.
“So why not just do a traditional denial-of-service attack? It’s not persistent. It goes away,” Johansen said in an interview with Dark Reading. “There’s no trace of this – we put the money in the machine, the JavaScript gets served up, and then it goes away. And it’s very, very easy.”
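“No trace” holds for the attacker, but not for the target: the flood described above leaves a distinctive signature in the victim’s own access log, and that is where a site operator can pick it up. The following Node.js script is an added illustration that is not part of the original article and is not WhiteHat’s code. It assumes a standard “combined” log format, that the advert’s script appends a throwaway query string to each image request so the browser does not answer repeat loads from its cache, and that the Referer header names the page or ad frame that served the script; the log lines it analyses are constructed for the example, and the thresholds are arbitrary starting points, not tuned values.

```javascript
'use strict';

// Combined log format:
// ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const IMAGE_RE = /\.(png|jpe?g|gif|webp|ico)$/i;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (m === null) return null;
  const [, ip, time, method, target, status, referer, userAgent] = m;
  const q = target.indexOf('?');
  return {
    ip, time, method, referer, userAgent,
    status: Number(status),
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

function refererHost(referer) {
  if (referer === '' || referer === '-') return '-';
  try { return new URL(referer).host; } catch { return '-'; }
}

// The ad-driven flood looks unlike a classic botnet: many distinct, otherwise
// legitimate client IPs all hammering one static image, with a query string
// that changes on every request (cache busting) and a Referer that points at
// the ad network rather than at the target's own pages.
function detectImageFlood(lines, opts = {}) {
  const minRequests = opts.minRequests ?? 50;
  const minIps = opts.minIps ?? 10;
  const minUniqueQueryRatio = opts.minUniqueQueryRatio ?? 0.9;
  const byPath = new Map();

  for (const line of lines) {
    const r = parseLine(line);
    if (r === null || r.method !== 'GET' || !IMAGE_RE.test(r.path)) continue;
    let agg = byPath.get(r.path);
    if (agg === undefined) {
      agg = { requests: 0, ips: new Set(), queries: new Set(), referers: new Map() };
      byPath.set(r.path, agg);
    }
    agg.requests += 1;
    agg.ips.add(r.ip);
    agg.queries.add(r.query);
    const host = refererHost(r.referer);
    agg.referers.set(host, (agg.referers.get(host) ?? 0) + 1);
  }

  const findings = [];
  for (const [path, agg] of byPath) {
    const uniqueQueryRatio = agg.queries.size / agg.requests;
    if (agg.requests >= minRequests && agg.ips.size >= minIps && uniqueQueryRatio >= minUniqueQueryRatio) {
      const topReferer = [...agg.referers.entries()].sort((a, b) => b[1] - a[1])[0][0];
      findings.push({ path, requests: agg.requests, distinctIps: agg.ips.size, uniqueQueryRatio, topReferer });
    }
  }
  return findings;
}

// Constructed sample log (not real traffic): 40 browsers that rendered the
// advert each fire three cache-busted requests for /img/hero.png, and five
// ordinary visitors load the same image once, without a query string.
function sampleLog() {
  const lines = [];
  const ts = '03/Aug/2013:14:22:07 -0700';
  const ua = 'Mozilla/5.0 (constructed)';
  for (let i = 0; i < 40; i++) {
    const ip = `203.0.113.${i + 1}`;
    for (let j = 0; j < 3; j++) {
      const nonce = (i * 3 + j).toString(36).padStart(6, '0'); // stands in for Math.random()
      lines.push(`${ip} - - [${ts}] "GET /img/hero.png?_=${nonce} HTTP/1.1" 200 51234 "http://ads.example.com/creative/1234" "${ua}"`);
    }
  }
  for (let i = 0; i < 5; i++) {
    const ip = `198.51.100.${i + 1}`;
    lines.push(`${ip} - - [${ts}] "GET / HTTP/1.1" 200 8192 "-" "${ua}"`);
    lines.push(`${ip} - - [${ts}] "GET /img/hero.png HTTP/1.1" 200 51234 "http://target.example.org/" "${ua}"`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectImageFlood(sampleLog()), null, 2));
}
```

Run as `node detect.js` to see the single finding for `/img/hero.png`: 125 requests from 45 addresses, almost every one with a unique query string, and `ads.example.com` as the dominant Referer. The response this suggests is not per-IP blocking, since the sources are ordinary readers who will never return with the same pattern, but a cheap reply for that path (a short 304 or a rate limit keyed on the image path plus Referer host) so the flood costs the server as little as it costs the attacker.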
Johansen and his colleagues aim to move on to using such adverts to farm out the job of cracking the hashed passwords stolen in data breaches across the same pool of browsers. Johansen says that getting such code into an advert would be “easy”.
Author: Rob Waugh, WeLiveSecurity