Maverick internet cop Chrome 64 breaks rules to thwart malvert scum

Google bans forced redirects used by Zirconium to infect Macs, PCs with nasties

By Thomas Claburn in San Francisco


The largest malvertising campaign in 2017 involved 28 fake ad agencies, which were used to generate about one billion ad views across 62 per cent of ad-supported websites, according to publishing security biz Confiant.

By malvertising, we mean ads that try to trick people into installing fake Adobe Flash updates, bogus antivirus packages, scareware, and other software nasties that are actually bits of malware or ransomware that hijack Macs and Windows PCs.

The campaign was, Confiant claims, run by an organization dubbed the Zirconium group that was supported by a shell company incorporated in Scotland with partner organizations based in the Seychelles.

In an email to The Register, Confiant chief technology officer and cofounder Jerome Dangu said his biz came up with the name Zirconium as a riff on the diamond-themed name of the shell company at the heart of the campaign.

"Typical established malvertising groups, like the Kovter Group, operate sporadically, running highly evasive campaigns for a few days and then disappearing," he said. "Zirconium was live for the whole year, running campaigns on multiple tier-one ad platforms at once."

Dangu said Zirconium's campaigns were eventually shut down after its malicious activities were uncovered.

Rule breaker

At some point on Tuesday or shortly thereafter, Google is scheduled to release Chrome 64 to its stable channel, bringing with it an unorthodox defense against the Zirconium group's favored attack technique, "forced redirects," in which ads make browsers open unwanted websites.

"Under the hood, [the attack technique] is as simple as top.window.location = 'http://malicious...' but there are variations like an <a target="_top"> link that gets clicked automatically in JavaScript," explained Dangu. "To protect this code from detection, malvertisers rely heavily on evasion techniques like JavaScript fingerprinting."

The goal of fingerprinting is to separate potential victims from security researchers and bots and other automated systems trying to detect malicious activity.
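As an added example (not code from the article, from Confiant or from Google), the Node.js script below is a heuristic scanner for a third-party ad creative's JavaScript. It looks for the two forced-redirect primitives Dangu describes, a direct top.window.location assignment and an <a target="_top"> anchor clicked from script, and for a few fingerprinting probes of the kind used to separate victims from researchers and bots. The pattern lists, verdict names and the three sample creatives are constructed for this example, and the malicious.example hostnames are placeholders.

```javascript
// Added example, not code from the article or from Confiant: a heuristic
// static scanner for third-party ad creative JavaScript. It looks for the two
// forced-redirect primitives the article quotes (a top.window.location
// assignment, and an <a target="_top"> anchor clicked from script) and for
// fingerprinting probes malvertisers use to hide from researchers and bots.
// Pattern lists, verdict names and sample creatives are all constructed here.

const REDIRECT_PATTERNS = [
  // top.location = ..., top.window.location.href = ..., parent.location.replace(...)
  // (a lone "==" comparison is not a navigation, hence the lookahead)
  {
    id: 'top-navigation',
    re: /\b(?:top|parent)(?:\.window)?\.location(?:\.href)?\s*(?:=(?!=)|\.(?:assign|replace)\s*\()/,
  },
  // target="_top" set in markup or from script: a.target = '_top'
  { id: 'anchor-target-top', re: /target\s*=\s*["']_top["']/ },
  // the anchor is then "clicked" without the user doing anything
  { id: 'synthetic-click', re: /\.click\(\)|dispatchEvent\(\s*new\s+(?:Mouse)?Event\(\s*["']click["']/ },
];

const FINGERPRINT_PATTERNS = [
  { id: 'webdriver-check', re: /navigator\.webdriver/ },      // Selenium/Puppeteer flag
  { id: 'headless-ua', re: /HeadlessChrome|PhantomJS/ },      // headless crawler user agents
  { id: 'plugin-count', re: /navigator\.plugins\.length/ },   // bots often report zero plugins
];

// Returns which patterns fired and a verdict for one creative's source text.
function scanCreative(source) {
  const hits = (patterns) => patterns.filter((p) => p.re.test(source)).map((p) => p.id);
  const redirect = hits(REDIRECT_PATTERNS);
  const fingerprint = hits(FINGERPRINT_PATTERNS);

  // A direct top-frame navigation is a forced redirect on its own; the anchor
  // variant needs both the _top target and the synthetic click to count.
  const forcedRedirect =
    redirect.includes('top-navigation') ||
    (redirect.includes('anchor-target-top') && redirect.includes('synthetic-click'));

  let verdict = 'clean';
  if (forcedRedirect && fingerprint.length > 0) verdict = 'forced-redirect-evasive';
  else if (forcedRedirect) verdict = 'forced-redirect';
  else if (fingerprint.length > 0) verdict = 'suspicious-fingerprinting';

  return { verdict, redirect, fingerprint };
}

// Constructed sample creatives; the hostnames are placeholders.
const SAMPLES = {
  // A banner that opens its landing page only when the user clicks it.
  benign: `
    var img = document.createElement('img');
    img.src = 'https://cdn.example/banner.png';
    img.onclick = function () { window.open('https://advertiser.example/landing'); };
    document.body.appendChild(img);
  `,
  // The one-liner from the article, with no attempt at hiding.
  blatant: `
    top.window.location = 'http://malicious.example/flash-update';
  `,
  // The anchor variant, gated on fingerprint checks so bots never see it fire.
  evasive: `
    if (!navigator.webdriver && navigator.plugins.length > 0) {
      var a = document.createElement('a');
      a.href = 'http://malicious.example/av-scare';
      a.target = '_top';
      document.body.appendChild(a);
      a.click();
    }
  `,
};

// Scans every creative in a map and returns a name -> result report.
function scanAll(samples = SAMPLES) {
  const report = {};
  for (const [name, src] of Object.entries(samples)) report[name] = scanCreative(src);
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(scanAll())) {
    console.log(`${name}: ${r.verdict} redirect=[${r.redirect}] fingerprint=[${r.fingerprint}]`);
  }
}

if (typeof module !== 'undefined') module.exports = { scanCreative, scanAll, SAMPLES };
```

Run with `node scan.js` to see the benign creative come back clean, the one-liner flagged as a forced redirect, and the fingerprint-gated anchor flagged as evasive. The regexes are deliberately simple: string splitting such as `'loc' + 'ation'`, or a payload decoded and passed to `eval`, defeats them, which is why ad-quality vendors run creatives in an instrumented browser rather than grepping them. On the publisher side, a standards-based control the article does not mention is the iframe `sandbox` attribute: a third-party creative served in a sandboxed frame without `allow-top-navigation` cannot navigate the top-level document at all, and `allow-top-navigation-by-user-activation` permits it only after the user has interacted with the frame, the same condition Chrome 64's intervention applies.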

As Google explained last November, "in Chrome 64 all redirects originating from third-party iframes will show an infobar instead of redirecting, unless the user had been interacting with that frame."

The pop-up blocker in Chrome will also try to stop websites from using abusive interface tricks, such as disguising links to third-party websites as play buttons or laying transparent overlays over the page to hijack clicks.

According to Dangu, Google is flouting web standards by changing redirect behavior.

"Chrome is actually breaking the web standards by blocking forced redirects," he said. "The Chrome team calls this class of features 'Interventions' – they benefit the user experience but contradict the standards. Other browsers haven't shown signs that they will follow suit."

Crooks forced to use forced redirects

In his blog post, Dangu explained that the addition of stronger security mechanisms by all the major browser makers over the past few years has made exploit-based malvertising less effective.

So those conducting malvertising campaigns have instead been making more use of forced redirects to conduct affiliate fraud and to serve malware. Often these schemes involve social engineering to trick victims into clicking somewhere or granting a permission without realizing it, Dangu said.

Zirconium, said Dangu, managed both supply and demand: it drove netizens to pages displaying its network's dodgy ads. It created fake ad agencies to buy traffic from legitimate ad platforms and then resold the traffic to affiliate marketing platforms that he said don't ask too many questions.

Dangu said that, as with other cybercrime operations, he expects it will be difficult for authorities to do much given the byzantine corporate structure of the operation.

And he said malvertising is getting worse. "Chrome's change is a direct reaction to the deterioration of the security environment for ad monetized websites," he said. ®
