Fake adverts could be used to “remote control” internet browsers on a massive scale, allowing for cheap DDoS attacks in which millions of unwitting web users “attack” target sites.

Simply by buying adverts through legitimate ad networks, researchers from White Hat Security were able to swamp a test website, using adverts that included JavaScript instructions to repeatedly access an image on a target site. For just $2, the researchers were able to knock a server offline with 130,000 connections, in a demonstration at the Black Hat security conference in Las Vegas.

“Online advertising networks can be a web hacker’s best friend,” White Hat said in a statement. “For mere pennies per thousand impressions there are service providers who allow you to broadly distribute arbitrary javascript – even malicious javascript!”
Many ad networks allow JavaScript to be inserted into adverts, White Hat’s Jeremiah Johansen says, and those that allow it do not inspect the code closely.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen, in an interview with MIT’s Technology Review. “We’re just loading images as quickly as possible.”
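The pattern described above, many separate browsers each fetching the same image as fast as they can, leaves a distinctive trace in the target's own access log: one static asset, a burst of hits from many distinct client addresses, and a Referer pointing at wherever the page carrying the script was served from. The following is an added example, not code from the article or from White Hat Security, that flags that pattern over constructed combined-format log lines; the addresses, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format; the query string is split off so cache-busters collapse onto one path.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>[^ ?"]+)(?:\?[^ "]*)? [^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    if not (m := LINE_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def constructed_log():
    """Constructed sample, not real traffic: 60 hits on one image from 30 'browsers'
    within 6 seconds, all referred by an ad frame, plus one ordinary image request."""
    lines = [f'203.0.113.{i % 30 + 1} - - [10/Aug/2013:14:00:{i // 10:02d} +0000] '
             f'"GET /img/logo.png?cb={i} HTTP/1.1" 200 4096 '
             f'"http://ads.example.test/creative.html" "Mozilla/5.0"' for i in range(60)]
    lines.append('198.51.100.8 - - [10/Aug/2013:14:00:04 +0000] '
                 '"GET /img/photo.jpg HTTP/1.1" 200 9000 "http://www.example.test/" "Mozilla/5.0"')
    return "\n".join(lines)

def find_image_floods(log_text, window_s=10, min_hits=20, min_ips=5):
    """Return {path: (hits, distinct_ips, referers)} for images fetched >= min_hits times
    by >= min_ips distinct clients inside one window_s-second sliding window."""
    per_path = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"].lower().endswith((".png", ".jpg", ".gif")):
            per_path[rec["path"]].append(rec)
    flagged = {}
    for path, recs in per_path.items():
        recs.sort(key=lambda r: r["ts"])
        best, lo = None, 0
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            window = recs[lo:hi + 1]
            ips = {r["ip"] for r in window}
            if len(window) >= min_hits and len(ips) >= min_ips and (best is None or len(window) > best[0]):
                refs = sorted({r["referer"] for r in window if r["referer"] != "-"})
                best = (len(window), len(ips), refs)  # the referers point at the serving ad origin
        if best:
            flagged[path] = best
    return flagged
```

Thresholds must be tuned to the site's normal asset traffic; the referer set is what distinguishes an ad-driven burst from, say, a legitimately popular page embedding the same image.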
Johansen said such attacks are cheap, and easily scalable. At current prices – 50c per 1,000 views, according to Johansen – a million browsers can be “bought” for just $500. “It’s really not that much money to do real damage to real sites on the internet,” he says.
“So why not just do a traditional denial-of-service attack? It’s not persistent. It goes away,” Johansen said in an interview with Dark Reading. “There’s no trace of this – we put the money in the machine, the JavaScript gets served up, and then it goes away. And it’s very, very easy.”
Johansen and his colleagues aim to move on to using such adverts to farm out the job of cracking encrypted passwords stolen in data breaches. Johansen says that getting such code into an advert would be “easy”.