Wanna know tomorrow’s temperature? Don’t visit weather.com to find out, especially if you’re on a mobile device: the website has been compromised by a malicious advertising (malvertising) attack that is scraping personal information from its mobile users. While its purposes are not yet known, security searchers who have already identified and named this strain of malware — alternatively called “ ” or “ ” — theorize that it originates from a group of organized criminals who are collecting the information for a future attack, or selling it on the Dark Web. IcePick-3PC eGobbler In this article, I am going to explain what I found, the methodology behind my discovery and what it all means. First, some background. Background Whether they know it or not, most mobile users have encountered adware or malvertising on their smartphones and tablets. If you’ve ever been browsing the web only to end up on a page that looks like this, then you know what I’m talking about: While malicious ads like this one take a variety of different forms — “spin the wheel” contests, surveys, free giveaways and many others — they all have the same purpose, and that’s to punk whoever clicks on them by: Covertly stealing personal information (IP address, type of phone, browser, etc.) Running a payload to take over device functions and install persistent malware Loading a phishing page to harvest sensitive information from the user (credit card number, login credentials, etc.) While I’d like to think most people are smart enough not to click on an ad like this, some of them obviously aren’t. Last year, a single malvertising campaign , and there’s no reason attackers would pay for all that exposure unless some fish were biting. reached 100 million users Incidentally, this is when I became interested in the problem of malware in the advertising supply chain, and that’s when I took it upon myself to identify the biggest sources. When starting out, I hypothesized that AdWare mostly spreads through small-to-medium sized publications, and would rarely show up on Alexa 500 sites. Boy was I wrong. Here’s how I figured that out. Methodology In the beginning, I searched for infected ads by just visiting the same site over and over again in a desktop browser and scanning the session for malware using Wireshark’s advanced malware analysis. This got pretty tedious after awhile, so I decided to switch things up after a week or two. Using my rudimentary Python skills alongside the Pyshark packet scanner, I wrote a script to continuously launch web sessions and mark suspicious events based on patterns in the source code. All the weird stuff gets exported to a spreadsheet I can review and analyze afterwards, and since I was primarily interested in mobile malware, I altered the user-agent headers sent to the host to identify as a mobile device. I had a lot more success with this method, and immediately started finding some things that really shocked me — this discovery is just the first. After running my scripts on Weather.com overnight, I woke up to find a significant result. Here’s what I found: Results About once out of every thousand sessions (I launched 3,267 in total), a pretty nasty advertisement would load from one of several ad servers. In this instance, the origin was Sizmek, through the AppNexus network: “serving-sys.com” is a URL associated with Sizmek’s third-party services When I went to replicate the result in a normal web browser, it looked normal enough — at least for the first few seconds. But then I was redirected to a phishing page typical for IcePick-3PC: Based on its code and behavior, this page was obviously carrying the malware, sometimes referred to as ‘ ’, which has been written about by security publications from ThreatPost to SCMagazine and Cyware. When it was first discovered in 2018, was pretty generic adware that would forward users to a phishing page for a “free giveaway”. But recently, changed tactics. Now — to quote : IcePick-3PC eGobbler IcePick-3PC IcePick-3PC Binary Defense if a user stumbles upon a webpage that has a compromised third-party library, the malware runs checks. These checks consist of who the user agent is, the type of device they are operating on, the level of battery it has, and the device’s motion and orientation. After these checks are verified, the malware will connect the infected device to a remoter peer prior to transferring the device’s IP address. Here’s the scary part: researchers also believe that this malware is being used by an organized crime ring either to prepare for an enormous future attack on targeted users, or to sell collected information on the dark web. So anyone who has visited weather.com from a mobile device in the past few months is now vulnerable to future malicious activity down the road. Analysis The whole point of this article is to protect Internet users. I really didn’t expect to find something this awful on an Alexa 500 site like Weather.com, which — based on public stats from similarweb.com — got about 102.6 million visits a month on average, over the past six months. At the rate this ad was showing up (about 1 in 1000 visits as already mentioned), it’s been displayed to at least 53,560 visitors in the last month. And that’s just one malicious ad. Other data showed up in my research which I didn’t have the time to follow up on, and infected ads are a dime a dozen. On the one hand, it’s completely understandable that websites — who depend on third-party advertising to make revenue — fall victim to new malvertising attacks. On the other hand, the fact that this malware has been known about for some time means it’s already on multiple common vulnerability lists (CVEs), so there’s really no reason this should be happening. Either Weather.com hasn’t done anything to protect its users, or its paid someone who has no idea what they’re doing. Conclusion Weather.com is not the only website vulnerable to malicious advertising, and I highly doubt it’s the only one running either. This particular ad was delivered by AppNexus, but I’ve found similar incidents through AdRoll and other networks. All of this indicates a depressingly systemic flaw in the system of programmatic advertising that the Internet depends on: while individual publications may be responsible for what happens to their users, AdTech companies are higher up the chain, and they should be a hard barrier against bad code. IcePick-3PC Either they’re not aware that this is happening, or they don’t care enough to do anything about it. After all, AdWare doesn’t tend to make headlines — but maybe it should. If it did, networks like AppNexus might be inspired to work harder against well-studied malware, and publishers might look for a solution to prevent hackers from using their platforms as a feeding frenzy for personal data. Well, here’s my shot at making that happen.

Chain

Alongside

Discovery

SimilarWeb

AT&T’s Ad Exchange is Overrun With Data Stealing Malware

Read My Stories

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Weather.com Has Become the Pawn of A Huge Data Theft Scheme

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

AT&T’s Ad Exchange is Overrun With Data Stealing Malware

06/06/2018: Biggest Stories in the Cryptosphere

10 Ways Fake News is Killing The Economy : From Anti-Vaxxers To The Stock Market

10 Reasons to Use PPC Advertising for Your Independent Film

10 facts about Mobile Rewarded Surveys

AT&T’s Ad Exchange is Overrun With Data Stealing Malware

06/06/2018: Biggest Stories in the Cryptosphere

10 Ways Fake News is Killing The Economy : From Anti-Vaxxers To The Stock Market

10 Reasons to Use PPC Advertising for Your Independent Film

10 facts about Mobile Rewarded Surveys

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps