Andrej

Andrej Černý: CS student from Czechoslovakia. I study the intersection between malware and media.

Weather.com Has Become the Pawn of A Huge Data Theft Scheme

Wanna know tomorrow’s temperature? Don’t visit weather.com to find out, especially if you’re on a mobile device: the website has been compromised by a malicious advertising (malvertising) attack that is scraping personal information from its mobile users. While its purposes are not yet known, security searchers who have already identified and named this strain of malware — alternatively called “
IcePick-3PC
” or “
eGobbler
” — theorize that it originates from a group of organized criminals who are collecting the information for a future attack, or selling it on the Dark Web.
In this article, I am going to explain what I found, the methodology behind my discovery and what it all means. First, some background.

Background

Whether they know it or not, most mobile users have encountered adware or malvertising on their smartphones and tablets. If you’ve ever been browsing the web only to end up on a page that looks like this, then you know what I’m talking about:
While malicious ads like this one take a variety of different forms — “spin the wheel” contests, surveys, free giveaways and many others — they all have the same purpose, and that’s to punk whoever clicks on them by:
  • Covertly stealing personal information (IP address, type of phone, browser, etc.)
  • Running a payload to take over device functions and install persistent malware
  • Loading a phishing page to harvest sensitive information from the user (credit card number, login credentials, etc.)
While I’d like to think most people are smart enough not to click on an ad like this, some of them obviously aren’t. Last year, a single malvertising campaign reached 100 million users, and there’s no reason attackers would pay for all that exposure unless some fish were biting.
Incidentally, this is when I became interested in the problem of malware in the advertising supply chain, and that’s when I took it upon myself to identify the biggest sources. When starting out, I hypothesized that AdWare mostly spreads through small-to-medium sized publications, and would rarely show up on Alexa 500 sites. 
Boy was I wrong. Here’s how I figured that out.

Methodology

In the beginning, I searched for infected ads by just visiting the same site over and over again in a desktop browser and scanning the session for malware using Wireshark’s advanced malware analysis. This got pretty tedious after awhile, so I decided to switch things up after a week or two.
Using my rudimentary Python skills alongside the Pyshark packet scanner, I wrote a script to continuously launch web sessions and mark suspicious events based on patterns in the source code. All the weird stuff gets exported to a spreadsheet I can review and analyze afterwards, and since I was primarily interested in mobile malware, I altered the user-agent headers sent to the host to identify as a mobile device.
I had a lot more success with this method, and immediately started finding some things that really shocked me — this discovery is just the first. After running my scripts on Weather.com overnight, I woke up to find a significant result. Here’s what I found:

Results

About once out of every thousand sessions (I launched 3,267 in total), a pretty nasty advertisement would load from one of several ad servers. In this instance, the origin was Sizmek, through the AppNexus network:
“serving-sys.com” is a URL associated with Sizmek’s third-party services
When I went to replicate the result in a normal web browser, it looked normal enough — at least for the first few seconds. But then I was redirected to a phishing page typical for IcePick-3PC:
Based on its code and behavior, this page was obviously carrying the
IcePick-3PC
malware, sometimes referred to as ‘
eGobbler
’, which has been written about by security publications from ThreatPost to SCMagazine and Cyware. When it was first discovered in 2018,
IcePick-3PC
was pretty generic adware that would forward users to a phishing page for a “free giveaway”. But recently,
IcePick-3PC
changed tactics. Now — to quote Binary Defense:
if a user stumbles upon a webpage that has a compromised third-party library, the malware runs checks. These checks consist of who the user agent is, the type of device they are operating on, the level of battery it has, and the device’s motion and orientation. After these checks are verified, the malware will connect the infected device to a remoter peer prior to transferring the device’s IP address.
Here’s the scary part: researchers also believe that this malware is being used by an organized crime ring either to prepare for an enormous future attack on targeted users, or to sell collected information on the dark web. So anyone who has visited weather.com from a mobile device in the past few months is now vulnerable to future malicious activity down the road.

Analysis

The whole point of this article is to protect Internet users. I really didn’t expect to find something this awful on an Alexa 500 site like Weather.com, which — based on public stats from similarweb.com — got about 102.6 million visits a month on average, over the past six months. At the rate this ad was showing up (about 1 in 1000 visits as already mentioned), it’s been displayed to at least 53,560 visitors in the last month. And that’s just one malicious ad. Other data showed up in my research which I didn’t have the time to follow up on, and infected ads are a dime a dozen.
On the one hand, it’s completely understandable that websites — who depend on third-party advertising to make revenue — fall victim to new malvertising attacks. On the other hand, the fact that this malware has been known about for some time means it’s already on multiple common vulnerability lists (CVEs), so there’s really no reason this should be happening. Either Weather.com hasn’t done anything to protect its users, or its paid someone who has no idea what they’re doing.

Conclusion

Weather.com is not the only website vulnerable to malicious advertising, and I highly doubt it’s the only one running
IcePick-3PC
either. This particular ad was delivered by AppNexus, but I’ve found similar incidents through AdRoll and other networks. All of this indicates a depressingly systemic flaw in the system of programmatic advertising that the Internet depends on: while individual publications may be responsible for what happens to their users, AdTech companies are higher up the chain, and they should be a hard barrier against bad code.
Either they’re not aware that this is happening, or they don’t care enough to do anything about it. After all, AdWare doesn’t tend to make headlines — but maybe it should. If it did, networks like AppNexus might be inspired to work harder against well-studied malware, and publishers might look for a solution to prevent hackers from using their platforms as a feeding frenzy for personal data. Well, here’s my shot at making that happen.

Tags

Topics of interest