(8 Minute Read)

7 September 2024 / Written by Joe

<aside> 🗞️ TL;DR. I put a downer on your morning/afternoon/evening by arguing that my own experience from malvertising aligns with recent publications on scams. Both point to formidable economic and political factors in south-east Asia that will perpetuate the scam problem through the rest of the 2020s.

</aside>


Something I love about working in the technical cybersecurity domain is those rare but impactful moments when - often seated in front of a screen full of code - you unearth an insight into the world of your adversary that gives you a jolt like a bucket of water to the face. Something that makes you step away from the desk, take a walk, and digest that your opponent’s world is really quite different from what you thought, and that their malicious activity is driven by forces and motivations that you’d never even considered.

This last happened to me in late summer last year when I was leading a team of talented detection engineers at HUMAN Security tasked with combatting malvertising on the web. We were documenting - in forensic technical detail - the attack chain of our most formidable adversary, codenamed “TI-24”. We had reasonable confidence that the code we were looking at was operated by a commercially motivated threat actor who, though of unknown identity, was located in China or its wider south-east Asian sphere of influence. Owing to its obvious sophistication, TI-24 concerned me - as the person responsible for ensuring our malvertising defences held firm day-to-day - far more than any of the other 20 or so campaigns that the team had on our radar at that time.

To briefly explain, the success of a malvertising campaign often boils down to this crisply defined attacker goal:

use your code inside an ad on a website to forcefully navigate your victim’s web browser away from the page they’re viewing and to a subsequent location of your choice.

Whilst simple in its formulation, executing that task is deeply complex, not least because stopping you from doing exactly that is a problem upon which a highly competitive industry of anti-malvertising vendors has grown over the last 5-10 years. Your code is being watched, by people like me.

As I worked with our reverse engineers to peel back the layers of TI-24, I felt a growing sense that I was privy to something unusually impressive. TI-24’s anonymous authors had hidden the ‘kaboom’ moment, the triggering of the browser redirect, behind a complex web of obfuscation, misdirection and guile. Akin to the way that a seasoned house burglar might innocuously ‘case out’ a target street multiple times to analyse each property’s vulnerabilities before selecting possible targets, TI-24’s code performed a full suite of spot checks on a prospective malvertising target before even taking a second look:

And so on and so forth. TI-24 meticulously selected which internet users to abuse, considering only those whose browsing environments were akin to poorly lit houses with no security camera, little street traffic and an unlocked window out of view of the street.

The pièce de résistance of TI-24's attack was its kaboom moment. Only once all the layers of pre-checks had been passed and the redirect was “a go” was the eventual redirect URL - that is, where on the web they decided to push the unsuspecting user - loaded from their server into the browser. With that location embedded deep inside an innocuous-looking image file, the final step was to yank it out with an exquisitely crafted steganographic code routine that misused the browser’s canvas API, and then bounce the user immediately to the destination page TI-24 had chosen.
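From the defender's side, the tell in the sequence above is behavioural: an ad's script reads pixel data back out of a canvas and, shortly after, forces a top-level navigation that no user asked for. The following is an added example, written for this article and not code from the original post or from HUMAN Security, of the kind of instrumentation a detection engineer drops into a crawler or test harness to record that sequence. It hooks a canvas context's `getImageData` and a `location`-like object's `href` setter; the `RedirectMonitor` class, the `makeFakeContext` stand-in and the URLs are all constructed for the example, and in a real page you would install the hooks on `CanvasRenderingContext2D.prototype` and the ad frame's `window.location` instead.

```javascript
// Added example (not from the original post): record canvas pixel reads and
// navigation attempts made by ad code, and flag a navigation that follows a
// pixel read without a preceding user gesture. Real deployment hooks the
// browser's CanvasRenderingContext2D.prototype and window.location; the
// objects used below are constructed stand-ins so this runs under Node.js.

class RedirectMonitor {
  constructor() {
    this.events = [];          // ordered log of what the ad's script did
    this.userGestureSeen = false;
  }

  // Wrap pixel-read methods on a context (or prototype) so each call is logged
  // before the original runs.
  hookPixelReads(ctxLike, methods = ['getImageData']) {
    const self = this;
    for (const name of methods) {
      const original = ctxLike[name];
      ctxLike[name] = function (...args) {
        self.events.push({ type: 'pixel-read', api: name });
        return original.apply(this, args);
      };
    }
  }

  // Replace the href property of a location-like object with an accessor that
  // logs every navigation attempt. (On a real page the browser navigates here.)
  hookNavigation(locationLike) {
    const self = this;
    let current = locationLike.href;
    Object.defineProperty(locationLike, 'href', {
      get() { return current; },
      set(url) {
        self.events.push({ type: 'navigate', url, afterGesture: self.userGestureSeen });
        current = url;
      },
      configurable: true,
    });
  }

  // Call from a click/touch handler so gesture-driven navigations are not flagged.
  noteUserGesture() { this.userGestureSeen = true; }

  // A navigation is suspicious when at least one pixel read preceded it in the
  // event stream and no user gesture was recorded before it.
  findings() {
    const out = [];
    let pixelReads = 0;
    for (const ev of this.events) {
      if (ev.type === 'pixel-read') pixelReads += 1;
      if (ev.type === 'navigate' && pixelReads > 0 && !ev.afterGesture) {
        out.push({ url: ev.url, pixelReadsBefore: pixelReads });
      }
    }
    return out;
  }
}

// Constructed stand-in for a 2D canvas context; only getImageData is modelled.
function makeFakeContext() {
  return {
    getImageData(x, y, w, h) {
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
    },
  };
}

// Simulates the sequence described in the article: pixel read, then redirect.
function demo() {
  const monitor = new RedirectMonitor();
  const ctx = makeFakeContext();
  const location = { href: 'https://publisher.example/article' };  // constructed
  monitor.hookPixelReads(ctx);
  monitor.hookNavigation(location);

  ctx.getImageData(0, 0, 4, 4);                              // "decode" step
  location.href = 'https://redirect.example/landing';        // constructed placeholder
  return monitor.findings();
}

console.log(JSON.stringify(demo()));
```

The monitor only records and scores; in a harness you would attach the event log to the creative under test and treat a non-empty `findings()` result as a reason to block or escalate the ad, and a gesture-driven navigation with no pixel reads stays clean.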

It was chef’s kiss code. As the antipodean hosts of Risky Business, the podcast that tops my must-listen list each week, would say: “you don’t gotta hand it to them, but you kinda do”. It sums up well the begrudging admiration people in our profession occasionally find ourselves feeling observing the creativity of the adversaries we spend our time trying to counter, even while knowing that they really are bad people. It raised a question in my head that refused to budge for the next few months:

What possible return justifies the considerable time and effort (not to mention the cost of buying ads) to build such a technically impressive campaign? Where are these users being redirected to?

Freshly motivated to understand more, I decided to follow the rabbit hole and see where these redirects, when successful, were leading their victims.

The answer? Scams, scams and more scams.

Two scam types featured to the exclusion of nearly all others. The first was impersonation scams, most often featuring faked but convincing warnings from Microsoft (or Apple, if they identified you as a Mac user) about malware infecting your computer, with a (scammer-operated) number to call to fix it. The second was investment scams, commonly featuring a made-up news article promoting some celebrity-endorsed crypto-investment scheme that supposedly mints millionaires by the thousand with no expertise required.