Pay $2 shipping to receive your free iPhone!
Abstract
Running searches on crt.sh revealed an odd-looking subdomain. My curious visit was rewarded with the promise of a free iPhone, if only I paid a $2 shipping fee... what a bargain! Closer investigation unfortunately showed that a subdomain takeover had taken place and that the subdomain now served thousands of SEO spam pages, each including a large obfuscated JavaScript file. Coordinating cleanup of the compromised subdomains was easy; understanding the obfuscated JavaScript was more challenging.

In this talk, we will show how subdomain takeovers are used to host SEO spam pages. We find they are used to distribute 16KB of scrambled JavaScript, which we will deobfuscate. We learn how it bypasses Safe Browsing filters, uses a range of browser fingerprinting techniques and ultimately serves up "get instant prize" malvertising or other malware to unsuspecting visitors. We discover why dynamic execution failed to effectively identify the behaviour of this script, and how attempts to use standard JS deobfuscation tools were thwarted by its anti-deobfuscation and anti-debugging techniques.

Speaker Bio
Andy joined Rokt, an e-commerce marketing technology start-up, as a JavaScript developer almost 10 years ago. His role evolved quickly into full-stack web app development and, as the company grew, he started getting involved with Cloud infrastructure and Dev(Sec)Ops pipelines. For the last 6 years 'Sec' has taken the forefront and Andy now manages the Security team, where he is responsible for application, infrastructure and endpoint security controls.
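The discovery step the abstract describes (enumerate subdomains from Certificate Transparency via crt.sh, then look for ones an outsider could claim) is easy to automate. The script below is an added example and is not the speaker's tooling or anything shown in the talk. It assumes the crt.sh JSON shape returned by a query such as https://crt.sh/?q=%25.example.com&output=json (a list of objects with a newline-separated "name_value" field); the certificate records and the DNS answers are constructed so it runs offline, with the dictionary lookups standing in for real CNAME and A/AAAA queries. One caveat worth keeping in mind: a dangling CNAME is the precondition for a takeover. A subdomain that has already been taken over, as in the abstract, resolves fine, so catching that case means inspecting the content it serves, not just DNS.

```python
"""Flag subdomains whose CNAME points at a name that no longer resolves.

Added example; not code from the talk. crt.sh JSON layout and all DNS data
below are assumptions/constructed so the script runs without network access.
"""
import json
from typing import Dict, List, Optional, Set

# Constructed stand-in for a crt.sh JSON response. Real records carry more
# fields (issuer_name, not_before, ...); only name_value is used here.
CRTSH_SAMPLE = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "shop.example.com",
     "name_value": "shop.example.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nold-promo.example.com"},
    {"common_name": "win-prize.example.com",
     "name_value": "win-prize.example.com"},
])

# Constructed DNS view: hostname -> CNAME target, plus the set of names that
# still have an address record. In real use these come from a resolver
# (e.g. dnspython); swapping the dict lookups for queries is the only change.
CNAME_RECORDS: Dict[str, str] = {
    "shop.example.com": "shop-frontend.example-cdn.invalid",         # target alive
    "old-promo.example.com": "promo-2019.example-bucket.invalid",    # dangling
    "win-prize.example.com": "old-tenant.example-pages.invalid",     # dangling
}
RESOLVABLE: Set[str] = {
    "www.example.com",
    "example.com",
    "shop-frontend.example-cdn.invalid",
}


def names_from_crtsh(raw_json: str) -> Set[str]:
    """Flatten crt.sh output into a set of concrete hostnames.

    name_value may list several SANs separated by newlines; wildcard entries
    are dropped because they cannot be resolved directly.
    """
    names: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name and not name.startswith("*."):
                names.add(name)
    return names


def cname_target(host: str) -> Optional[str]:
    """Stand-in for a CNAME lookup (constructed data)."""
    return CNAME_RECORDS.get(host)


def resolves(host: str) -> bool:
    """Stand-in for 'does this name have an A/AAAA answer' (constructed data)."""
    return host in RESOLVABLE


def find_dangling(names: Set[str]) -> List[str]:
    """Return hosts whose CNAME target does not resolve, sorted for stable output.

    A dangling CNAME is only a takeover *candidate*: exploitability depends on
    whether the target service lets a new tenant claim that exact name.
    """
    dangling: List[str] = []
    for host in sorted(names):
        target = cname_target(host)
        if target is not None and not resolves(target):
            dangling.append(host)
    return dangling


if __name__ == "__main__":
    for host in find_dangling(names_from_crtsh(CRTSH_SAMPLE)):
        print(f"takeover candidate: {host} -> {cname_target(host)}")
```

Run against real data, the two stand-in lookups become DNS queries and the candidate list becomes the input to the cleanup coordination the abstract mentions: each hit is a record to delete or repoint before someone else claims the target.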