Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com)
chicksdaddy writes: There's such a fine line between clever and criminal. That's the unmistakable subtext of the latest FireEye report on a new "APT" style campaign that's using methods and tools that are pretty much indistinguishable from those used by media websites and online advertisers. The difference? This time the information gathered from individuals is being used to soften up specific individuals with links to international diplomacy, the Russian government, and the energy sector.
The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.
While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes.... This goes beyond 'normal' web analytics," the company said.
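Evercookie's persistence comes from writing the same identifier into many independent browser storage vectors and rewriting any copy that gets deleted, so a defender's check is to look for one value recurring across vectors. The following is an added example, not code from the FireEye report or from the Evercookie project; it assumes a snapshot of the storage vectors has already been collected into a plain object (the sample below is constructed) and flags identifiers replicated across three or more of them.

```javascript
// Added example (not from the FireEye report or the Evercookie project): a
// defender-side heuristic for Evercookie-style persistence. The snapshot is a
// plain object so the check runs in Node without a browser; in practice a
// browser extension would fill it from document.cookie, localStorage,
// sessionStorage, window.name, IndexedDB and the other vectors Evercookie uses.

const MIN_LENGTH = 8;   // shorter strings are rarely tracking identifiers
const MIN_VECTORS = 3;  // one id in >= 3 independent vectors is the signature

// Normalize a stored value so the same id matches whether it was stored raw,
// URL-encoded, or padded with whitespace.
function normalize(value) {
  let v = String(value).trim();
  try { v = decodeURIComponent(v); } catch (e) { /* keep undecodable input as-is */ }
  return v;
}

// snapshot: { vectorName: { storageKey: storedValue, ... }, ... }
// Returns [{ id, vectors }] for every value present in >= MIN_VECTORS vectors.
function findReplicatedIds(snapshot) {
  const seen = new Map(); // normalized value -> Set of vector names holding it
  for (const [vector, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      const v = normalize(value);
      if (v.length < MIN_LENGTH) continue;
      if (!seen.has(v)) seen.set(v, new Set());
      seen.get(v).add(vector);
    }
  }
  return [...seen]
    .filter(([, vectors]) => vectors.size >= MIN_VECTORS)
    .map(([id, vectors]) => ({ id, vectors: [...vectors].sort() }));
}

// Constructed sample snapshot: one identifier mirrored into six vectors (the
// Evercookie pattern) next to ordinary single-vector values that must not fire.
const SAMPLE = {
  cookie:         { evercookie_cache: 'a1b2c3d4e5', _ga: 'GA1.2.1234.5678' },
  localStorage:   { evercookie_cache: 'a1b2c3d4e5', theme: 'dark' },
  sessionStorage: { sid: 'a1b2c3d4e5' },
  windowName:     { name: 'a1b2c3d4e5' },
  indexedDB:      { evercookie: 'a1b2c3d4e5' },
  pngCache:       { pixel: 'a1b2c3d4e5' },
};

for (const hit of findReplicatedIds(SAMPLE)) {
  console.log(`replicated id ${hit.id} found in: ${hit.vectors.join(', ')}`);
}
```

A hit is a strong sign of a resurrecting tracker, since legitimate analytics normally keeps one cookie and does not mirror it into IndexedDB, window.name or a cached image.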
Honestly? Stop letting arbitrary sites and their 3rd party partners run bloody scripts.
You don't go to an arbitrary website and essentially say "why, you seem like a fine, upstanding web-site, by all means please execute some JavaScript and Flash code".
Well, actually, people do it all the time. But it's been a stupid idea for the last 15 years. But for some reason the trust model of the internet continues to be built on doing exactly that.
The solution is to stop trusting the damned internet and letting every site run whatever code they and their ad partners think they feel they should.
Because, let's face it, the internet hasn't really been trustworthy in a VERY long time.
Lost at C:>. Found at C.
Honestly, it has made perfect sense since the late 90s when you could get popup hell ... time and time again, ad networks have been demonstrated to be completely not trustworthy.
From back in the day when your page would get stuck loading because it was waiting for some @)##! ad site to finish loading (remember why Mozilla added the "block images from this site", or the ability to refuse cookies?) ... so popovers, popunders, misdirects, and a pretty long list of bad behavior.
How the hell it's taken this long for people to start realizing this I have no idea. It didn't become true because Snowden said it. It became true almost 20 years ago when ads started to pollute the internet, and hasn't ever stopped being true.
There's a reason many of us have disabled Flash for a VERY long time.
Me, I'd take pretty much anybody who says they work for an internet ad company and lock them in a cage with angry bears before I'd ever do anything so stupid as to trust them. Because you haven't been able to collectively trust them in almost 20 years.
Honestly, internet ads are about as trustworthy as having anonymous sex with strangers in parking lots littered with dirty needles; it's a terrible idea but people keep acting like it's the only way to keep the intertubes working.
Assume every single ad company is going to be lying, malicious, dishonest people driven by greed and depraved indifference. Because enough of them are that you should.
Lost at C:>. Found at C.