Modern Malvertising and Malware web-based exploit campaigns presented at AppSecCalifornia 2015

by Arian Evans, James Pleger,

Summary : 1. What are the top web-based exploit campaigns we see highly skilled, organized fraudulent actors using to target/exploit people via web app campaigns?
We break this down and surprisingly it's not things like XSS. We see more fake software brand impersonation & software updates, followed by fake AV updates, followed by sophisticated and targeted malware exploit campaigns.
2. What new vendor do we see these coming through? Exploits and abuses leveraging the complexity of the web ad network ecosystems, that wind up on all of our websites, and then compromise our users and may even exploit our websites.
3. What tricks do they use (like toolbars that dynamically load exploit code, then dump it, so there's no trace)
4. Example campaign - we can walk through a recent example campaign but if it's a new one we would have to keep this part of the presentation private, and ideally unrecorded. The folks we're identifying use any information they can get on folks like ourselves finding them to adapt and hide from us.