March 13, 2019

Online advertising firm Sizmek Inc. [NASDAQ: SZMK] says it is investigating a security incident in which a hacker was reselling access to a user account with the ability to modify ads and analytics for a number of big-name advertisers.

In a recent posting to a Russian-language cybercrime forum, an individual who’s been known to sell access to hacked online accounts kicked off an auction for “the admin panel of a big American ad platform.”

“You can add new users to the ad system, edit existing ones and ad offers,” the seller wrote. The starting bid was $800.

The seller included several screen shots of the ad company’s user panel. A few minutes on LinkedIn showed that many of these people are current or former employees of Sizmek.

The seller also shared a screenshot of the ad network’s Alexa site rankings:

A screenshot of the Alexa ranking for the “big American ad network,” access to which was sold on a cybercrime forum.

I checked Sizmek’s Alexa page and at the time it almost mirrored the statistics shown in the screenshot above. Sizmek’s own marketing boilerplate says the company operates its ad platform in more than 70 countries, connecting more than 20,000 advertisers and 3,600 agencies to audiences around the world. The company is listed by market analysis firm Datanyze.com as the world third-largest ad server network.

After reaching out to a number of folks at Sizmek, I heard back from George Pappachen, the company’s general counsel.

Pappachen said the account being resold on the dark web is a regular user account (not a all-powerful administrator account, despite the seller’s claim) for its Sizmek Advertising Suite (SAS). Pappachen described Sizmek’s SAS product line as “a sizable and important one” for the company and a relatively new platform that has hundreds of users.

He acknowledged that the purloined account had the ability to add or modify the advertising creatives that get run on customer ad campaigns. And Sizmek is used in ad campaigns for some of the biggest brands out there. Some of the companies shown in the screenshot of the panel shared by the dark web seller include PR firm Fleishman-Hillard, media giants Fox Broadcasting, Gannett, and Hearst Digital, as well as Kohler, and Pandora.

A screenshot shared by the dark web seller. Portions of this panel — access to a Sizmek user account — was likely translated by the Chrome Web browser, which has a built-in page translate function. As seen here, that function tends to translate items in the frame of the panel, but it leaves untouched the data inside those frames.

Crooks who exploited this access could hijack existing ad campaigns running on some of the world’s top online properties, by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system.

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” Pappachen offered.

Pappachen said Sizmek forced a password reset on all internal employees (“a few hundred”), and that the company is scrubbing its SAS user database for departed employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect,” Pappachen said. “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”

The Sizmek incident carries a few lessons. For starters, it seems like an awful lot of people at Sizmek had access to sensitive controls and data a good deal longer than they should have. User inventory and management is a sometimes painful but very necessary ongoing security process at any mature organization.

Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately.

Pappachen asked KrebsOnSecurity what else could have prevented this. I suggested some form of mobile-based multi-factor authentication option would prevent stolen credentials from turning into instant access. He said the company does use app/mobile based authentication for several of its new products and some internal programs, but allowed that “the legacy ones probably did not have this feature.”

PASSWORD SPRAYING

It’s not clear how this miscreant got access to Sizmek’s systems. But it is clear that attackers have moved rapidly of late toward targeting employees at key roles in companies they’d like to infiltrate, and they’re automating the guessing of passwords for employee accounts. One popular version of this attack involves what’s known as “password spraying,” which attempts to access a large number of accounts (usernames/email addresses) with a few commonly used passwords.

There are technologies like CAPTCHAs — requiring the user to solve an image challenge or retype squiggly letters — which try to weed out automated bot programs from humans. Then again, password spraying attacks often are conducted “low and slow” to help evade these types of bot challenges.

Password spraying was suspected in a compromise reported last week at Citrix, which said it heard from the FBI on March 6 that attackers had successfully compromised multiple Citrix employee accounts. A little-known security company Resecurity claimed it had evidence that Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data.

Resecurity drew criticism from many in the security community for not sharing enough evidence of the attacks. But earlier this week the company updated its blog post to include several Internet addresses and proxies it says the attackers used in the Citrix campaign.

Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018. Citrix initially denied that claim, but has since acknowledged that it did receive a notification from Resecurity on Dec. 28. Citrix has declined to comment further beyond saying it is still investigating the matter.

BRUTE-FORCE LIGHT

If anything, password spraying is a fairly crude, if sometimes marginally effective attack tool. But what we’ve started to see more of over the past year has been what one might call “brute-force light” attacks on accounts. A source who has visibility into a botnet of Internet of Things devices that is being mostly used for credential stuffing attacks said he’s seeing the attackers use distributed, hacked systems like routers, security cameras and digital video recorders to anonymize their repeated queries.

This source noticed that the automated system used by the IoT botmasters typically will try several dozen variations on a password that each target had previously used at another site — adding a “1” or an exclamation point at the end of a password, or capitalizing the first letter of whole words in previous passwords, and so on.

The idea behind this method to snare not only users who are wholesale re-using the same password across multiple sites, but to also catch users who may just be re-using slight variations on the same password.

This form of credential stuffing is brilliant from the attacker’s perspective because it probably nets him quite a few more correct guesses than normal password spraying techniques.

It’s also smart because it borrows from human nature. Let’s say your average password re-user is in the habit of recycling the password “monkeybutt.” But then he gets to a site that wants him to use capitalization in his password to create an account. So what does this user pick? Yes, “Monkeybutt.” Or “Monkeybutt1”. You get the picture.

There’s an old saying in security: “Everyone gets penetration tested, whether or not they pay someone for the pleasure.” It’s kind of like that with companies and their users and passwords. How would your organization hold up to a password spraying or brute-force light attack? If you don’t know, you should probably find out, and then act on the results accordingly. I guarantee you the bad guys are going to find out even if you don’t.


29 thoughts on “Ad Network Sizmek Probes Account Breach

  1. The Sunshine State

    “monkeybutt” in plain text or take the same thing and encode in Base 64 which is “bW9ua2V5YnV0dA==”

    Which one is a better password? I don’t see why more people are doing this.

    1. Tim Villa

      Perhaps because it’s pretty much impossible to remember? I’d say that’s why.

      And if you’re going to put it in a password manager, then you might as well use a decent passphrase to begin with.

      1. The Sunshine State

        I disagree with you if you take a phrase you always remember like “TheSunshineState” , then it’s just a matter of imputing the data in a Base 64 encoder to obtain the same password over and over again which is pretty simple because it’s always the same

        The password strength of doing this is incredibly strong if you go over 10 charters so a attacker doing a brute force or dictionary attack would be extremely hard if the website uses a strong hash along with the use of salt.

        1. Ben

          Wrong. If you choose a simple password, and then do “something clever” to it to make it look random, it’s still a bad password.

          It can help against basic online attacks like is described in this article, however as soon as some service you use has their password database stolen (it happens ALL THE TIME) you’re hosed. It would just be one more transformation rule among many that the crackers apply to their wordlists, especially if a lot of people start doing it.

          As a rule of thumb: if your password would be weaker if an attacker knows how you came up with it, then it’s not a good password.

          It’s simpler AND easier to do one of these instead:

          * Use a password manager
          * Use a randomly generated diceware phrase
          * Come up with a long gibberish sentence (if you have trouble remembering diceware)

      2. EstherD

        Ah, no. You should forget you ever read anything about “correctbatteryhorsestaple” on XKCD, and opt for a *completely random* 15-18 character password.

        1. Ben

          The “correct horse battery staple” thing is just fine. It’s just that most people completely missed the point of the comic.

          You are supposed to pick 4-6 words AT RANDOM. For example, using actual physical dice and a Diceware word list. If you do it correctly it’s as strong as a fully random password of about twice as many characters as the number of words you select.

          If you do it wrong and pick a common phrase, you’re correct, it’s crap.

          https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase

    2. Readership1

      The longer password is better, because it is longer. Randomness, or the appearance of randomness, has less importance in password cracking than length.

      I’ll quote myself from 27 Nov. 2018:

      Randomness in a password’s characters only has a marginal effect on difficulty to crack it, because it frustrates a dictionary-based attack. But that’s it.

      The best password is long and easy to remember, so you’ll be able to use it without jotting it down.

      Here’s why a long password beats a complex one:

      https://math.stackexchange.com/a/1934499

    3. Nathan

      Common permutations are easy to account for if you are trying to crack a dictionary password, and encoding something in base 64 is a one-to-one translation that offers no gain in entropy. Basically “bW9ua2V5YnV0dA==” is *exactly* as hard to guess as “monkeybutt” if you are including base 64 encodings of your guesses as well, and why wouldn’t you?

      There is an important difference between encoding and encryption. Encoding offers no gain in entropy. It’s a one-to-one and onto transformation. It’s invertable, so given an *encoded* string, it is trivial to get the non-encoded string back (granted it helps to know what the encoding was).

      And the long password vs. random password argument (getting off topic from your post now): grammatically correct English has about 4 bits of entropy per word according to some studies, which is pathetic! Random word choices have up to 12 bits per word according to some studies (xkcd assumes this number for any word), which can get you a pretty strong and easy to remember password with four random words. Random characters have about 7 bits each, but you can cram a ton of them together in a short password. Neat. Why not go long and random with a password manager?

      tl;dr, get a password manager.

      1. Nathan

        Correction to my previous comment: random words drawn from all of the English language have a TON of entropy per word, but you are pretty likely to get words that are hard to remember or spell. Random common words give you about 12 bits of entropy per word, depending on how you define “common”. Much lower than all words, but much easier to remember, and you can string several together.

        Still, fully random long passwords are best. Use a password manager.

      2. Paul

        Wouldn’t adding a salt to the password and then transforming it be sufficient? For instance, HASH(correcthorsebatterystapleXYZ)? If that’s a valid assumption then you could use a password manager to save the salts, which you can change instead of the passwords.

        1. Nathan

          If by “hash” you mean convert to Base 64, then you are only gaining whatever entropy the salt gives you by itself. I guess the first point I am trying to make is that 1-to-1 conversions like encoding in Base 64 don’t gain you anything.

          If you mean using passwords you can remember while storing random salts with a password manager, I guess that could work. Why not just use the password manager outright though? I think if you have a short salt this could leave you vulnerable to the password spraying approach mentioned in this article, e.g. if you reuse the same password with a different salt, then anybody who knows the base password has gotten a long ways toward factoring a hash that they might have for some other account of yours.

          Basically when in doubt, random is your friend. An 18-character random password drawn from all letters, numbers, and symbols gives something like 126 bits of entropy, or 4e37 guesses for a 50% chance of finding your password. At 1e16 guesses a second (peta-Hertz guess rate, so somebody is throwing serious money at this problem), that gives you 1e15 years until you hit the 50% mark. Granted you could guess right on the first try, but its extraordinarily unlikely.

    4. JB

      Would it make it more random? Sure. Will you get anyone to use it in a business setting? Not likely.

      You’re not going to get anyone beyond tech people remotely interested in that. Try selling it to your accounting or HR group. We are here to educate and help businesses stay safe. You’ll get laughed, if not run out of a room suggesting that to employees. MFA and password managers are the best bet for the time being.

  2. 31337_PWNER

    Good catch.

    Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018 [!!!]. Citrix initially denied that claim [!!!], but has since acknowledged that it did receive a notification from Resecurity on Dec. 28 [!!!]. Citrix has declined to comment further [???] beyond saying it is still investigating the matter.

    1. Quid

      Their public relations spokesperson should be sacrificially fired, after replying with such stupidity, even if being hurried and pressured into a statement by the press or others. They should have bought time, with a BS statement such as:

      At Citrix, we take security related matters very seriously. We cannot comment a this time as the matter is currently under review.

      Then they could scramble to do what they should have done in the first place! Like look into any security-related notifications whether reported via the outsourced Filipino/Indian customer service center, a sales rep or any other mode of contact.
      They probably have no formal method in place to deal with such notifications or the process is so onerous, no one can penetrate, like when the teen that first reported the Facetime vulnerability to Apple.

      1. Anon404

        Do you actually believe the PR person who delivered the statement unilaterally approved that statement for release? Doubtful. It was likely approved by someone higher up than PR.

  3. EstherD

    And all those “world’s top online properties” wonder why those of us who are security conscious choose to block ALL ads, not just those that violate our privacy.

  4. K.Holt

    We used to do a “super randomized complex password” scheme, like rolling your face on the keyboard for password gen (ie. W3BW$hs#$YuK), but honestly all we found out is like said above, it only actually thwarts standard dictionary attacks. For brute-force the 16 character password “Ihaveapassword4!” is just as complicated as “H58ccE$lao%g1v*z” because they both follow the same convention of “At least one upper and lower case, at least one number and at least one special character”. The horrible part is that when we insisted on those “complex” passwords, all it really did is make people write them down more and leave them in places around their office.

    Password length is really the only real method you’ll get decent security with. I’m turning more now to using those same requirements, but also turning the password length requirements up to 20 or 24. So I suggest my users to just think of some words that they could remember, string em together, throw in some capitalization, numbers and season with special characters. Makes it much more memorable and less likely for someone to write it down on a post-it note and tape it to their monitor *facepalm*.

    And if you really want to get fun, see if what you are putting your passwords in allows you to use a space in your passwords. It really ups the level of “complexity” when you do because alot of brute force for whatever reason doesn’t seem to check for the spaces.

    1. Password123

      Complex passwords almost always result in people writing them down on sticky notes and hiding them in “super secure places” like under their keyboards. Or, digital sticky notes that come natively with Windows. I remember my boss was sharing his screen with me not too long ago and he closed his browser which showed his desktop. All of his passwords for all accounts were on sticky notes… and this was a very large information security company. I still laugh at that. I can maybe see a password-protected Excel spreadsheet that is also encrypted (if you’re going those lengths, why not get a password manager? I digress…), but everything on sticky notes? Really? The worst part is, he isn’t the only one. We’re only as good as our cyber hygiene.

      1. SkunkWerks

        “why not get a password manager?”

        To put it simplest: most people don’t understand what encryption is/is for.

        What I usually tell people is: use words, sure, but randomly generate them. Caltrop them with random bits too if you can manage it. The longer the better- if the system will let you, anyway.

        Then we invariably get into password managers and the value of encryption, because- as I said- most people don’t really know what that means.

        They see no difference in value between keeping passwords in a Word document and keeping them in an encrypted vault.

  5. Alexander

    Brian, I sent you a direct message on Twitter. I hope you read it

    🙂

  6. ChrisSuperPogi

    “Best practices in this space call for actively monitoring all accounts — users and admins — for signs of misuse or unauthorized access. And when employees or vendors sever business ties, terminate their access immediately..”

    Well said!

    Pappachen’s inquiry on “what else..” becomes mute and academic if the governance is not practiced very well.

    My $0.02

  7. Billy Farmer

    OK, I want to use a password manager.
    What should I look for in features.
    And, what should I avoid?
    Thanks

    1. SkunkWerks

      Depends on what you’re comfortable with/want.

      This is always a balancing act between security and convenience.

      Probably the first fork in that road is: do I use an “online” password management system, or do I keep an encrypted vault offline?

      Both approaches have pros and cons. An online vault is simpler, more accessible, but you have to reckon with whether or not you trust the people keeping it, and even then you have to accept a certain degree of risk there.

      You could keep a vault offline, but that puts the burden of file management entirely on you.

      The next most important featureset is probably the sorts of credentials you’re allowed to use for access to the manager/vault. Many are now offering some form of 2FA, as an example.

    2. Readership1

      I strongly advise against password managers, both because of complexity and trust issues.

      Anything connected to a website is insecure. Anything kept on an Internet-connected device is insecure. All major password managers were recently found to leak memory to other apps, where your passwords could wind up online.

      Consider your coworkers and loved ones, who will pick up the pieces when you die. It’s inevitable.

      Anything too complex will mean tremendous headaches and heartaches for them. Keep it simple enough for them.

      I’m a big fan of just storing my personal passwords in an old address book on my desk. Every few months, I make a photocopy of any updates and new credit, bank, and ID cards, put in an envelope, and leave it in my bank’s deposit box.

      I’ve never lost a password or had technical issues with this method. It is impervious to hacking and fire, as well. And it’s very easy for my family to get, when I’m gone.

      For work, I just use a password-protected spreadsheet that I keep in an off-line computer. It’s hackable, but you’d have to be on-site to try. And if you’re already on-site breaking in to stuff, there are bigger concerns than some stupid passwords.

      Every month, I’ll print out a copy to keep in our office safe, accessible to myself and my partners.

      Complexity is the enemy of convenience. You’re only as secure as the system you choose to follow regularly, so keep it convenient.

  8. Ed Amiryar

    Thank you for the article, good read. It made me think about the less ways to take advantage of this though. i.e. all major US mobile carriers (as far as I know) have special “*” or “#” dialing sequences that when dialed, will forward all calls. A phishing attack could either convince people to dial a sequence or possibly even a well crafted link could cause people to click it and attempt to dial, essentially forwarding all their calls, and with at least a few of the major MFA implementations I’ve seen, phone calls are usually a secondary option for the SMS # on file.

    The other means is the new VoIP features from carriers like TMobile. TMobile’s “DIGITS” feature lets you use an app to login to your phone number, which gives access to inbound/outbound calling and SMS. So simply compromising ones TMobile account in a phishing attack would give an attacker the ability to 1. Turn on DIGITS if not already enabled and 2. essentially have full access to any # on the account via the DIGITS app.

    I’m not knocking digits by any means, I think it’s an innovative technology. We just need to look at attacks, both technical and social, from all angles.
    -Ed

Comments are closed.