Trust and ignorance can work hand in hand to produce favorable results – from a cybercriminal’s point of view. That’s why perpetrators are turning to a disturbing new strategy for delivering malware to unsuspecting users: visitors to reputable, high-profile websites and portals are being infected by malicious code distributed through “malvertising”.
What is Malvertising?
Malvertising (a contraction of “malicious advertising”) is the practice of using online ads to distribute malware. Systems are infected by malicious code distributed through third-party advertising content (banners, pop-ups, animations, running scripts, etc.) typically displayed on trusted websites like social media platforms or news services. Users don’t even need to click on an ad to become infected, as the malware is downloaded and run in the web browser automatically – a classic case of the “drive-by download”.
Once in, the malware typically redirects the user to a server that’s been set up by the cyber-attackers. The servers record details about the user’s system and location, then choose the ideal malware option to serve the target with.
It’s a clever tactic and a difficult one to avoid, as many users simply can’t do without visiting at least some of the targeted websites, at some point in their lives. And cyber-criminals are using malvertising to reap significant benefits for themselves.
Malvertising Success Stories
Malvertising has been around for less than a decade, but in that time it’s affected organizations like AOL.com, bbc.com, msn.com, NYTimes.com, and Yahoo! – websites with a user base numbering in the hundreds of millions or more. Last year (2015) Google was forced to disable over 780 million infected ads.
2016 has brought malvertising into the public eye, with high-profile infiltrations of AOL, the BBC, MSN and The New York Times stemming from the “Angler” toolkit, which delivered, through compromised ad servers, exploits for vulnerabilities in popular software like Microsoft Silverlight and Adobe’s Flash. Networks owned by AOL, Google, AppNexus, and Rubicon were affected, as well as popular web resources like theweathernetwork.com, realtor.com, and the Newsweek website.
These campaigns were based on the delivery of ransomware to the affected users and represent a potentially huge payday for the perpetrators. Investigations have suggested that cyber-criminal networks are now investing big money in buying up malicious ads and server access – and apparently with good reason.
A Legitimate Face
Sadly, the current state of online advertising is simply contributing to their work. Big name websites such as those being targeted outsource their promotional content through a range of third-party advertising networks. These include legitimate providers such as Google, but also encompass a diversity of ad servers – some more above board than others.
Hiding behind the lure of a trusted URL, these illegitimate servers are free to push their malicious code onto visitors’ machines. In the normal course of loading a page from a highly trafficked website, the browser may connect behind the scenes to dozens of different advertising networks as video streams, banners, and pop-ups appear.
Site vetting and filtering are hampered, as in many instances companies simply register their names with an ad network then bid to place advertising on the major websites. Conditions for registering tend not to be particularly strict, and the bidding and buying process often takes place automatically.
The “safe browsing” wisdom of avoiding dodgy websites doesn’t apply in the case of malvertising. The perpetrators have turned logic on its head by using reputable household name sites and resources as their medium for delivery. And by automating the process of infection, they remove the need for users to assist them in their actions by clicking on bad links or authorizing dubious downloads.
Malicious ads often use invisible web page components called iframes to do their dirty work. When a victim visits a site hosting infected ads, these elements redirect their browser to a landing page which contains exploits that serve as a pathway for malicious code. This goes on behind the scenes, so users aren’t aware that they’ve been infected until it’s too late. And the host site itself is typically unaware of the presence of malware in its advertising.
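The two mechanisms just described, a page that quietly pulls content from many third-party ad hosts and an invisible iframe that redirects the browser to an exploit landing page, can both be surfaced from a site operator’s side by inspecting the served HTML. The script below is an added example written for this article, not code from any of the organizations mentioned: it lists every third-party host the page loads scripts or frames from, and flags iframes that are hidden (zero or one-pixel dimensions, `display:none`, `visibility:hidden`, or off-screen positioning) and point at a host that is neither the first-party site nor a known ad partner. The site name `news.example`, the allowlisted host `ads.example-network.test`, and the sample HTML are all constructed for the demonstration.

```python
"""Flag hidden third-party iframes and enumerate third-party hosts in a page.

Added example for the malvertising article; all hostnames and the sample
page are constructed, not taken from a real site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site whose pages we are checking.
FIRST_PARTY = "news.example"
# Assumption: ad partners the operator has deliberately contracted with.
KNOWN_AD_HOSTS = {"ads.example-network.test"}

# CSS patterns that make an element invisible or push it off-screen.
_HIDE_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


class _Collector(HTMLParser):
    """Collects iframe attribute dicts and external script sources."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def _dim(value):
    """Parse a width/height attribute such as '0' or '1px'; None if absent/unparseable."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs):
    """True when an iframe's attributes render it effectively invisible."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(_HIDE_STYLE.search(attrs.get("style") or ""))


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, '' for relative paths."""
    return (urlparse(url).hostname or "").lower()


def is_third_party(host):
    return bool(host) and host != FIRST_PARTY and not host.endswith("." + FIRST_PARTY)


def scan(html):
    """Return third-party hosts loaded by the page and any suspicious hidden iframes."""
    c = _Collector()
    c.feed(html)
    sources = c.scripts + [f.get("src", "") for f in c.iframes]
    third_party = sorted({host_of(s) for s in sources if is_third_party(host_of(s))})
    findings = []
    for f in c.iframes:
        src = f.get("src", "")
        host = host_of(src)
        if is_hidden(f) and is_third_party(host) and host not in KNOWN_AD_HOSTS:
            findings.append(src)
    return {"third_party_hosts": third_party, "hidden_third_party_iframes": findings}


# Constructed sample page: one first-party script, one contracted ad partner,
# and two hidden frames pointing at hosts the operator never approved.
SAMPLE_HTML = """<html><body>
<script src="https://news.example/static/app.js"></script>
<script src="https://ads.example-network.test/tag.js"></script>
<iframe src="https://ads.example-network.test/banner?id=7" width="300" height="250"></iframe>
<iframe src="http://landing.badhost.test/x.php" width="0" height="0"></iframe>
<iframe src="//cdn.other.test/v" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(key, value)
```

Run against a saved copy of a page (or a crawl of the site), the second list is the one worth alerting on: a zero-size frame to an unknown host is exactly the pattern described above, and because the ad slot’s content changes from one visit to the next, the scan is only useful if it is repeated over time rather than run once.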
Jab And Move
Tracing the source of an infection is no easy task. Administrators of big websites are often as unaware as the victim of the presence of malware in their domain, and may have no knowledge of the kind of ad content being streamed to their site from registered servers at a particular time. So identifying the source of a malware campaign is often difficult – and this leaves the perpetrators free to continue with their activities on other sites and at other times.
With the luxury of remaining hidden – and having access to the demographic and behavioral profiling facilities of sophisticated advertising networks – malvertising practitioners can devote their efforts to configuring targeting rules and laying malware traps for specific types of individuals, agencies, or corporate bodies. This might, for example, manifest as a site visitor typing a particular search phrase into the engine at one of the host websites, which then triggers the malicious code in an ad on that page to redirect to an exploit page that’s been set up for users making that particular query.
With advertising networks allowing their subscribers to buy targeted promotions for their sites based on geographical locations, demographic identifiers, operating systems and so on, there’s a great opportunity for the malvertising industry to drill down to specific targets.
Investing In Infection
With the global market for mobile advertising alone expected to top $100 billion in spending and account for half of all digital promotion expenditure in 2016, the time is ripe for cyber-criminal networks to invest in this sector. And they’re doing so by blending malvertising with one of the latest trends.
An Expensive Mix
It’s estimated that 70% of malvertising campaigns are dedicated to delivering ransomware as their payload. When you consider that the websites being used as staging posts for malicious ads may record hundreds of millions of hits per day, and that the typical ransom demand for decrypting infected files runs into hundreds or even thousands of dollars for each case – there’s potential for huge financial losses to the victims, and huge gains for the criminals.
Mobile Marketing Opportunities
In 2014, about 16 million smartphones and tablets were infected with mobile malware – a figure that’s on a level with desktop-based infections. With spending on mobile advertising expected to double between 2016 and 2019 (a rise to around 70% of the global advertising budget), we can expect the mobile sector to become the next focus for purveyors of malicious advertising – which is already on its way to becoming the number one threat vector for malware distribution.
Beyond avoiding online activity altogether (clearly not an option, for most people) what can be done to reduce the risk of malvertising infections? Here are some tips:
- Malvertising often seeks out vulnerabilities on a user’s system, so as to exploit them. You can reduce this risk by keeping operating systems, web browsers, security and other software regularly updated and patched.
- Vulnerabilities in programs like Adobe Flash and Java may be used by malvertising to gain access, so disabling these functions if you don’t need them is a good idea. Enabling click-to-play plugins (which won’t run Flash or Java applications in your browser unless you specifically click on them) can also help.
- Using an ad-blocker can filter out much of the unwanted promotional content and prevent malicious scripts from launching automatically. To some extent this may be hampered by the policy of some big-name websites which rely on advertising revenue to maintain their free services – and insist that visitors turn off their ad-blockers. In such cases, use your discretion.
- An ad management tool is a good investment for mobile users, as the software can scan mobile ads and assist in tracing malicious code back to its source.
- There are anti-exploit programs available, which may act as a last line of defense against any malicious code that manages to break through.
A Coordinated Response
There’s been talk from official bodies like the FBI and Homeland Security of an investigation into the activities of malvertising networks, and such an intervention should be welcomed.
Ultimately though, the problem won’t be fully addressed until there’s a change in policy from the digital advertising sector itself – one that tightens up the operations of ad-serving networks.
Website operators will need to tighten up their practices, too. And there may be a place for an awareness creation effort on the part of employers and public institutions, to acquaint users with the risks they potentially face, and measures they can use to reduce them.