Malvertising - You don't even have to click it

Greg Edwards

Malvertising: Malware Infected Online Ads

Cybercriminals are always on the lookout for ways of infecting your computer with malware. It is their job, and they do it well. So well in fact, that cybercrime has hit staggering figures, with PWC reporting in their Global State of Information Survey 2015 that there were 42.8 million security incidents in 2014, an increase of 48% over the 2013 figures.

Online advertising is now big business. Most large brands use it, and market analysts’ eMarketeer reported the global market for online paid media was around $545 billion in 2014 and growing.

On the back of the success and ubiquitous use of online ad marketing is the latest trend in cybercrime, which uses these online ads to spread malware. This new entrant to the cybercrime arsenal is called malvertising.

The success of malvertising was demonstrated at the recent Black Hat USA Conference by RiskIQ who have seen an increase of malvertising use of 260% in the first two quarters of 2015. Such a successful cybercrime vector is here to stay, for the foreseeable future at least.

What is Malvertising and How Does it Work?

Word-Malware.pngMalvertising is a word created from two words, malicious and advertising. As mentioned, cybercriminals are always hunting for new ways (vectors) of getting malware onto your system, and online ads are one of these new entry points. One of the main sweet spots of using online ads to infect machines is that the cybercriminals can use legitimate ads, of companies that you know and trust, on sites that you know and trust. It is this type of social engineering that makes malvertising so successful. 

To become infected by malware via an online ad, you just need to visit a site that has an infected ad running. Some malverts don’t even need you to click on them to get infected, the malicious code being executed silently in the background when the ad runs

Malverts infect you either directly, or by taking you to a spoof site when clicked. Either way, you end up with the same problem, malware infected computers. One of the key things about malverts is that they can go from being benign to harmful in seconds, and it can become next to impossible to trace the source of the malware. In addition, ads are often served up through complex third-party ad networks. If these networks become infected, they can potentially serve up malicious ads across multiple legitimate sites. Even reputable ad networks cannot totally eradicate malware-infected ads. They do check the ads for things such as banned words, prohibited products and so on, but unless they fully scrutinize the underlying code, malware can slip through the net.

Examples of Malvertising

There are a number of very large ad networks that have been affected by malvertising. One of these is Yahoo’s ad network. The Yahoo ad network is massive. They have around 6.9 billion visits per month, so it is a mouth-watering opportunity for cybercriminals.  Yahoo’s network was hijacked in late July 2015.  The cybercriminals used a software vulnerability in Adobe Flash to install the software. Some of the malware they implemented was the dreaded ransomware, which extorts money from anyone unfortunate enough to get infected by it. As soon as Yahoo was informed of the malware intrusion, the ads were pulled. However, this would not help those already infected (possibly over 2 million of Yahoo’s users). The scary part about the Yahoo! malvertising is that you didn't even have to click on or do anything interactively to get infected.  The combination of inadvertantly visiting an infected page and not having the latest patches installed to Flash would get you infected.

Yahoo-Web-Site.png

Google has also had its fair share of malvertising attacks on its ad network. Google announced last year that they’d removed 350 million ‘bad ads’ from their network. Google’s DoubleClick network, which has a massive distributed reach serving ads to millions of websites, suffered a malware attack in late 2014 which targeted users through a seamless (no user interaction) redirection to an exploit kit called ‘Angler’, which then infected their machines with either ad fraud or ransomware –  most impacted users lived in the USA.

How to Protect Yourself from a Malicious Ad

It may seem that something as insidious as an ad displaying in a website can then infect you with no user intervention. There are, however, measures you can take to prevent becoming infected, even if you do stumble across an infected ad. Here are some general ways of protecting you, your data and your finances:

  1. Be vigilant: Some malware laden ads are obvious, like the ones that pop up, saying “you’ve won a $1000, just click here.” Just be aware of these type of ads and that a free lunch is indeed, a rare thing.
  2. Use an ad blocker: Ad blockers prevent ads from loading at all.  Disconnect, Ghostery, Adblock and Pi-hole are a few common blockers.  The pics below show the difference with and without ad blocking on.
  3. Be patched: Most of the malware hidden in these ads rely on software vulnerabilities, something we at WatchPoint Data know a lot about. Patch management and keeping software up to date is an essential, preventative measure that is the first step in keeping your system malware-free.
  4. Be watchful: Even with the most up to date anti-virus software running and everything patched, it may still be possible to become infected. You should consider implementing security monitoring to ensure that any signs of an intrusion are captured. And if the worst does happen, you can quickly close off the problem and recover any lost data or remediate any other security failure points. 

Ad Blocking off:

Yahoo! without ad blocking

Ad blocking on:

Yahoo! with ad blocking

The purple alert boxes in the bottom right are the Ghostery findings. Some sites will have over 100 trackers and ads running! Most of the blockers also block behavioral tracking. Understanding and doing something about cybersecurity risks is the key to protecting your business and your own personally identifiable information.

 

Share this:

Entrepreneur Link

Share

     

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all