When ads go bad: A look into malvertising's malicious growth
Advertisements on the Internet are no longer just a nuisance. They are now also potentially dangerous. Even sticking to widely used and trusted websites can be risky, as the banner ads they contain may be carrying malicious code.
"Malvertising", a combination of "malware" and "advertising", is the technique of using trusted ad networks to deliver malware-loaded advertisements to users on trusted websites. This is not a new technique, but over the last couple of years its use by cybercriminals has grown exponentially because it is so effective.
"Malvertising is a big problem and its return on investment for fraudsters suggests it's not going away anytime soon," says David Kennerley, senior threat research manager at Webroot.
Most websites that have advertisements use "ad networks" to manage those ads, giving the site options for what type of ads to deliver to visitors. In a malvertising scenario, a cybercriminal will either hack into an ad network's server or even sign a fraudulent contract with an ad network, posing as an advertiser in order to gain trust. They will then upload a seemingly legitimate advertisement that is loaded with malicious content, such as a Flash or JavaScript exploit. The ad network unwittingly adds this malicious ad into its database so that its customers can choose it as one of multiple rotating ads. Alternatively, the ad can take more of a social engineering approach and appear on your screen based on your browsing habits, which are tracked by tracking cookies.
"Unfortunately, simply keeping to trusted websites no longer means you'll stay safe," says Kennerley. "The outsourced, distributed and chaotic nature of the online advertising industry means that even the world's most popular websites have no visibility on the ad content displayed on their pages or its original source."
In recent months, an additional level of complexity has been employed in these types of attacks: "Fingerprinting", a method of uniquely identifying computers based on meta-data and file dumps. As online advertisers move away from human transactions and toward real-time ad bidding, cybercriminals are finding ways to better target their victims.
Ad networks provide user meta-data to advertisers so that they can better advertise to consumers, but this same data can be used by cybercriminals to identify systems that can be exploited. For instance, if the meta-data reveals that a PC's Adobe Flash is not up to date and a known exploit exists for that version of Flash, the attackers will identify that PC as a target for attack.
With malvertising gaining popularity among cybercriminals, protecting yourself from this type of attack is critically important.
"Internet users should keep their browsers fully patched, with appropriate in-built phishing and malware protection switched on," advises Kennerley. "Browser add-ons should be kept up-to-date, with auto-play turned off; or better yet, disable or remove these commonly exploited add-ons completely. Ad-blocking software is becoming a must and of course a strong endpoint protection product is essential."
With a background in building, repairing, and troubleshooting computers for friends and family as a teenager, Nathan has been working with PCs for nearly 20 years. He is an experienced Advanced Malware Removal Engineer, and on a daily basis, he researches and analyses emerging malware trends and works to keep Webroot's threat detections current.