Blog

By Marvin Marin and Andrew Paulette With the dramatic rise in internet access and use over the past decade, it is easier than ever for companies to reach an audience in the millions with advertisements for their products and services.  To monetize this opportunity and help keep websites “free,” advertising networks offer thousands of ads to websites based on their demographics.  While these ads are normally harmless, malicious actors have found methods to target advertising networks and submit ads embedded with malicious code.  Because of the techniques and consequences of this “malvertising,” this form of malware delivery offers a unique set of challenges to websites, advertising networks and end users, and it deserves special consideration. Malvertising impacts users by serving malware on reputable sites via advertising content.  Malicious code is first embedded into an advertising network via ads to be used on websites across the internet.  While some advertising networks may screen their advertisements for malicious code, skilled attackers can employ stealth tactics to hide their malware from these detection systems.  Once the attacker has paid a small fee for the right to display their advertisements within the ad network, they can define the demographics of their intended audience (their target) and wait for vulnerable users to be redirected to the malware. In 2014 alone, the security firm Cyphort estimated that malvertising attacks rose 325%.  The ease of distributing a malvertisement coupled with the ability for it to be installed without the user knowing it give a malicious actor the equivalent of a hunting blind to work from.  It’s not uncommon for professional brands to be used in these types of attacks, either.  For example, YouTube and Reuters have been victims and unwitting distribution points of malvertisements. A malvertisement attack occurs when a user goes to a website that hosts the malvertisement. The “ad” will display, and in the background a JavaScript or Flash-based ActionScript will covertly route the browser to a different location where it will download a rootkit or other malicious content.  The user will not be aware of the infection.  The malware could then take whatever action the creator wanted, including remote control of the device, encryption and ransom of the user’s PC, or stealing information such as logon credentials or account numbers.  The ability for this compromise to occur with stealth and either pre- or post-click (or with no click at all!) makes it particularly insidious. Here are some high-level recommendations to avert malvertising:

• Adblocking software will not block every piece of advertising but can dramatically reduce the attack surface. When choosing a product, however, research whether the product whitelists certain ad providers, as those advertisers will be ‘trusted’ by the adblocking software and permitted to show you their ads.
• When performing normal everyday functions, log in to your system using a non-administrator account. Many drive-by downloads and installers will fail if you don’t have sufficient access rights to install and execute software.  In security circles this is called least privileges.
• Avoid using Flash and Java. Uninstall if possible.  If you have to run them, make sure to only install and use the most current patched version.
• Maintain your web browser at the current patch level.
• Enable security settings on your browser. For example, “Warn me when sites try to install add-ons” in Firefox.
• Use anti-virus and anti-spyware/anti-malware software, especially ones that can detect potential malicious websites that you are attempting to visit.

Industry also has a vested interest in policing itself, as revenues will decline as more users adopt adblocking software. Additionally, reputable companies will avoid employing advertising networks that have been caught hosting malvertising to avoid damaging their brands. Malvertising is more than just an information security problem for users; it goes to the heart of e-commerce as it threatens people’s ability to access content freely and with minimal risk.