This article originally appeared in Security Intelligence on November 27, 2018.
Many longtime internet users will remember receiving pop-up ads warning that their computers were infected with a virus. In nearly all cases, the ad’s specific claims were bogus; the purpose was to scare users into paying for a questionable tech support service or to drive them to a site that would actually infect them with malware.
While browser-based pop-up blockers have largely killed off that particular scam, malicious advertising — or malvertising — is still causing serious damage. Purveyors of malvertisements use an increasingly broad range of techniques to insert malware into ads that run across the web on large advertising networks.
How Malvertising Works
In most cases, threat actors create fake advertisements laden with malware and try to slip them past security checks at large ad networks. These infected ads can then sneak malware onto a web user’s computer, even if he or she doesn’t click on the ad. These so-called drive-by downloads are particularly effective against users who don’t regularly update their software.
The cost of malvertising is huge: A report from ad verification vendor GeoEdge estimated that the threat costs the online advertising industry more than $1.1 billion a year, and anticipated the cost rising another 20–30 percent in 2019.
Know Your Malvertisers
A lack of transparency in the digital ad supply chain “makes loading malicious ads through legitimate ad networks rather painless,” said Alex Calic, strategic technology partnerships officer for The Media Trust, a vendor of digital advertising and app security products. “The sheer number of ads and the large number of digital partners, many unknown to each other, along the supply chain make tracing the malicious code back to the correct offending party extremely difficult.”
It’s tough for ad brokers to keep up with the threat actors, added Jason Hong, associate professor at Carnegie Mellon’s School of Computer Science.
“It’s a cat-and-mouse game. Ad networks need to scan ad submissions for malware, but it can be really hard because attackers have a really strong economic incentive to keep innovating new ways of spreading malware.”
Call in Back-Up
The online advertising industry needs more processes to check submitted ads, added Corey Nachreiner, chief technology officer (CTO) of network security vendor WatchGuard Technologies.
“There are many web tools and frameworks that can help ad brokers escape or remove certain types of web code, such as JavaScript,” he said. “The brokers simply need to check the HTML ads being submitted to them, and make sure they only have clean content and don’t try to invisibly redirect to any off-site source.”
Ad brokers can also require more information from new customers as a way to validate them, he added. But attackers can hide malware in images and other elements, meaning that security teams may need to do more than simply scan the ads.
“Malvertising campaigns regularly slip under the radar of the advertising networks because they typically aren’t spotted until the first victims speak out, by which point it’s already too late,” said Gavin Hill, vice president of product and strategy for cybersecurity vendor Bromium. “Concealing malware within objects or images within the site, or forcing redirects for certain users, makes it extremely difficult for the advertising networks to spot malicious adverts being delivered.”
Using sophisticated tools to hide the malware in the ads, attackers can create highly targeted malvertising campaignsthat fuse cybercrime and targeted marketing, Hill added.
“It’s all too easy for cybercriminals to exploit networks for their own gain,” he said. Threat actors can “deliver malicious code to vulnerable users that don’t suspect a thing.”
Broaden Your Thinking
Hill called for a holistic approach to fighting cybercrime by understanding “how the vast cybercrime economy operates.” Hong agreed.
“It really needs to be an entire community effort in combating malvertising,” he said. “Ad networks are the front line and need to improve their malware detection capabilities. We also need to hit the attackers’ finances, too, making it harder for them to monetize.”
To protect themselves from malvertising, consumers should prioritize patching. Users need to keep their software up to date to protect against malicious ads targeting known vulnerabilities.
“On end-user client side, patch, patch, and patch,” said Oliver Münchow, security evangelist with cybersecurity prevention firm Lucy Security. “And beware of the risks associated with downloads and clicks.”
In the end, maintaining your patching cadence and implementing only necessary and heavily vetted browsing tools should be a part of any routine security program. But keeping an extra eye on malvertising strategies and expanding knowledge of threat campaigns overall should help solidify another wall of the data security fortress.