This article originally appeared in Security Intelligence on December 3, 2018.
Although Black Friday and Cyber Monday are behind us, consumer scams are likely to continue surging through the coming month. Malicious actors know that online retail spikes during the holiday season, so they increase their efforts to spread ad malware rather than good cheer.
Cautious consumers might be on the lookout for malicious apps and websites, but another tactic that cybercriminals will likely leverage extensively is malvertising — ads embedded with malware. Retailers also tend to prioritize customer experience over data security, so it’s important to understand how to avoid malvertising scams and prevent opportunistic threat actors from affecting your network during the holiday season.
Recognize the Risk
According to a Black Friday digital fraud report from RiskIQ, “Some fake apps contain adware and ad clicks or malware that can steal personal information or lock the device until the user pays a ransom. Others encourage users to log in using their Facebook or Gmail credentials, potentially exposing sensitive personal information.” In fact, the researchers from RiskIQ found that the brand names of the five leading retailers were frequently used in malicious and fraudulent mobile apps.
With virtually every retailer promoting online shopping deals, the internet is a hotbed of opportunity for scams. Jerome Dangu and Jack Cohen Martin, co-founder and CPO, respectively, of antimalvertising firm Confiant, said they uncovered what appeared to be the initial attack in an ongoing malvertising campaign on Nov. 12. During the course of discovery, Confiant blocked over 5 million malvertising impressions on the Google Play store meant to impersonate legitimate app downloads.
Because the ads were served in a top-tier exchange, more than 300 million bad impressions were served to publishers in just over a 48-hour period, Dangu and Cohen Martin explained. By comparison, the Zirconium group, named by Confiant as 2017’s largest malvertising operation, created and operated 28 fake ad agencies to distribute malvertising campaigns and was responsible for 1 billion impressions over the course of a full year.
Malvertising can target specific companies, but this particular campaign went after iOS users and used two domains and two types of payloads.
“One family of landing pages was more focused on fake offers from Amazon gift cards and Walmart, in differing denominations and variations,” Dangu explained.
How to Spot an Ad Malware Scam
The scam is essentially a way for an attacker to retrieve user data and resell it. Users are often delivered to fraudulent landing pages where they are asked different types of marketing questions about things like their insurance or interest in electronics.
“The attacker is getting an affiliation share on these forms that get submitted, but you can never get out of this loop of forms,” Dangu explained. “Users could enter their data forever until they finally realize it’s a waste of time and they aren’t getting an iPhone for a dollar.”
Because malicious actors have become increasingly sophisticated, the fraudulent landing pages they use appear legitimate.
“They are exploiting the user’s trust by creating malicious landing pages that adopt the same color scheme as Facebook or Google, for example. It’s important for users to make sure they are where they think they are and check the full URL address,” Cohen Martin said.
All Eyes on Mobile
In monitoring malicious traffic over the past year, Confiant observed one major shift from previous years, which had seen surges in malware and malvertising campaigns aimed at browsers.
“Mobile is used more and more,” Dangu said. “Attackers are targeting more mobile through scam approaches, which is disturbing for publishers.”
In one case, ads were redirecting users to get them to subscribe to adult dating sites, and the cybercriminals were getting a cut on those subscriptions. Mobile sites tend to have more ads, and because of that density, it is more difficult to identify a scam.
“Because of the nature of business, the ads are being digitally placed there, and it is hard to get 100 percent visibility into what is going on,” said Dangu. “Service providers and exchanges need to do their part to prevent these types of risks from being available.”
How to Avoid Malvertising Scams
Given the evolution of scammers’ methods, it’s important to remember that if a deal seems too good to be true, it probably is.
“Consumers should be wary of deals and go directly to sites they trust,” said Mike Bittner, digital security and operations manager of The Media Trust.
Bittner also emphasized the responsibility of brands to identify all the code executing on their websites and mobile apps.
“Chances are high that online companies only know a small fraction of the 50–95 percent of code in their digital assets provided by third parties,” he said.
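One way a site owner can start the inventory Bittner describes is to classify every script source a page loads as first-party, allowlisted third-party, or unknown third-party, which also catches lookalike hosts of the kind Cohen Martin warns about. This is an added example, not code from the article, Confiant or The Media Trust; the page URL, script sources, vendor domains and allowlist are constructed placeholders, and it runs under Node.js using the built-in URL class.

```javascript
// Added example (not from the article or any vendor named in it): inventory the
// script sources a retail page loads and flag third-party origins that are not on
// a maintained allowlist. Runs under Node.js with the built-in URL class.

// Constructed sample: script src values as they might be extracted from a
// storefront's HTML. Every domain here is a placeholder, not a real vendor.
const SAMPLE_PAGE_URL = "https://shop.example-retailer.com/deals";
const SAMPLE_SCRIPT_SRCS = [
  "/static/app.js",
  "https://cdn.example-retailer.com/checkout.js",
  "https://tagmanager.example-vendor.com/gtm.js?id=ABC",
  "https://example-retailer.com.lookalike-cdn.net/promo.js",
  "//ads.unknown-network.example/loader.js",
];
const SAMPLE_ALLOWLIST = ["tagmanager.example-vendor.com"];

// Approximates the registrable domain as the last two labels. This is a
// simplification: for multi-label public suffixes (e.g. co.uk) consult a
// public suffix list instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// First-party means the exact registrable domain or a subdomain of it, so a
// host such as "example-retailer.com.lookalike-cdn.net" does not qualify.
function isFirstParty(scriptHost, pageHost) {
  const base = registrableDomain(pageHost);
  return scriptHost === base || scriptHost.endsWith("." + base);
}

// Classify each script URL relative to the page that loads it.
function auditScriptOrigins(pageUrl, scriptSrcs, allowlist) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  const result = { firstParty: [], allowedThirdParty: [], unknownThirdParty: [] };
  for (const src of scriptSrcs) {
    // new URL(src, base) resolves relative and protocol-relative ("//host/...") sources.
    const host = new URL(src, pageUrl).hostname.toLowerCase();
    if (isFirstParty(host, pageHost)) result.firstParty.push(host);
    else if (allowed.has(host)) result.allowedThirdParty.push(host);
    else result.unknownThirdParty.push(host);
  }
  return result;
}

console.log(auditScriptOrigins(SAMPLE_PAGE_URL, SAMPLE_SCRIPT_SRCS, SAMPLE_ALLOWLIST));
```

Anything in unknownThirdParty is a host the site owner has not consciously approved and should be traced back to whichever tag or partner introduced it.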
Security leaders can help protect their employees by integrating a holiday retail scam identification practice into their regular security awareness training program. They can also defend networks by deploying artificial intelligence-enabled software to flag anomalous behaviors that could potentially represent a breach.
Consumers have a choice when visiting e-commerce sites. Although it’s advisable to rely on trusted, reputable brands with strong ratings, cybercriminals are eager to exploit that trust by visually replicating those very brands. Staying cautious and fully aware of your online navigations will help you to remain safe during the holiday season and all year long.