Advertising is the life blood of the internet. Some of the world’s biggest and most influential tech companies earn a large chunk of their revenue through harmless and safe advertisements, but some of the most successful cybercriminals also rely on advertising.
When good ad networks are tricked into delivering malware, it’s known as malvertising. Malvertising is often confused with adware, which is illegitimate software that displays ads and redirects searches to ad sites — neither are what you might call safe advertisements.
The Good News and Bad News About Malvertising
The ad verification company GeoEdge reported last year that automatically redirecting malvertising attacks cost $1.13 billion per year, and that figure is rising. The organization noted that pre-click attacks constitute around half of all malvertising attacks.
Malvertising uses legitimate advertising networks to spread malicious code, often on legitimate websites. The attacks tend to have three stages: First, the attacker needs to fool the advertising network and violate their terms of service without getting caught. Second, they need to create or modify some malware payload that exploits a technical vulnerability. Finally, the attacker’s ad will typically need to socially engineer users into taking actions that compromise their own security and/or that of their organization.
Malvertising takes a very special skillset that most cybercriminals don’t possess. Namely, the attacker has to be extremely skillful at advertising. They must understand the methods, tools and skills required to get people to engage with ads and also know how to bypass security systems.
Malvertisers also have to act quickly. Once they start victimizing a user, the clock is ticking on the victim reporting the attack, the ad network shutting the threat down, and the exploited vulnerabilities being patched. The window of opportunity is often measured in months or even weeks.
This is a different from most malware attacks, where cybercriminals can continue exploiting the long tail of unpatched systems for years. With malvertising, even if vulnerabilities are inconsistently patched, ad networks will shut down the delivery system — that’s the good news.
The bad news is that malvertising campaigns are, by their very nature, almost always brand new.
How to Spot a Malicious Advertising Attack
How can you tell which ads are safe and which may contain threats? Effective malvertising usually offers giveaways or gift cards, which can make people click because they think they’re getting a great deal. And malvertisers have an advantage over legitimate advertisers: They don’t have to actually deliver on the deals they promise, so they can offer fantasy products or amazing deals — anything to get the user to click or visit a site.
Pre-click malvertising attacks, or “drive-by downloads,” don’t even require user action. By simply visiting a website, a user can inadvertently download malware from a malvertising script. Post-click malvertising, on the other hand, tricks the user into clicking on what look like safe advertisements, but the clicking action downloads malware or re-directs the browsing session to a malicious site.
Not all websites are created equal when it comes to the risk of malvertising. Users are far more likely to encounter malvertising on gambling, pornographic, dating or streaming sites or through torrenting. Because malvertising is simply a delivery method for malicious code, the attack itself could manifest as anything from garden-variety malware to more complex viruses or ransomware. Malvertising cybercriminals often go after financial information like credit card data or other banking credentials, but they could also be looking to access an organization’s network.
Recent Malvertising Developments
A major malvertising event hit the news recently after a massive hijacking of more than a billion sessions during a six-week crime spree through August and September. The pre-click malvertising campaign was perpetrated by a threat group called eGobbler, and it redirected victims to sites that were designed to impersonate users’ mobile carriers. In reality, the sites were packed with malicious payloads, and the main objective of the campaign appears to have been stealing credentials.
Another campaign, Ghostcat-3PC, sought to infect web publishers in the U.S. and Europe with malware that hijacked browsing sessions. The campaign quickly evolved its methods and pushed out four different versions of the malware over a period of just a few months.
Malvertising can be extremely lucrative, so expect to see more major attacks like these in the years to come. Fortunately, there are steps users and enterprises can take to help defend against malicious advertising attacks.
How Users Can Protect Against Malvertising
Successfully defending against malvertising requires cooperation between users and security professionals. To that end, here’s what individual users can do:
- Find the “click to play” option on your browser and turn it on. That option turns off automatic downloading and execution of plug-ins. Once this feature is activated, you’ll be asked if you want to download and install a given item every time.
- Use a paid ad-blocker for any personal systems that could be used to access company resources. Paid offerings will likely be more effective than free ones.
- Install a reputable antivirus tool on your device.
- Don’t click on offers that look too good to be true.
- Avoid accessing shady websites, especially on work-connected devices.
How Organizations Can Defend Networks From Malicious Ads
To safeguard against malvertising, organizations should bolster their general defenses against malware and remain watchful for social engineering tactics like phishing attacks. Specifically, companies should do the following:
When it comes to malvertising, we must expect the unexpected. Effective advertising brings results, and that’s why malvertising will remain an effective way of attacking systems. Stay prepared with the right tools and training to protect yourself and your organization from these malicious ads.
I write a popular weekly column for Computerworld, contribute news analysis pieces for Fast Company, and also write special features, columns and think piece...