May 7, 2018 By Kacy Zurkus 3 min read

If you’re an internet user, you’ve almost certainly seen a pop-up ad congratulating you for winning a prize and enticing you to click on a link to claim it. In reality, there’s nothing to celebrate regarding these often malicious ads — it’s likely that the only prize to be claimed is malware. This type of scheme is known as malvertising. For online businesses, these malicious advertisements could put both the company and its customers at risk.

‘Internet Advertising Is Broken’

The domains with which your website connects often retrieve advertisements. What do those ad-delivering networks have to do with the security of business websites? It comes down to analytics, big data and the mechanisms used to generate revenue. In fact, the same techniques that news sites leverage to generate revenue through advertising can result in complex, easily exploitable web applications. These advertisements are often installed through adware, but they can also be created by nefarious actors.

“Internet advertising is broken,” declared The Wall Street Journal. “It abuses users, starves publishers of revenue and creates unprecedented levels of fraud for advertisers.”

A recent survey conducted by Positive Technologies found that 94 percent of online banks have application vulnerabilities that criminals could use to obtain sensitive financial records and personal information. In addition, 87 percent of the 135,000 websites monitored by security firm CyberScanner were found to be vulnerable.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, as quoted in The Register. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Sophisticated attackers can leverage these vulnerabilities to their benefit, but with the widespread availability of cybercrime-as-a-service, an easily accessible and affordable distributed denial-of-service (DDoS) attack can wreak havoc across the internet.

What’s Going on Behind the Scenes?

Legacy systems are a big part of the problem. Detection-based web security technologies don’t always know what to look for because websites are frequently added to and removed from whitelists and blacklists. That leaves businesses largely unaware of and vulnerable to direct attacks and emerging threats. As a result, most businesses don’t know what vulnerabilities they are maintaining on their own sites.

Google recently announced a ban on crypto-mining extensions from the Chrome Web Store in an effort to protect users. While this initiative is admirable, security risks extend beyond the current cryptomining craze. Businesses are creating risks for themselves and others from their own “trusted” sites. While much of security is focused on monitoring and controlling the online behavior of visitors to websites, cybercriminals are weaponizing trust.

A recent report from Menlo Security revealed that while practitioners are closely monitoring behavior and user activity, the greater risk comes from the background sites. The authors noted that “every time a user visits a website, that site calls on an average of 25 background sites for content — say, to fetch the latest viral video from a content delivery server or grab ads to display from an ad-delivery network.” While most antimalware solutions focus on the domains that users click on, they largely ignore these calls to background sites, according to the report.

Mitigating the Threat of Malvertising

Since we are only in the nascent stages of technological advancement, it’s unlikely that malware will kill your website — but it does pose serious security risks.

Chrome’s ScriptSafe is one tool that controls what is loaded when an end user visits a website. Other tools are available to help organizations better control what types of websites employees may access while at work.

But what can online businesses do to mitigate the risks that their own websites are creating through their trusted backdoors? It might sound like a broken record, but website owners need to ensure that their servers are running the latest software updates. To protect against cross-site scripting and reduce the injection of malicious code through “trusted” sites, businesses should leverage content security policy technologies.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today