May 7, 2018 By Kacy Zurkus 3 min read

If you’re an internet user, you’ve almost certainly seen a pop-up ad congratulating you for winning a prize and enticing you to click on a link to claim it. In reality, there’s nothing to celebrate regarding these often malicious ads — it’s likely that the only prize to be claimed is malware. This type of scheme is known as malvertising. For online businesses, these malicious advertisements could put both the company and its customers at risk.

‘Internet Advertising Is Broken’

The domains with which your website connects often retrieve advertisements. What do those ad-delivering networks have to do with the security of business websites? It comes down to analytics, big data and the mechanisms used to generate revenue. In fact, the same techniques that news sites leverage to generate revenue through advertising can result in complex, easily exploitable web applications. These advertisements are often installed through adware, but they can also be created by nefarious actors.

“Internet advertising is broken,” declared The Wall Street Journal. “It abuses users, starves publishers of revenue and creates unprecedented levels of fraud for advertisers.”

A recent survey conducted by Positive Technologies found that 94 percent of online banks have application vulnerabilities that criminals could use to obtain sensitive financial records and personal information. In addition, 87 percent of the 135,000 websites monitored by security firm CyberScanner were found to be vulnerable.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, as quoted in The Register. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Sophisticated attackers can leverage these vulnerabilities to their benefit, but with the widespread availability of cybercrime-as-a-service, an easily accessible and affordable distributed denial-of-service (DDoS) attack can wreak havoc across the internet.

What’s Going on Behind the Scenes?

Legacy systems are a big part of the problem. Detection-based web security technologies don’t always know what to look for because websites are frequently added to and removed from whitelists and blacklists. That leaves businesses largely unaware of and vulnerable to direct attacks and emerging threats. As a result, most businesses don’t know what vulnerabilities they are maintaining on their own sites.

Google recently announced a ban on crypto-mining extensions from the Chrome Web Store in an effort to protect users. While this initiative is admirable, security risks extend beyond the current cryptomining craze. Businesses are creating risks for themselves and others from their own “trusted” sites. While much of security is focused on monitoring and controlling the online behavior of visitors to websites, cybercriminals are weaponizing trust.

A recent report from Menlo Security revealed that while practitioners are closely monitoring behavior and user activity, the greater risk comes from the background sites. The authors noted that “every time a user visits a website, that site calls on an average of 25 background sites for content — say, to fetch the latest viral video from a content delivery server or grab ads to display from an ad-delivery network.” While most antimalware solutions focus on the domains that users click on, they largely ignore these calls to background sites, according to the report.

Mitigating the Threat of Malvertising

Since we are only in the nascent stages of technological advancement, it’s unlikely that malware will kill your website — but it does pose serious security risks.

Chrome’s ScriptSafe is one tool that controls what is loaded when an end user visits a website. Other tools are available to help organizations better control what types of websites employees may access while at work.

But what can online businesses do to mitigate the risks that their own websites are creating through their trusted backdoors? It might sound like a broken record, but website owners need to ensure that their servers are running the latest software updates. To protect against cross-site scripting and reduce the injection of malicious code through “trusted” sites, businesses should leverage content security policy technologies.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today