If you’re an internet user, you’ve almost certainly seen a pop-up ad congratulating you for winning a prize and enticing you to click on a link to claim it. In reality, there’s nothing to celebrate regarding these often malicious ads — it’s likely that the only prize to be claimed is malware. This type of scheme is known as malvertising. For online businesses, these malicious advertisements could put both the company and its customers at risk.

‘Internet Advertising Is Broken’

The domains with which your website connects often retrieve advertisements. What do those ad-delivering networks have to do with the security of business websites? It comes down to analytics, big data and the mechanisms used to generate revenue. In fact, the same techniques that news sites leverage to generate revenue through advertising can result in complex, easily exploitable web applications. These advertisements are often installed through adware, but they can also be created by nefarious actors.

“Internet advertising is broken,” declared The Wall Street Journal. “It abuses users, starves publishers of revenue and creates unprecedented levels of fraud for advertisers.”

A recent survey conducted by Positive Technologies found that 94 percent of online banks have application vulnerabilities that criminals could use to obtain sensitive financial records and personal information. In addition, 87 percent of the 135,000 websites monitored by security firm CyberScanner were found to be vulnerable.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, as quoted in The Register. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Sophisticated attackers can leverage these vulnerabilities to their benefit, but with the widespread availability of cybercrime-as-a-service, an easily accessible and affordable distributed denial-of-service (DDoS) attack can wreak havoc across the internet.

What’s Going on Behind the Scenes?

Legacy systems are a big part of the problem. Detection-based web security technologies don’t always know what to look for because websites are frequently added to and removed from whitelists and blacklists. That leaves businesses largely unaware of and vulnerable to direct attacks and emerging threats. As a result, most businesses don’t know what vulnerabilities they are maintaining on their own sites.

Google recently announced a ban on crypto-mining extensions from the Chrome Web Store in an effort to protect users. While this initiative is admirable, security risks extend beyond the current cryptomining craze. Businesses are creating risks for themselves and others from their own “trusted” sites. While much of security is focused on monitoring and controlling the online behavior of visitors to websites, cybercriminals are weaponizing trust.

A recent report from Menlo Security revealed that while practitioners are closely monitoring behavior and user activity, the greater risk comes from the background sites. The authors noted that “every time a user visits a website, that site calls on an average of 25 background sites for content — say, to fetch the latest viral video from a content delivery server or grab ads to display from an ad-delivery network.” While most antimalware solutions focus on the domains that users click on, they largely ignore these calls to background sites, according to the report.

Mitigating the Threat of Malvertising

Since we are only in the nascent stages of technological advancement, it’s unlikely that malware will kill your website — but it does pose serious security risks.

Chrome’s ScriptSafe is one tool that controls what is loaded when an end user visits a website. Other tools are available to help organizations better control what types of websites employees may access while at work.

But what can online businesses do to mitigate the risks that their own websites are creating through their trusted backdoors? It might sound like a broken record, but website owners need to ensure that their servers are running the latest software updates. To protect against cross-site scripting and reduce the injection of malicious code through “trusted” sites, businesses should leverage content security policy technologies.

More from Data Protection

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read

Understanding the Backdoor Debate in Cybersecurity

3 min read - The debate over whether backdoor encryption should be implemented to aid law enforcement has been contentious for years. On one side of the fence, the proponents of backdoors argue that they could provide valuable intelligence and help law enforcement investigate criminals or prevent terrorist attacks. On the other side, opponents contend they would weaken overall security and create opportunities for malicious actors to exploit. So which side of the argument is correct? As with most debates, the answer isn't so…

3 min read