If Video Killed the Radio, Will Malvertising Kill Your Website?

If you’re an internet user, you’ve almost certainly seen a pop-up ad congratulating you for winning a prize and enticing you to click on a link to claim it. In reality, there’s nothing to celebrate regarding these often malicious ads — it’s likely that the only prize to be claimed is malware. This type of scheme is known as malvertising. For online businesses, these malicious advertisements could put both the company and its customers at risk.

‘Internet Advertising Is Broken’

The domains with which your website connects often retrieve advertisements. What do those ad-delivering networks have to do with the security of business websites? It comes down to analytics, big data and the mechanisms used to generate revenue. In fact, the same techniques that news sites leverage to generate revenue through advertising can result in complex, easily exploitable web applications. These advertisements are often installed through adware, but they can also be created by nefarious actors.

“Internet advertising is broken,” declared The Wall Street Journal. “It abuses users, starves publishers of revenue and creates unprecedented levels of fraud for advertisers.”

A recent survey conducted by Positive Technologies found that 94 percent of online banks have application vulnerabilities that criminals could use to obtain sensitive financial records and personal information. In addition, 87 percent of the 135,000 websites monitored by security firm CyberScanner were found to be vulnerable.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, as quoted in The Register. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Sophisticated attackers can leverage these vulnerabilities to their benefit, but with the widespread availability of cybercrime-as-a-service, an easily accessible and affordable distributed denial-of-service (DDoS) attack can wreak havoc across the internet.

What’s Going on Behind the Scenes?

Legacy systems are a big part of the problem. Detection-based web security technologies don’t always know what to look for because websites are frequently added to and removed from whitelists and blacklists. That leaves businesses largely unaware of and vulnerable to direct attacks and emerging threats. As a result, most businesses don’t know what vulnerabilities they are maintaining on their own sites.

Google recently announced a ban on crypto-mining extensions from the Chrome Web Store in an effort to protect users. While this initiative is admirable, security risks extend beyond the current cryptomining craze. Businesses are creating risks for themselves and others from their own “trusted” sites. While much of security is focused on monitoring and controlling the online behavior of visitors to websites, cybercriminals are weaponizing trust.

A recent report from Menlo Security revealed that while practitioners are closely monitoring behavior and user activity, the greater risk comes from the background sites. The authors noted that “every time a user visits a website, that site calls on an average of 25 background sites for content — say, to fetch the latest viral video from a content delivery server or grab ads to display from an ad-delivery network.” While most antimalware solutions focus on the domains that users click on, they largely ignore these calls to background sites, according to the report.

Mitigating the Threat of Malvertising

Since we are only in the nascent stages of technological advancement, it’s unlikely that malware will kill your website — but it does pose serious security risks.

Chrome’s ScriptSafe is one tool that controls what is loaded when an end user visits a website. Other tools are available to help organizations better control what types of websites employees may access while at work.

But what can online businesses do to mitigate the risks that their own websites are creating through their trusted backdoors? It might sound like a broken record, but website owners need to ensure that their servers are running the latest software updates. To protect against cross-site scripting and reduce the injection of malicious code through “trusted” sites, businesses should leverage content security policy technologies.

Zurkus is an influential writer covering a range of security topics with a focus on mitigating risks to businesses. Her...