If you’re an internet user, you’ve almost certainly seen a pop-up ad congratulating you for winning a prize and enticing you to click on a link to claim it. In reality, there’s nothing to celebrate regarding these often malicious ads — it’s likely that the only prize to be claimed is malware. This type of scheme is known as malvertising. For online businesses, these malicious advertisements could put both the company and its customers at risk.

‘Internet Advertising Is Broken’

The domains with which your website connects often retrieve advertisements. What do those ad-delivering networks have to do with the security of business websites? It comes down to analytics, big data and the mechanisms used to generate revenue. In fact, the same techniques that news sites leverage to generate revenue through advertising can result in complex, easily exploitable web applications. These advertisements are often installed through adware, but they can also be created by nefarious actors.

“Internet advertising is broken,” declared The Wall Street Journal. “It abuses users, starves publishers of revenue and creates unprecedented levels of fraud for advertisers.”

A recent survey conducted by Positive Technologies found that 94 percent of online banks have application vulnerabilities that criminals could use to obtain sensitive financial records and personal information. In addition, 87 percent of the 135,000 websites monitored by security firm CyberScanner were found to be vulnerable.

“Web applications practically have a target painted on their back,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, as quoted in The Register. “A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

Sophisticated attackers can leverage these vulnerabilities to their benefit, but with the widespread availability of cybercrime-as-a-service, an easily accessible and affordable distributed denial-of-service (DDoS) attack can wreak havoc across the internet.

What’s Going on Behind the Scenes?

Legacy systems are a big part of the problem. Detection-based web security technologies don’t always know what to look for because websites are frequently added to and removed from whitelists and blacklists. That leaves businesses largely unaware of and vulnerable to direct attacks and emerging threats. As a result, most businesses don’t know what vulnerabilities they are maintaining on their own sites.

Google recently announced a ban on crypto-mining extensions from the Chrome Web Store in an effort to protect users. While this initiative is admirable, security risks extend beyond the current cryptomining craze. Businesses are creating risks for themselves and others from their own “trusted” sites. While much of security is focused on monitoring and controlling the online behavior of visitors to websites, cybercriminals are weaponizing trust.

A recent report from Menlo Security revealed that while practitioners are closely monitoring behavior and user activity, the greater risk comes from the background sites. The authors noted that “every time a user visits a website, that site calls on an average of 25 background sites for content — say, to fetch the latest viral video from a content delivery server or grab ads to display from an ad-delivery network.” While most antimalware solutions focus on the domains that users click on, they largely ignore these calls to background sites, according to the report.

Mitigating the Threat of Malvertising

Since we are only in the nascent stages of technological advancement, it’s unlikely that malware will kill your website — but it does pose serious security risks.

Chrome’s ScriptSafe is one tool that controls what is loaded when an end user visits a website. Other tools are available to help organizations better control what types of websites employees may access while at work.

But what can online businesses do to mitigate the risks that their own websites are creating through their trusted backdoors? It might sound like a broken record, but website owners need to ensure that their servers are running the latest software updates. To protect against cross-site scripting and reduce the injection of malicious code through “trusted” sites, businesses should leverage content security policy technologies.
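To make the content security policy recommendation concrete, here is a sketch of how a site owner might check a candidate policy against the background requests a page makes. It is an added example, not code from the original article; the policy, hostnames and request list are constructed for illustration.

```javascript
// Added example: which background requests would this CSP block?
// Policy, hostnames and requests are constructed. Matching is simplified:
// ports, paths, nonces, hashes and the frame-src -> child-src fallback are ignored.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources; // first duplicate wins
  }
  return policy;
}
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(source);
  if (!m) return false;
  // A host-source without a scheme is treated as using the page's scheme.
  const want = m[1] ? m[1].toLowerCase() + ':' : new URL(pageOrigin).protocol;
  if (url.protocol !== want) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}
// Returns the URLs the policy would refuse to load.
function auditRequests(cspHeader, pageOrigin, requests) {
  const policy = parseCsp(cspHeader);
  return requests.filter(({ directive, url }) => {
    const sources = policy[directive] || policy['default-src'];
    if (!sources) return false; // no applicable directive: not restricted
    return !sources.some((s) => sourceMatches(s, new URL(url), pageOrigin));
  }).map((r) => r.url);
}

const PAGE = 'https://shop.example';
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.net; " +
  "img-src 'self' https://*.adnetwork.example; frame-src 'none'";
const REQUESTS = [ // constructed sample of one page load's background calls
  { directive: 'script-src', url: 'https://shop.example/app.js' },
  { directive: 'script-src', url: 'https://cdn.example.net/lib.js' },
  { directive: 'script-src', url: 'https://tracker.badads.example/t.js' },
  { directive: 'img-src', url: 'https://img.adnetwork.example/banner.png' },
  { directive: 'img-src', url: 'http://img.adnetwork.example/banner.png' },
  { directive: 'frame-src', url: 'https://promo.adnetwork.example/prize.html' },
  { directive: 'font-src', url: 'https://fonts.example.org/a.woff2' },
];
console.log(auditRequests(POLICY, PAGE, REQUESTS));
```

Sending the same policy in a `Content-Security-Policy-Report-Only` header first lets a site observe what would be blocked before enforcing it.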
