What’s worse than a malvertising campaign? One that hides in plain sight and manages to target more than 1 million users each day.

According to The Inquirer, collaboration between security firms Trend Micro and Proofpoint has largely turfed the malvertising campaign known as AdGholas. Still, it’s worth taking a look at some of its finer points, such as the potential impact for enterprises as malvertising goes mainstream.

Out of Sight, Into Networks

As noted by Softpedia, security professionals first discovered AdGholas back in October 2015 when they were investigating two less sophisticated threats called GooNky and VirtualDonna.

Security pros discovered the malvertising campaign was displaying its malicious advertisements on legitimate sites, such as The New York Times, The Verge, PC Mag and Ars Technica, through 22 different ad networks. It was also filtering victim machines to ensure it only infected those that matched specific criteria.

For example, the malware was designed to discriminate against users who might be security researchers. It did so by using information disclosure bugs to discover information about a user’s system when he or she clicked on an infected ad.

Ideal Targets for a Malvertising Campaign

Users who had what the attackers wanted — OEM logos such as Lenovo, Dell or HP on their PC system pages along with Nvidia or ATI drivers installed — were redirected and infected by Angler or Neutrino exploit kits.

Those with customized or aftermarket machines, meanwhile, were steered away from malicious landing pages. The goal: Infect average, nontechnical users who might not recognize the signs of system compromise.

According to SC Magazine, this malvertising campaign also leveraged the highly advanced technique of stenography to hide malicious code in ad images themselves, making it even more difficult for security firms to track down infected sites and ad networks.

No surprise, then, that the attack was hitting more than 1 million client machines per day at its height, infecting 10 to 20 percent of those based on system information. All in all, a big success for the bad guys.

The End User Explosion

While AdGholas fell apart after security companies got wise and warned ad networks, there’s a critical warning here for enterprises: End users are a huge risk. Why? Because nine times out of 10, they have exactly what mega malvertising efforts are looking for: stock PCs that contain a number of key infection points.

Better still, there are thousands connected to the same IP address, which suggests entire departments outfitted with easily compromised desktops that are used by employees who depend on IT experts to ensure their devices remain safe and secure. With staff regularly surfing legitimate websites for both personal and professional use — sites compromised by the likes of AdGholas — 1 million marks per day starts to look conservative.

Divide and Conquer

As noted by TechRepublic, malvertising defense isn’t impossible. The combination of updated PCs, decent ad blockers and anti-exploit programs can significantly reduce the chance of corporate compromise.

It’s also worth taking things a step further. With crooks now targeting stock machines that enterprises purchase by the truckload, even small tweaks to these PCs can weed them out of ideal candidate pools and instead make them potential threats to mega malvertisers.

With a combination of solid end user analytics and responsive IT, enterprises can divide and conquer the potential of malicious ad campaigns.

More from

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…