If you haven’t already heard of malvertising, it’s one of the latest portmanteaus you’ll hear more about in 2019. Malvertising, or malicious advertising, is a type of online attack in which threat actors hide malicious code within an advertisement as a means to infect systems with malware. It works like any other type of malware, but can be found in ads across the internet — even legitimate websites such as The New York Times and BBC.

While these attacks have been around for several years, the rate at which they’re increasing is escalating, and the threat to the enterprise is getting more challenging to diagnose.

Frank Downs, director of cybersecurity practices at the Information Systems Audit and Control Association (ISACA), recognizes malvertising as the natural evolution of malware in today’s world of higher security.

“Leveraging traditional advertising capabilities, it makes it much easier for a malicious actor to seem legitimate,” he said.

Whether you’re at home, on a mobile device or sitting at your desktop at work, discerning which ads contain malware is difficult — especially compared to attacks such as phishing, where malicious messaging may be easier to detect.

So what can be done to educate both end users and IT decision-makers? Do workable strategies to defend against malvertising exist?

Ad-Blocking Software: The Ups and Downs of the Tried and True

While it’s easy to become discouraged given the perniciously stealthy nature of malvertising, it’s important to remember that ad-blocking software can handle a great deal of these threats by ensuring that most ads are never even presented to the user.

“Solutions exist which range from simple browser plugins, such as AdBlock Plus, to advanced traffic filtering tools,” said Downs.

He went on to single out an open-source, community-led initiative that’s gained some traction among cyber enthusiasts: Pi-hole.

“These devices are cheap, easily configured, community-developed systems which run on small Raspberry Pi devices. They block over 100,000 advertising domains and have gained an avid following online, making them more effective every day,” Downs explained.

However, Pi-hole isn’t for everyone. Most enterprises only need to deploy ad-blocking software and stop users from disabling it. If a valid use case requires a user to access a specific website, the security team should be alerted so they can determine the next course of action. The downside with this option is that it’s cumbersome and not user-friendly, resulting in users calling support teams to complain about how their workflow is negatively impacted.

“The reality is, no amount of user training is going to stop the problem. Enterprise CXOs have enough to concern themselves with,” said Sherban Naum, senior vice president of corporate strategy and technology for Bromium. “Malvertising is a pain that can be easily remedied by isolating the entire session, allowing a user the freedom to surf the web without the risk of compromise.”

Naum said he is seeing more customers taking the isolation route to remove the user from the decision tree when it comes to real-time runtime security.

Where Does the Buck Stop?

This is all practical for the well-informed enterprise, but end-user awareness is critical as malvertising proliferates. As it stands, users generally lack understanding of how ads and malware work together.

While it’s easy to place the onus on ad-blocking software providers, the issue is surrounded by complexity and extends beyond ad blockers. Because legitimate webpages benefit financially from ads, they’re asking users to disable ad blockers to access their site.

“The practice of asking users to disable a security product for their own benefit is troubling,” said Naum. “Ad blocker companies are doing the right thing to block ads, but users are left with making a decision to either maintain the ad blocker or disable it, as most see legitimate, well-known categorized websites as safe.”

What users may not be aware of is that these large sites are fed by hundreds of random servers that aren’t under the control of the top-level domain provider. This leaves users, employees and consumers as the final security decision-makers, which is anything but optimal.

“What would help is if large sites didn’t prompt users to disable security tools but rather let the visitor access the site and focus more on delivering their service than earning revenue on ads,” Naum said.

Return to Security Best Practices to Deal With Malvertising

That’s obviously easier said than done. If the threat of malvertising shows no signs of slowing down, sites that run ads may face the unfortunate dilemma of having to choose between revenue or keeping visitors safe. Until that happens, it’s our responsibility to be informed and do what we can.

To accomplish this, we must come to terms with the fact that we can’t stop the unknown or trust systems that are entirely out of our control. Further, enterprises must stop relying on legacy architectures and systems to identify attacks.

“Once you have accepted that you need to isolate the untrusted, then happy clicking on malware isn’t an issue and cybercrime is less effective,” said Naum. “However, perhaps the best way of looking at this holistically is that there will always be cybercrime and the enterprise needs to focus on what they are doing to ensure their users are not a victim.”

Malvertising is one more threat that will keep your IT decision-makers up at night, but any company with a protection-first mindset should be able to remain ahead of the curve. Security awareness training for the user may yield limited results in stopping this threat, but in cases like this, a security-minded C-suite will always be ahead of the game.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…