Published on November 2nd, 2015 | by Tony Thompson
As traditional advertising goes the way of the dinosaurs, online ads and video ads are becoming the way that advertisers get our attention. Consumer marketing specialists Groupon Works have shown that video ads will receive 57% of consumer Internet traffic and Zenith Optimedia in their Advertising Expenditure Forecasts has stated that the digital ad market will overtake the traditional TV ad market by 2020. And this is borne out by the fact that you can’t go anywhere online without being bombarded by ads or video ads. And video ads can even be set to auto-play now, so there is literally no escape.
The ubiquitous nature of online ads has not been lost on cybercriminals. We are now seeing malware distributed using online ads and video ads as its vector. This new kid on the cybercrime block is known as ‘malvertising’, or malicious advertising, and it is proving effective in the current threat landscape. At a recent BlackHat conference, the success rate of malverts was demonstrated by RiskIQ, who pointed to a 260% increase in the use of malvertising in the first two quarters of 2015. Such an effective vector will only continue to be used more and more in the world of cybercrime.
The Why, Wherefore and How of Malvertising
Before we begin, I should mention that malvertising uses legitimate ad placements. We aren’t talking about spoof ads that are pushed out to unsuspecting sites or hosted on spoof websites. Malverts are ads served up by trusted third-party advertising platforms, often representing very well-known brands. One such brand was Hugo Boss, whose ad was placed across a number of well-known web portals, such as the Huffington Post. The Hugo Boss ad served on the huffingtonpost.com news portal contained a type of malware known as ransomware (more on this later) and had the potential to infect millions of visitors to the Huffington Post site.
Malicious ads work in one of two ways. Either they infect you directly with malware, or they take you to a spoof site, usually running an ‘exploit kit’ which then infects you with malware.
One of the big problems with malvertising-based threats is that they are remotely controlled and can be switched off and on again, at will, using a command and control center. This makes it really difficult to detect malverts or trace their origin.
Another major issue is that these ads are usually served up through third-party ad networks, which handle massive numbers of ads. These networks are legitimate networks and form the hub of the online advertising process. If a network becomes infected, it can potentially serve up multiple millions of malicious ads across hundreds, even thousands, of legitimate and trusted websites. One such case was the infection of Google’s DoubleClick ad network in late 2014. The Google DoubleClick ad network has a potentially massive reach and is used by world-renowned brands like L’Oreal and Citibank. During the malware attack, Google had to remove 350 million ‘bad ads’ from their network.
One of the most worrying aspects of this particular malvertising threat was that it was seamless, i.e. a user didn’t need to click on an ad to be redirected to an exploit kit known as ‘Angler’, which then infected the user with ransomware. Ransomware is a sinister form of malware which encrypts the content of your hard drive, and even network data and cloud-stored data too. Once the data is encrypted, the malware pops up a screen telling you that unless you pay (up to) $1000 in bitcoins within 7 days you’ll lose your data.
Most malicious ads use a combination of trust in the brands the ads represent and known exploits to infect website visitors with malware. Ads (and other images from third parties) are a convenient way of initiating a Cross-Site Scripting or XSS attack against a user. XSS attacks are one of the most prevalent attack vectors out there – number three on the OWASP Top Ten list of web application risks. An XSS attack will exploit vulnerabilities in common software applications such as content management system plug-ins, browsers and Adobe Flash. In fact, it was a software vulnerability in Adobe Flash that was behind a major malvertising campaign waged against Yahoo’s ad network earlier this year.
How to Protect Against Malvertising
There are a few ways that the impact of malvertising can be minimized.
The first is remembering to patch software applications. Keeping all applications updated is part of a general security strategy that really does help to minimize the impact of all malware, not just malvertising.
Security monitoring and discovery is another essential component of a general security strategy, and one that can deal with the methodologies used by malvertising. Threat identification can ensure that an employee navigating to a malware-ridden website won’t end up opening up your whole network to the problem.
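The redirect chain described above (publisher page, then third-party ad network, then a silent hop to an exploit-kit host serving a Flash object) leaves a recognisable trail in web-proxy logs, and that trail is what the monitoring recommended here can key on. The following is an added example, not code from the original post or from any of the vendors it names. It assumes a simplified proxy log format (timestamp, client, method, URL, status, content type, referer), an organisation-maintained allowlist of known ad-network domains, and constructed sample log lines; every hostname in it is a placeholder.

```python
"""
Added example: flag a malvertising-style redirect chain in proxy logs.

Heuristic: starting from the first request a client makes to a known ad
network (the hop out of the publisher page), follow the referer chain
forward for a short window. If it ends in a risky download (Flash object or
native executable) from a host that is neither the publisher nor a known
ad network, raise an alert. No click is required for this chain, which
matches the "seamless" infections described in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: the organisation keeps an allowlist of ad networks its users'
# publishers are known to use. Placeholder domains only.
KNOWN_AD_NETWORKS = {"ads.adnetwork-a.example", "cdn.adnetwork-a.example"}

# Content types an ad creative should never hand the browser from an
# unknown host: Flash objects and native executables.
RISKY_CONTENT_TYPES = {
    "application/x-shockwave-flash",
    "application/x-msdownload",
    "application/octet-stream",
}

# All hops of one chain must occur within this window.
CHAIN_WINDOW = timedelta(seconds=10)

# Constructed sample log (not real traffic):
# time client method url status content-type referer
SAMPLE_LOG = """\
2015-10-28T09:14:01 10.0.0.5 GET http://news.publisher.example/story 200 text/html -
2015-10-28T09:14:02 10.0.0.5 GET http://ads.adnetwork-a.example/serve?id=42 200 text/javascript http://news.publisher.example/story
2015-10-28T09:14:03 10.0.0.5 GET http://cdn.adnetwork-a.example/creative.js 302 - http://ads.adnetwork-a.example/serve?id=42
2015-10-28T09:14:04 10.0.0.5 GET http://landing.unknown-host.example/gate.php 200 text/html http://cdn.adnetwork-a.example/creative.js
2015-10-28T09:14:05 10.0.0.5 GET http://landing.unknown-host.example/ex.swf 200 application/x-shockwave-flash http://landing.unknown-host.example/gate.php
2015-10-28T09:20:00 10.0.0.9 GET http://news.publisher.example/story 200 text/html -
2015-10-28T09:20:01 10.0.0.9 GET http://ads.adnetwork-a.example/serve?id=42 200 text/javascript http://news.publisher.example/story
2015-10-28T09:20:02 10.0.0.9 GET http://cdn.adnetwork-a.example/banner.jpg 200 image/jpeg http://ads.adnetwork-a.example/serve?id=42
"""


def parse_log(text):
    """Turn the simplified log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, referer = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype,
            "referer_host": urlparse(referer).hostname if referer != "-" else None,
        })
    return events


def find_malvertising_chains(events):
    """Return one alert per client whose ad request led, via the referer
    chain, to a risky download from an off-network host."""
    alerts = []
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, ad_req in enumerate(evs):
            # Only start a chain at the hop out of the publisher page, so a
            # multi-host ad network does not produce duplicate alerts.
            if (ad_req["host"] not in KNOWN_AD_NETWORKS
                    or ad_req["referer_host"] in KNOWN_AD_NETWORKS):
                continue
            publisher = ad_req["referer_host"]
            chain_hosts = {ad_req["host"]}
            chain_urls = [ad_req["url"]]
            for nxt in evs[i + 1:]:
                if nxt["time"] - ad_req["time"] > CHAIN_WINDOW:
                    break
                if nxt["referer_host"] not in chain_hosts:
                    continue  # unrelated request, not part of this chain
                chain_hosts.add(nxt["host"])
                chain_urls.append(nxt["url"])
                off_network = (nxt["host"] not in KNOWN_AD_NETWORKS
                               and nxt["host"] != publisher)
                if off_network and nxt["ctype"] in RISKY_CONTENT_TYPES:
                    alerts.append({
                        "client": client,
                        "publisher": publisher,
                        "ad_network": ad_req["host"],
                        "payload_host": nxt["host"],
                        "payload_url": nxt["url"],
                        "content_type": nxt["ctype"],
                        "chain": chain_urls,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_malvertising_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['client']}: {alert['publisher']} -> "
              f"{alert['ad_network']} -> {alert['payload_host']} "
              f"({alert['content_type']})")
        for hop in alert["chain"]:
            print("   ", hop)
```

Run against the constructed sample, client 10.0.0.5 produces one alert (publisher, ad network, then a Flash object from an unlisted host within seconds), while 10.0.0.9, who received an ordinary image banner from the same ad network, produces none. The referer walk is what distinguishes the two: a simple "downloaded a .swf" rule would miss the chain's origin, and a simple "visited an ad network" rule would page on every user. In practice the allowlist and the content-type set are the tuning points, and the alert's `chain` field gives the analyst the hops needed to confirm or dismiss it.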
As security threats evolve and cybercriminals take advantage of new vectors, being watchful and identifying security problems early on is the way forward in security operations. We can no longer sit back and let endpoint solutions do the work for us; modern cyber security management calls for a holistic and watchful approach.