Malvertising: What is it and why are you at risk?

June 3, 2018

Sinister advertisements are invading the web, turning the sites you trust into unsafe havens for data mining, masquerading as harmless JavaScript. Some are calling it malvertising, and it lurks in those ads plastered all over the sites you read every day, blending into the web landscape with no visible indication that it carries malware that attacks your data. And it is targeted right at you. Your favorite sites have become unwitting hosts to nefarious malware that can hold your data hostage.

The scary thing about this new ominous cyber-attack is that it is one of the most clandestine efforts yet. We’re used to seeing ads and chances are we just ignore them, but in the case of malvertising, that may not be enough. Malicious software embedded in ads displayed over a network can attack vulnerable plug-ins in your browser without your engagement. So what can you do to stop these poisonous lookalikes of the ads you love to click or ignore? It starts by knowing the enemy.

Malvertising: How does it work?
Cyber criminals use real-time ad bidding to serve insidious Flash or JavaScript to website visitors. They buy space on the ad networks just the same as legitimate businesses, except the company they use in the bidding process is nominal, a front that disappears by the onset of their next malicious campaign. The ad networks have become increasingly sophisticated at behavioral profiling, enabling savvy marketers to target their ideal audience by topics and interests, web browsing footprint, demographics, geography, and search-term context. Advertisers use these targeting parameters to serve their ads to the population most likely to use their products and services. Legitimate advertisers use targeting to maximize return on their marketing investment by omitting those whose characteristics do not match their customer base.

Malvertisers use targeting for a much more insidious purpose: they aim at victims they deem to have high value. While a custom home builder may target doctors in upscale suburbs searching for “new construction houses” as that fits the profile of someone likely to purchase one of their luxury properties, a cyber-criminal may target the same group because they will be able to pay a higher price for their ransomed data.

Malvertisements are generally served in one of two manners. In the first method, the malicious ad serves as click-bait. The ad itself is clean, just a harmless piece of animation. However, clicking it drives victims to an insidious landing page where the malicious code resides, infecting the user’s computer with ransomware, backdoor Trojans, or other forms of malware. Within a couple of days, the landing page has disappeared, erasing the criminal’s trail from the web.

The aforementioned process requires that victims venture into the shady regions of the web, to sites only known from a 250-pixel square of animation that obscures the URL. It capitalizes on our willingness to engage in risky cyber behavior. We wouldn’t just enter the dark boiler room in an abandoned prison because some flashing sign outside promised to reveal which celebrities had plastic surgery. But we’re all too willing to do so online, because it’s just our data that will get held for ransom or divided up amongst a group of data predators. Though we’re still victims, there is a level of complicity.

That’s why the second method is so dastardly. In this malvertising scheme, it’s the ad itself that is infected. As it sits on the page for you to ignore as a flashy fixture in the crowded internet landscape, it invades your browser and plug-ins, using them as safe passage to your essential information. You don’t have to click; you just have to visit your favorite sites to fall victim to these malicious Java applets and Flash objects lurking in the margins. Under the cover of “loading”, they search for vulnerable plug-ins and silently install the malware.

Malvertising: How do you protect your organization?
You can’t just blacklist legitimate websites that may find themselves unwitting hosts of these fraudulent ads. So, how do you protect your company from the invasion of the ad space snatchers?

Update browser settings to require click-to-play plug-ins: This browser feature requires that you click a play button before an ad or video can run. Depending on which browser you use, the procedure within the browser settings will differ. As almost all malvertisements use Flash or Java, disabling these plug-ins is an effective means of protection.

Install anti-exploit software: These programs block the techniques used by cyber criminals, providing an additional layer of browser security for your organization.

Purge unused plug-ins: If you don’t use them, they are just a layer of vulnerability that you don’t need. Since it may be difficult for most users to even ascertain which plug-ins they need, enterprise-wide education and a subsequent audit may be necessary.

Update plug-ins and browsers: These updates address known security flaws. Keeping your browser and plug-ins updated will cut down on the vulnerabilities an infected ad can exploit.

Disaster recovery: Make sure your organization has a DR strategy in place that can recover data in the event of a data disaster, such as an attack with ransomware, backdoor Trojans, or other forms of malware.
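For the click-to-play and plug-in steps above, here is an added example (not from the original post) that applies the setting centrally for Google Chrome on Windows through the Chrome policy registry keys. It assumes Chrome reads policy from HKLM\SOFTWARE\Policies\Google\Chrome on the host and that DefaultPluginsSetting takes Chrome's content-setting values (1 = allow, 2 = block, 3 = click to play), which is how Flash-era Chrome interpreted it; the function names are mine.

```powershell
# Added example, not the article's own code: enforce click-to-play (or an
# outright block) for browser plug-ins in Google Chrome on Windows.
# Assumption: Chrome honours the policy key below and DefaultPluginsSetting
# uses the content-setting values 1 = allow, 2 = block, 3 = click to play.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromePluginPolicy {
    # $Setting: 3 = click to play (the article's recommendation), 2 = block all plug-ins
    param([ValidateSet(2, 3)] [int] $Setting = 3)

    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'DefaultPluginsSetting' `
        -PropertyType DWord -Value $Setting -Force | Out-Null
}

function Test-ChromePluginPolicy {
    # Returns $true only when the policy exists and is NOT the permissive "allow" value
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $value = $props.DefaultPluginsSetting
    return ($value -eq 2 -or $value -eq 3)
}

# Apply click-to-play, then verify the value actually landed in the registry
Set-ChromePluginPolicy -Setting 3
if (Test-ChromePluginPolicy) {
    Write-Output 'Chrome plug-ins now require a click to run (policy applied).'
} else {
    Write-Output 'Policy not applied; the script must run from an elevated (Administrator) shell.'
}
```

Run it from an elevated shell; Chrome picks the policy up on its next start, and it is visible to users on the chrome://policy page.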

Ad purchasing does not operate under the disciplines of rigorous cyber security. Until ad networks implement procedures to verify the legitimacy of each buyer, malvertising will keep infiltrating innocent websites. Cyber criminals will continue to capitalize on users’ trust in websites and general ignorance of web security. It’s up to you as the enterprise IT professional to make employees understand the risk that unsafe web browsing poses to the organization.