Malvertising: What You Need to Know

Malvertising: What You Need to Know

malvertising ThumbCybercriminals use many techniques to compromise systems and networks. Some use phishing emails that contain malicious attachments. Others abuse protocols like RDP to access vulnerable systems. And then there are those who leverage online banner ads to prey upon unsuspecting users. How does this last form of attack work? Is there anything that organizations can do to counter it?

This article explores how malvertising works and identifies key defense strategies for businesses.

What Is Malvertising and How Does It Work?

A portmanteau of “malicious advertising,” malvertising refers to criminals using web advertisements under their control to infect users’ systems. These ads don’t usually give themselves away as malicious to the ordinary web user. They look like any other ad. Per Malwarebytes Labs, the malicious ads also don’t appear just on shady websites to which users are infrequent visitors. More often than not, criminals place these ads on well-known websites to maximize their exposure and prey on visitors’ trust that the website will be safe.

Malvertising attacks are possible because of the way online advertising works. Large websites, which are prime targets of malvertising, rely on third-party vendors and software to schedule, display, and track response to their ads. These external specialists re-sell advertising space and provide potential advertisers with software through which they can upload their ads. Advertisers must bid and win the right to display their ads to a certain number of people, but those costs for criminals have historically been quite low.

To their credit, third-party vendors are aware of criminals submitting ads, and they do try to filter out malicious ads. But criminals are aware of these methods and so design the ads to avoid detection. They also sometimes spend time cultivating a good reputation among third-party vendors that they can later leverage it to distribute malicious advertising campaigns.

By abusing the software provided by the large websites and sold by third-party vendors, criminals can conceal code within an otherwise normal advertisement and upload it for dissemination on a scale that matches their investment.

As noted by Trend Micro, that advertisement can ensnare a user via one or two ways. In the first scenario, the ad appears as a pop-up or alert in order to trick users into installing malware on their computers. For the second scenario, the attackers leverage drive-by download techniques to automatically expose a user to the ad’s malicious content whenever the hosting web page loads.

Either method usually redirects the user to a server controlled by the attackers and exposes him or her to an exploit kit. That software package then scans the user’s computer for known vulnerabilities for which it has exploit code. Assuming it finds a weakness, it exploits the code to download info-stealing malware or ransomware onto the victim’s computer.

Malvertising doesn’t just affect users, either. Businesses on whose websites the ads are running also lose out because victims of malvertising are likely to associate an infection not with a compromised ad or the hosting ad network but the particular website from which they were infected. Such a perception can diminish the reputation of the website owner and degrade its business. At the same time, the Wall Street Journal found that malvertising costs the advertising industry $1.1 billion to investigate and remove offending ads.

The infection chain described above works because of certain weaknesses built into the online advertising community. The Center for Internet Security explains that because large websites rely on advertising networks consisting of ad resellers, it’s difficult if not impossible to thoroughly analyze each ad. Even then, most ads won’t receive too much scrutiny unless someone has filed a complaint against it. Additionally, many websites use dynamic advertising where ads are constantly changing. This property makes it difficult for security researchers to pinpoint a particular ad as malicious.

Malvertising: Then and Now

Attackers have been using malvertising for at least 10 years. As reported by Fast Company, the first documented attack campaign occurred in 2007/2008 when bad actors abused an Adobe Flash campaign to target visitors to MySpace, Excite, and Rhapsody. Some users who visited The New York Times website fell victim about a year after that. Malvertising picked up considerably in the years that followed, with Cyphort detecting a 325 percent increase between June 2014 and February of this year. This digital threat sustained its momentum thereafter, affecting a wide range of websites from The Huffington Post and Yahoo! to adult content publishers. Security firm Invincea even found evidence that bad actors had used malvertising to conduct a digital espionage campaign against three military-industrial companies in that span of time.

Malvertising continues to evolve to this day. Part of this innovation has to do with how attackers bring users to servers under their control. According to Confiant, a threat actor known as the Zirconium Group perpetrated what was arguably the biggest malvertising campaign in 2017 when they bought an estimated one billion ads throughout the year. By that time, the prevalence of exploit kits was in decline, so Zirconium designed its malicious ads with forced redirects that brought users to websites hosting fraudulent schemes or malware. Overall, Confiant believes that this single campaign was present on 62 percent of ad-monetized websites each week.

Malvertising actors have also begun incorporating new payloads into their campaigns. For instance, Trend Micro researchers observed pages with malicious ads containing embedded scripts for Coinhive along with another cryptocurrency miner in January 2018. This campaign, in part, contributed to a 285 percent increase in the number of Coinhive miners observed by Trend Micro on January 24.

Later in 2018, Check Point discovered a malvertising campaign leveraging thousands of compromised WordPress websites to redirect victims to IP address 134.249.116.78, otherwise known as ‘Master134.’ This IP address, in turn, redirected its traffic to hibids10[.]com, a domain that belongs to the AdsTerra ad network and is sold to advertising resellers.

The security firm found something troubling about this particular infection campaign:

… Although we would like to believe that the Resellers that purchase Master134’s ad space from AdsTerra are acting in good faith, unaware of Master134’s malicious intentions, an examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cyber criminals, and thus enables the infection chain to be completed. In short, it seems threat actors seeking traffic for their campaigns simply buy ad space from Master134 via several Ad-Networks and, in turn, Master134 indirectly sells traffic/victims, to these campaigns via malvertising.

Ultimately, Check Point believes that AdsTerra must have turned a blind eye to the operation either by choice in order to maximize financial gain or unknowingly due to a lack of adequate verification technology.

How to Defend Against Malvertising

Check Point’s findings lead directly into how malvertising can be stopped. Advertising networks can tackle the problem head-on with better ad scanning and the imposition of greater barriers for advertisers to submit online bids. In the meantime, organizations can defend themselves by looking for suspicious redirects, iframes, and other code in advertisements hosted on their websites. This process, however, can take up a lot of time and effort if done manually, especially if organizations are dealing with numerous ads on their sites.

In addition, security teams must operate on the assumption that some attacks will get through despite whatever attempts are made to block malvertising or the threats downloaded through this technique. Accordingly, they should implement network traffic analysis technology that can identify suspicious activity that results from malware installed by malvertising. If they can’t block it from entering their organization’s network, they should make sure they can detect resulting network traffic before it completes is assigned malicious task.

Bert Rankin

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.
Bert Rankin