Online advertising that pushes malicious software to consumers has increased 325 percent over the past year, Cyphort Labs reported Tuesday.
Malvertising is adding to what is already a significant problem for online advertisers.
Ad fraud will cost global advertisers more than US$6 billion this year, according to the Association of National Advertisers.
Although malicious advertising first appeared on the scene a scant eight years ago, the expanding breadth of online advertising has led to an explosion in its criminal exploitation, the Cyphort report notes.
“If the ad networks don’t control this, then there will be a backlash that will turn into lost revenue,” said David Thompson, senior director of product management at LightCyber.
Malvertising is a hacker magnet, said Ben Johnson, chief security strategist with Bit9 + Carbon Black.
“With very little effort on the attacker’s side, you can get a large number of prospective victims,” he told the E-Commerce Times. “It’s very lucrative and it works. Things that work without a lot of effort are naturally going to be incredibly popular with the bad guys.”
Cybercriminals know a good thing when they see it.
“As with any enterprise, success brings further investment,” said Mark Parker, a senior product manager with iSheriff.
“So, as previous malvertising attacks have seen success, we are now seeing cybercriminals double down on their investments,” he told the E-Commerce Times. They are “innovating to thwart attempts by the advertising networks to detect their infiltrations.”
How It Works
Malvertising campaigns are launched through deceptive advertisers or agencies running ads, or through compromises to the ad supply chain, which includes ad networks, ad exchanges and ad servers, the Cyphort report notes. That results in websites or Web publishers unknowingly incorporating corrupted or malicious advertisements into pages on their sites.
A fake Flash file download automatically redirects users who land on an infected site’s main page to the malware.
“Flash is scary, because it embeds sophisticated logic into the ad, which manipulates your browser as the ad is displayed,” says the Cyphort report.
Attackers can set ads to strike only at particular times and geographies. They can delay a malicious ad until after an ad network examines and approves it, for example, or until the holidays, when Web traffic is high and advertising staffs thin.
Flash delivery of malware is popular with attackers, because placing an ad is easier and requires less effort than finding a vulnerability in a site’s software, according to the Cyphort report.
Very often, attackers will place clean advertisements on trustworthy sites in order to gain a good reputation. They will then insert malicious code or spyware behind the ad for a limited period of time, removing the code once an infection has been launched.
Attackers can trick networks using armored malverts — that is, ads that appear legitimate but can infect users nonetheless, the report notes.
Consumers are the most direct victims of malvertising, as the simple act of clicking on a malicious ad — or in some cases, simply going to a frequently visited site — is enough to infect their computers and files.
However, advertisers and content providers also may suffer consequences, such as lost revenue and besmirched reputations.
“If a user is infected, chances are he or she will have second thoughts about returning to the site,” the report points out.
Legit Sites Targeted
What’s particularly insidious about malvertising is that it can appear anywhere on the Internet — not just in some virtual back alley.
“Attackers have increasingly been targeting news and media websites because it’s a way to avoid blacklists and Web filters,” said Rahul Kashyap, chief security architect at Bromium.
“If you have malware in an ad at a place like CNN or NBC, nobody would expect malware to be there, and you cannot block that site to your users,” he told the E-Commerce Times. “From an attacker’s point of view, this is a sweet spot.”
Making matters worse, it is very difficult for a content provider to police the ads that are served up on a page.
“These ads are issued programmatically, so the person whose page you’re going to doesn’t really have any opportunity to review ads, or understand them, or clean them,” LightCyber’s Thompson told the E-Commerce Times.
It’s also difficult for advertising networks — especially those that use real-time bidding — to combat malvertising. Real-time bidding allows advertisers to bid in real time to show an ad on a page.
“You can wait until the very last second to bid and have the ad shown. Because it’s so fast, it’s difficult for the advertising companies to vet the ad content,” said Jean-Philippe Taggart, a senior security researcher at Malwarebytes.
“We’re seeing a lot of advertising networks that are either unwillingly being roped into pushing malware or, in some cases, turning a blind eye to it,” he told the E-Commerce Times.
As difficult as it is to control malvertising, some advertising networks have been up to the task.
One network took the bold move of tightening up its business relationships, noted Pat Belcher, director of security analytics at Invincea.
“They decided not to allow open registrations from just anybody signing up to deliver ads,” he told the E-Commerce Times.
The network also began to vet its customers to make sure they were legitimate.
What’s more, they began to demand a $5,000 monthly minimum ad buy, Belcher said. “That scared off malvertisers, because those guys are about making money, not spending money.”