The cybercriminal is a trickster. They like to find new and novel ways of infecting our computers, to stay one step ahead of the game at all times. The Internet has afforded the cybercriminal all sorts of opportunities to wreak havoc and now they are taking advantage of the Internet yet again, this time in the form of ads run across sites of all types. This type of attack vector is known as ‘malvertising’.
Why Choose Ads as a Vector?
Malvertising isn’t particularly new. The first ‘in-the-wild’ example of an ad carrying malware was around 2007. But it has only been in the last two years that malvertising has really taken off, with a reported 325% increase in malicious ads according to a study by Cyphort.
One of the reasons for this increase is likely the massive shift of marketing budgets from traditional channels to online advertising. Online ads are everywhere. In 2015 digital advertising took almost 35% of the total marketing spend, which topped out at around $590 billion; a lot of effort and money is going into building a brand presence online, and we are all used to seeing online ads and videos. It is a natural move for cybercriminals to take advantage of this massive network to distribute malware.
How Does Malware Get into the Ad Network?
One of the reasons that malvertising is such a dangerous and successful form of cyber-attack is down to the way it gets into the ad network. Ads are usually placed onto websites through a centralized bidding system. Companies like Google AdSense and MediaNet reach many hundreds of millions of users across the globe. An advertiser uses these central systems to serve up their ad onto the relevant websites, on their behalf. The hacker can use this same ad distribution service to get their malware directly in front of multiple millions of victims.
Malvertising is successful because it uses legitimate ads, served from legitimate ad networks, on legitimate websites. It all looks perfectly normal, until you get infected. The most common method of getting malware into the ad network is to first place a legitimate ad through the network. The ad network checks the ad, which at that point is malware free, and so it is passed out across the websites associated with the service. The cybercriminals can then remotely update the ad to inject the malware. The same process can be used to disinfect the ad again, which makes tracing the cybercriminals very difficult.
How Do You Get Infected With Malware From An Online Ad?
Once the malware is in the ad (which can be static or video) and on a website there are two ways that a user can become infected:
- A direct download of the malware. Here the ad would trick you into downloading the malware – this is the less effective method of infection as it requires user interaction.
- A ‘drive-by-download’. This is quickly becoming the cybercriminal's method of choice for malware infection via online ads. It involves a silent redirection to an exploit kit, often the Angler exploit kit. Drive-by-downloads work by redirecting the user to another website which hosts the exploit kit. The redirect is hardly noticeable, but it is enough for the exploit kit to do its work. The most worrying thing about this method is that the user doesn’t have to click on the ad; they just have to land on the page showing the ad and they’ll be silently redirected to the spoof site containing the exploit kit.
Both methods rely on software vulnerabilities. The malware works by exploiting flaws in browsers and software such as Adobe Flash, which are then used to run malicious code.
Post Infection: Examples of Malvertising
Most recently ads have been used to serve up the infamous and insidious ‘ransomware’, which extorts money from users after encrypting all of their files. A recent example of a ransomware attack successfully perpetrated through malicious ads was one which infected sites such as the BBC and The New York Times. This attack was sent out from a number of different ad networks, including Google, and used a flaw in Microsoft Silverlight to install the malware via a drive-by-download.
In a massive malvertising attack on Google’s AdSense network, Google had to remove over 350 million ‘bad ads’ to clean the network up. This attack also used the Angler exploit kit, which used vulnerabilities in computer software to infect the machine.
Another example of a major malvertising attack was in 2015, when Hugo Boss ads were infected. This attack was based on a Flash vulnerability in which a Flash exploit kit was packaged into the advert itself, rather than redirecting the user to a spoof site containing an exploit kit. It ended up on very high profile sites, such as the Huffington Post, before being spotted.
What’s Next in the World of Malvertising?
The total number of malware samples is increasing year on year, according to AV Test, which keeps records of malware releases. In fact 2016 is expected to see more malware than ever before. All that malware needs an efficient conduit for delivery, so you can expect malvertising to continue to be a popular vector for malicious software infection.
A 2015 report by Ofcom found that mobile devices have overtaken laptops as the main method of Internet access. As more people use mobile devices to access websites, you can expect malvertising to target mobile users. McAfee has also suggested, in its McAfee Labs February 2015 Threat Report, that mobile malware will become a major threat. Malware exploits like the Google Play Store infection carried out using the popular Durak game demonstrated how effective malware focused on mobiles can be. This exploit used pop-up ads to inform users that they had been infected with malware. The ad encouraged them to click a link, which took the user to a spoof site where they were then actually infected. This exploit infected millions of devices with malware, which then exfiltrated login credentials. Expect mobile ad delivery to become a major malware infection route.
How Can You Stop an Ad Based Malware Infection?
All malicious ads are based on the exploit of vulnerabilities in software running on the target machine. You can help prevent a malware infection via an online ad by:
- Removing or disabling Adobe Flash in the browser. Malicious ads can use vulnerabilities in Flash to install malware. This may affect some websites' functionality, but HTML5 is starting to replace Flash.
- Removing or disabling Java. Again, however, many websites rely on Java for functionality.
- Patching software, especially browsers, as exploit kits use this type of vulnerability to install malware.
- Using ad blockers, which can be especially effective in an enterprise setting.
- Implementing threat detection and alerts, which can help prevent a disaster if an employee has navigated to a site containing malicious ads.
- Making sure you have a robust BYOD policy so that mobile devices can’t be used as an entry point for infection into the organization.
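The drive-by chain described earlier (page loads ad, ad redirects to another host, that host serves a plugin payload) leaves a trace in any proxy that logs referers and content types, which is what the "threat detection and alerts" item above amounts to in practice. The Python below is an added example written for this article, not the author's or any vendor's detection logic; the log lines, the ad-network allowlist and the `.test`/`.invalid` hosts are constructed samples in a simplified, space-separated format. It follows referer chains per client from an ad-network host to hosts that were not part of the network, and raises an alert when such a host serves Flash, Silverlight or Java content within a short window. It also flags plugin content served directly by the ad network itself, which covers the case where the exploit is packaged into the creative rather than reached by redirect.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (fields: timestamp client method url status content-type referer).
SAMPLE_LOG = """\
2016-03-15T10:02:11 10.0.0.5 GET http://news.example.test/article 200 text/html -
2016-03-15T10:02:12 10.0.0.5 GET http://ads.adnetwork.example.test/serve?slot=top 200 text/html http://news.example.test/article
2016-03-15T10:02:13 10.0.0.5 GET http://cdn.adnetwork.example.test/creative123.png 200 image/png http://ads.adnetwork.example.test/serve?slot=top
2016-03-15T10:02:14 10.0.0.5 GET http://unregistered-host.invalid/land 302 text/html http://ads.adnetwork.example.test/serve?slot=top
2016-03-15T10:02:15 10.0.0.5 GET http://unregistered-host.invalid/player.swf 200 application/x-shockwave-flash http://unregistered-host.invalid/land
2016-03-15T10:05:40 10.0.0.9 GET http://news.example.test/other 200 text/html -
2016-03-15T10:05:41 10.0.0.9 GET http://ads.adnetwork.example.test/serve?slot=side 200 text/html http://news.example.test/other
2016-03-15T10:05:42 10.0.0.9 GET http://cdn.adnetwork.example.test/creative456.png 200 image/png http://ads.adnetwork.example.test/serve?slot=side
2016-03-15T10:05:43 10.0.0.9 GET http://cdn.adnetwork.example.test/creative456.swf 200 application/x-shockwave-flash http://ads.adnetwork.example.test/serve?slot=side
"""

# Assumed allowlist of hosts that belong to the ad network (constructed).
AD_NETWORK_DOMAINS = {"ads.adnetwork.example.test", "cdn.adnetwork.example.test"}
# Content the browser would hand to a plugin rather than render itself.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-app",
                "application/java-archive"}
PLUGIN_EXTENSIONS = (".swf", ".xap", ".jar")
WINDOW = timedelta(seconds=30)  # how long a redirect chain stays "live" per client


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def parse_line(line):
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, ctype, referer = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "client": client,
            "method": method, "url": url, "status": int(status),
            "ctype": ctype.lower(), "referer": None if referer == "-" else referer}


def looks_like_plugin_payload(ev):
    path = urlparse(ev["url"]).path.lower()
    return ev["ctype"] in PLUGIN_TYPES or path.endswith(PLUGIN_EXTENSIONS)


def detect_drive_by(log_text, ad_domains=AD_NETWORK_DOMAINS, window=WINDOW):
    """Return alerts for plugin payloads reached through an ad-served redirect chain."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    # Per client: host -> time it was first reached via a referer chain from the ad network.
    chains = defaultdict(dict)
    alerts = []
    for ev in events:
        host = host_of(ev["url"])
        ref_host = host_of(ev["referer"]) if ev["referer"] else ""
        chain = chains[ev["client"]]
        for h, t in list(chain.items()):          # forget hops older than the window
            if ev["ts"] - t > window:
                del chain[h]
        if host in ad_domains:
            if looks_like_plugin_payload(ev):
                alerts.append({"client": ev["client"], "ts": ev["ts"].isoformat(),
                               "url": ev["url"], "referer": ev["referer"],
                               "reason": "plugin content delivered inside an ad creative"})
            continue
        if ref_host in ad_domains or ref_host in chain:
            chain.setdefault(host, ev["ts"])       # this host is now part of the ad chain
            if looks_like_plugin_payload(ev):
                alerts.append({"client": ev["client"], "ts": ev["ts"].isoformat(),
                               "url": ev["url"], "referer": ev["referer"],
                               "reason": "plugin payload from host reached via ad redirect"})
    return alerts


if __name__ == "__main__":
    for alert in detect_drive_by(SAMPLE_LOG):
        print(alert)
```

The redirect-chain alert is the high-confidence one: a host that the ad network itself did not serve, reached only through the ad, handing the browser a plugin file within seconds. The in-creative alert will be noisier on networks that still accept Flash creatives, so treat it as a baseline to review rather than a block decision, and pair either with the patching and plugin-disabling items above so that a hit is a near miss rather than an infection.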
Michael Liebi is the founder of United Security Providers and now serves there as a board member.