Advertisements on the internet are no longer just a nuisance. They are now also potentially dangerous. Even sticking to widely used and trusted websites can be risky, as the banner ads they contain may be carrying malicious code.

“Malvertising”, a combination of “malware” and “advertising”, is the technique of using trusted ad networks to deliver malware-loaded advertisements to users on trusted websites. This is not a new technique, but over the last couple of years its use has grown exponentially by cybercriminals because it is so effective.

According to David Kennerley, Sr. Threat Research Manager at Webroot: “Malvertising is a big problem and its return on investment for fraudsters suggests it’s not going away anytime soon.”

Most websites that have advertisements use “ad networks” to manage those ads, giving the site options for what type of ads to deliver to visitors. In a malvertising scenario, a cybercriminal will either hack into an ad network’s server or even sign a fraudulent contract with an ad network, posing as an advertiser in order to gain trust. They will then upload a seemingly legitimate advertisement that is loaded with malicious content, such as a Flash or Javascript exploit. The ad network unwittingly adds this malicious ad into its database so that its customers can choose it as one of multiple rotating ads. Or, it can take more of a social engineering approach and appear on your screen based on your browsing habits, which are tracked by tracking cookies.

Ad-Website pic

“Unfortunately, simply keeping to trusted websites no longer means you’ll stay safe,” said Kennerley. “The outsourced, distributed and chaotic nature of the online advertising industry means that even the world’s most popular websites have no visibility on the ad content displayed on their pages or its original source.”

In recent months, an additional level of complexity has been employed in these types of attacks: “Fingerprinting”, a method of uniquely identifying computers based on meta-data and file dumps. As online advertisers move away from human transactions and toward real-time ad bidding, cybercriminals are finding ways to better target their victims. Ad networks provide user meta-data to advertisers so that they can better advertise to consumers, but this same data can be used by cybercriminals to identify systems that can be exploited. For instance, if the meta-data reveals that a PC’s Adobe Flash is not up to date and a known exploit exists for their version of Flash, they will identify that PC as a target for attack.

malvertising flow chart

 

In addition to identifying potential victims, cybercriminals also use fingerprinting to identify networks and devices to avoid. For instance, if they choose to target only people in specific countries and avoid people in their own country, they can do so using geolocation data. This technique has also been used to evade security researchers by avoiding networks of security companies, making it more difficult to replicate and research these types of attacks.

With malvertising gaining popularity among cybercriminals, protecting yourself from this type of attack is critically important. “Internet users should keep their browsers fully patched, with appropriate in-built phishing and malware protection switched on,” advised Kennerley. “Browser add-ons should be kept up-to-date, with auto-play turned off; or better yet, disable or remove these commonly exploited add-ons completely. Ad-blocking software is becoming a must and of course a strong endpoint protection product is essential.”

Nathan Wyman

About the Author

Nathan Wyman

Threat Research Analyst

Nathan has been working with PCs for nearly 20 years and joined Webroot’s Customer Support eam in 2013. Now a Threat Research Analyst, he researches and analyzes emerging malware trends.

Share This