Malvertising


Malvertising is defined as the use of online advertising to spread malware (malware + advertising). The SANS Institute first reported malvertising in Flash-based ads back in late 2007. The most popular vector in the wild at that time was the client-side rendering of Adobe SWF files that contained maliciously coded ActionScript. Trusted Source also warned digital marketing companies (early 2008) that they needed to be more cautious of the content that they were delivering through their ad networks.

To be clear: malicious ads are delivered by ad networks with whom websites have made advertising agreements. In most malvertising attacks neither the host website nor the ad network is aware of the danger—either because the malicious ad is well-disguised or because one or both have been compromised by attackers.  –Max Eddy SecurityWatch

MALVERTISING: UP CLOSE AND PERSONAL

My first experience with malvertising occurred on a mild weekend morning in September 2009, while browsing The New York Times (NYT). Before I realized what was going down, I helplessly watched a pop-up screen flash before my eyes claiming that my computer was infected. Though I did not click on any ad at the NYT website, the rogue ad simply hijacked my computer and redirected my browser to a porn site. In 2012 I ran into another malicious ad at the NewsNow.co.uk website that automatically redirected me to a rogue site telling me that I urgently needed to renew my drivers. Whoa boy, that was a nasty one too…

Considering that I have only been compromised by malicious ads twice in a six-year period, it could have been far worse than it was. But consistent backups and the use of imaging saved what could have been an intolerable mess. For people who rarely back up or never back up at all, malvertising immediately spells disaster.

Curious about how an advertisement gets published?

TIPS FOR PUBLISHERS

Negative effects: brand damage, blacklisting by search engines, and support costs.

Thoroughly vetting prospective partners’ references and credentials should be at the top of your list. Prior to allowing any ad content to appear on your site, you should conduct a quick background check with the Malvertising Research Engine and Google’s Safe Browsing Diagnostic Tool.

Use WHOIS and ROBTEX to find out the domain age, country, how many domains exist on the same IP, and if the domain resides behind a privacy shield.
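The WHOIS signals listed above (domain age, country, domains sharing the IP, privacy shield) can be checked in a script. This is an added example, not part of the original post: the sample record, the thresholds, the privacy keywords and the expected-country list are all assumptions, and the co-hosted domain count is entered by hand from whatever reverse-IP lookup you use.

```python
import re
from datetime import date, datetime

# Constructed WHOIS text for a hypothetical advertiser domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-ADS.TEST
Creation Date: 2013-05-02T10:15:00Z
Registrant Organization: Privacy Protection Service
Registrant Country: PA
"""

# Assumed thresholds and keywords; tune them to your own onboarding policy.
MIN_AGE_DAYS = 180
MAX_COHOSTED = 50
PRIVACY_WORDS = ("privacy", "proxy", "whoisguard", "redacted")

def parse_whois(text):
    """Pull 'Key: value' pairs out of WHOIS text, keeping the first value per key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+)", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def vet_domain(whois_text, cohosted_domains, today, home_countries=("US", "GB")):
    """Return review flags for the four signals named in the tip above."""
    f = parse_whois(whois_text)
    flags = []
    created = f.get("creation date")
    if created is None:
        flags.append("no creation date in WHOIS")
    else:
        age = (today - datetime.strptime(created[:10], "%Y-%m-%d").date()).days
        if age < MIN_AGE_DAYS:
            flags.append(f"domain is only {age} days old")
    country = f.get("registrant country", "").upper()
    if country not in home_countries:
        flags.append(f"registrant country {country or 'unknown'} outside expected list")
    if cohosted_domains > MAX_COHOSTED:
        flags.append(f"{cohosted_domains} domains share the IP")
    registrant = " ".join(v for k, v in f.items() if k.startswith("registrant")).lower()
    if any(w in registrant for w in PRIVACY_WORDS):
        flags.append("registrant hidden behind a privacy service")
    return flags

if __name__ == "__main__":
    for flag in vet_domain(SAMPLE_WHOIS, cohosted_domains=312, today=date(2013, 6, 1)):
        print("REVIEW:", flag)
```

A flag is a reason for a human to look closer before the ad goes live, not a verdict; plenty of legitimate advertisers use privacy services or shared hosting.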

In a nutshell: Publishers need to take control of their website and secure it. This includes checking out and monitoring all ads that are placed on the site.

SOCIAL ENGINEERING IS AN AD'S BEST FRIEND

It is easy to create a fake company or corporate identity on the Internet. An advertising network using Internet search engines for online reputation research can easily fall prey to padded and bolstered search results. That sexy CEO guy running that billion-dollar corporation looks stellar on LinkedIn and Twitter, but alas, he could be the neighborhood lingerie thief.

MARKETING PEOPLE WEAR ROSE-TINTED GLASSES

When cybercriminals plan a malvertising campaign, they are always looking for the weakest link in your marketing chain. This can involve anyone from your front office crew, down the chain to the sales intern who went all lollie-gaga over Sexy CEO.

Sexy CEO knows exactly how to leverage your trust to his advantage. He’s highly adept at scoping out your infrastructure to see if it plays naughty or nice. If naughty, he’ll think twice; if nice, he’ll toss the dice.

Cybercrime’s malvertising tactics tend to launch attacks over the weekend when IT resources are low, defense updates are waiting to be applied and an attack is less likely to be noticed. – [Source]

MALVERTISING, A RISING INTERNET THREAT

According to Symantec’s 2013 Internet Security Threat Report, Volume 18, in 2012, drive-by Web attacks increased by one third (possibly).

Malvertisers have infamously developed exploit kits, such as WebAttacker, Poison Ivy, and Blackhole, for display malvertising. These kits enable those who aren’t as technically gifted to easily enter the cracking ecosystem. WebAttacker, for instance, is a “‘bundled’ hack tool” that uploads client side exploits to a server, recognizes the users’ browser (& serves one of a number of exploits depending on the browser), and downloads a Trojan Horse that then logs keystrokes or opens up backdoors.

The exploit kits typically rely on vulnerabilities in popular software like Java and Adobe to attack users, who don’t always install the latest patch. Kit developers are quick to find and manipulate these exploits, and with a low cost of entry (a few hundred to thousand dollars, based on whether you DIY or request extra customization) and so many unsuspecting or disinterested hosting partners, it is easy for them to begin to enter the pay-per-install malware world. As you might expect, these kits have also been optimized for use on mobile platforms and browsers. —Ad Monsters

DRUMROLL; CONCLUSION TIME

It’s time for marketing departments everywhere to remove their rose-tinted glasses. The malvertising landscape in marketing mode may be hovering on a precipice, with absolutely no clue that suave, sexy CEO finds your current infrastructure rather nice.

To counteract and minimize the threat of malvertising – get your IT department involved from the get-go. Use the New Advertiser Risk Evaluation for onboarding new advertisers and ad agencies.

Everybody has to make a buck now and then. But be sure to re-inspect sexy CEO and always keep a security expert on board for all ads that run on your network (website). This blog post only manages to kick a tiny dent in the malvertising intel-fabric. If you want to know more, follow this expert on malvertising (Kimberly), otherwise known as @StopMalvertisin on Twitter.

Have you ever been struck down by malvertising? Have any ideas to add? Post it here – I’m listening 🙂

 

 

  • Thanks for writing about this. For publishers, the key is to have a plan on how to quickly identify and shut down the possible source once malvertising is in the system. We write a lot about this at AdMonsters: http://www.admonsters.com/topic/malvertising

  • Tech

    Which just shows the necessity of running ad-blocking and flash-blocking plugins in your browser.

  • Michel Plungjan

    I was attacked on my iPad via a Twitter link to Daily Mail – I had a discussion how to see if it was the iPad that had been thwarted or the site it went to: http://apple.stackexchange.com/questions/53997/how-do-i-examine-my-ipad-for-malware but nothing came of that discussion. There is no protection on the iPad for this. No adblocking or such

    • Malvertising happens so fast – that marketing needs to get IT to giddy up 🙂
      I think you can use getcocoon.com on the iPad. Maybe NoScript too – another Firefox add-on.