Malvertising: The latest threat affecting millions

Here's a scary number: 1.3 billion. That's the monthly traffic of msn.com, which was hit by a malvertising campaign earlier this year. Here's an even scarier number: 70%. That's the estimated share of malvertising campaigns that deliver ransomware as a payload. What's 70% of millions and millions of page views that cycle through the most popular websites each day? Far too much.

All this is to underscore the very real danger of malvertising. One of the basic tenets of cybersecurity is user awareness. If you practice safe browsing habits, you can protect yourself from a number of threats, but malvertising is a different beast. It hits you without your knowledge, often lives on reputable sites, and most of the time, delivers one of the most dangerous forms of malware today. You could still be vulnerable, even if you practice safe internetting!

What is malvertising?

Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. You could be researching business trends on a site like NYTimes.com and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the “right” malware for you.

Growing problem

Instead of trying to trick people into visiting malicious sites, malvertising purposefully targets legitimate websites with high traffic. In the less than 10 years it has been on the scene, malvertising has impacted major websites with traffic in the hundreds of millions (if not billions), including Yahoo!, NYTimes.com, bbc.com, msn.com, and AOL.

And the problem's only getting worse. In 2015, Google disabled more than 780 million bad ads, a nearly 50% increase over 2014. According to RiskIQ, in just the first half of 2015, malvertising increased 260% compared with all of 2014.

How it works

The problem is simple: malvertising has gone unchecked because of the current lax conditions and low barriers to entry at ad networks. In order to advertise online, businesses merely sign up with a network and then bid in real time to have their ads appear on popular websites. However, not all advertising networks have strict criteria for advertisers. Not only that, but buying advertising space is increasingly being transacted automatically. Ad sellers don't always know the buyers, and some ad platforms let newcomers in cheaply.

Criminals have done such an efficient job of “plundering the ad ecosystem,” that the FBI, Department of Justice, and Homeland Security have pledged to get involved. Yet even with some gatekeeping in place, cybercrooks can easily pull the wool over the ad networks' eyes by serving up good ads for a while before switching to ads that contain malicious code.

Having Mission Impossibled the ad networks, bad actors move on to their real targets: you. Their infected ad often uses an iframe, or invisible webpage element, to do its work. You don't even need to click on the ad to activate it—just visit the webpage hosting the ad. (Hence the term “drive-by download.”) The iframe redirects to an exploit landing page, and malicious code attacks your system from the landing page via exploit. The exploit kit delivers malware—and 70% of the time, it's ransomware.

How to avoid malvertising

Plainly, if you use the Internet, you can't avoid malvertising. But you can protect against it. Here are a few ways to batten down the hatches and brace yourself against malvertising.

1. Practice safe browsing

It won't protect you against malvertising living on reputable sites, but it will decrease your odds of getting hit with the veritable wall of crap ready to greet you from the shadier side of the Internet.

2. Get your IT management on board and work with them

IT managers often have their ears to the street and are aware of emerging vulnerabilities and trends. Identify trusted sites and block the other ones you don't need access to. There will always be an inclination for personnel to bring their private browsing habits to work with no ill intent, but 'business only' restrictions are not unreasonable and much easier to enforce.

3. Tighten up vulnerabilities on your computer

Malvertising is simply a vehicle for finding security flaws hiding elsewhere in your system. Keep your software patched, update your operating system, run the latest browsers, and remove any software (especially Flash or Java) that you don't use or need.

4. Download an ad blocker

Ad blockers can filter out a lot of the malvertising noise, stopping dynamic scripts from loading dangerous content. However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content.

5. Enable click-to-play plugins on your web browser

Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A good deal of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will offer excellent protection.

6. Run an effective anti-exploit program

When all else fails, a good anti-exploit program can shield browser, OS, and software vulnerabilities, catching any of the riff-raff that makes it through your defenses.

So unless you'd like to become an Internet recluse, it looks like, for now, there's not much you can do to avoid malvertising altogether. But with the right protections in place, you can still beat bad ads.

Now is a good time to review what we have in place for your company and what your management history is showing regarding your vulnerabilities, and to strategize for the future.

Article originally appeared at:

https://blog.malwarebytes.com/101/2016/06/truth-in-malvertising-how-to-beat-bad-ads/

Written by Wendy Zamora with Malwarebytes

© Copyright 2014 Nate Roane, All rights reserved.