Malvertising: More than a Nuisance

By: Krista V. | Cyber Threat Intelligence Analyst, NJCCIC

Malicious advertising, more commonly known as malvertising, has been around since at least 2007 but has quickly ascended the list of everyday Internet threats due to the prevalence of online advertising in today’s digital media environment, where consumers expect free content in exchange for exposure to advertising. Malvertising simply involves hackers injecting malicious code into digital advertisements that, in turn, infect the computers and mobile devices of unsuspecting victims visiting legitimate, reputable websites. Malvertising is not only increasingly effective at infecting users, but also easy for cybercriminals to execute and difficult for investigators to attribute. Malicious actors are able to maintain their anonymity using a variety of obfuscation tactics, facilitated by the decentralized online ad marketplace where ads are sold using automatic trading programs. Recently, there have been numerous malvertising incidents affecting millions of Internet users; in fact, malvertising has consistently increased year over year since at least 2012, with a 325 percent jump from 2014 to 2015.

How does it Work?
Malvertising infections typically happen in one of two ways: either the victim clicks on a malicious ad on a webpage or in a pop-up window, or, in what is known as a ‘drive-by download’, the infection requires no action on the user’s part other than visiting the affected website. Hackers are able to embed exploit kits (automated tools used to identify exploitable vulnerabilities on user devices and download malware accordingly) in advertisements, then pay to have them displayed on a large number of popular websites. A key factor in the success of malvertising is the existence of vulnerable, unpatched software on the end-user’s device that is easily exploited by the malicious code contained within the ad. Once a computer is compromised, the user can be targeted for identity theft or financial fraud, or infected with additional malware such as ransomware. Ransomware is malware that attempts to extort money from victims by restricting access to a computer system or files. For more information on ransomware, read the NJCCIC report titled, “Ransomware: Lucrative Cybercrime Tactics Rapidly Evolving.”

Recent Malvertising Incidents
Earlier this month, the Forbes.com and Realtor.com websites hosted malicious advertisements from a third-party advertising service that redirected users to the Neutrino and Angler exploit kits. These are two of this year’s most prevalent and sophisticated exploit kits, which target Flash, Java, Silverlight, and various browser vulnerabilities and succeed in compromising almost 40 percent of victims. To learn more about how exploit kits work, read the NJCCIC report titled, “Exploit Kits: A Prevailing Vector for Malware Distribution.”

Also this month, the dating website Match.com was targeted in a malvertising attack delivered over ad networks and aimed mainly at UK users of the site. It followed a similar malvertising incident in August against the sister website, PlentyOfFish.com. The Match.com attack used Google-shortened URLs that directed users to sites hosting the Angler exploit kit, which then infected end users with CryptoWall ransomware and the Bedep ad-fraud Trojan.

Last month, MSN was hit by a large exploit kit malvertising campaign. The MSN web portal was used to serve malicious advertising code meant to deliver the Angler exploit kit onto users’ computers and download ransomware. The malvertising infected users who simply browsed the MSN news, lifestyle, or other sections of the portal, which host millions of visitors every month. It is believed that the attackers were the same ones that targeted Yahoo and other popular sites including Drudge Report, Weather.com, and eBay.

Also in August, Yahoo users were reportedly targeted in one of the biggest malvertising attacks to date after cyber actors bought advertising space on the company’s websites to deliver malicious advertisements. The campaign exploited an Adobe Flash vulnerability to install the malware, which contained a combination of ad fraud and ransomware programs. Previously, in January 2014, as many as two million Yahoo customers may have received malware that turned their computers into Bitcoin miners after a Java vulnerability was exploited.

What can you do?
Unfortunately, the conventional wisdom of avoiding suspicious websites is not enough to prevent an infection. Users can be exposed to malvertising via any website with advertisements, particularly those in multi-site ad networks that allow advertisers to buy slots across many major websites. Websites that run third-party ads can do little to protect their users because they lack direct control over the ad content. As with almost all cyber threats, the first line of defense against malvertising is ensuring all operating systems, applications, web browsers, and plugins are up to date with the most recent security patches, in addition to a comprehensive strategy to defend against malware. This includes a reputable anti-virus tool that is set to auto-update and conduct real-time scanning of Internet traffic, as well as user training and awareness of how to identify and respond to potential infections.

Additional countermeasures to mitigate malvertising:

  • Implement URL filtering to prevent access to known and potentially malicious sites.
  • Consider using an ad-blocker browser extension or software.
  • Implement an application whitelist, which only allows the computer to run approved programs.
  • Install an additional anti-malware tool to supplement antivirus software in identifying and removing the most current malware strains.
  • Utilize a sandbox environment to scan suspicious URLs before users visit them.
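The URL-filtering countermeasure above can be supplemented with detection of the drive-by chain described earlier (ad network, then a shortened URL, then a landing page that serves Flash, Java or Silverlight content from a host the organization has never vetted). The following is an added example written for this article, not code from NJCCIC or any vendor; every domain, log line and category list in it is a constructed placeholder standing in for the feeds a real URL filter would supply.

```python
"""Added example: reconstruct ad-originated redirect chains in proxy logs
and flag the pattern ad network -> URL shortener -> landing page -> plugin
payload. All domains, lists and log lines are constructed placeholders."""
from collections import defaultdict
from urllib.parse import urlparse

# Categorisations that an organisation's URL filter would normally supply.
AD_NETWORKS = {"ads.example-adnet.test"}        # assumed ad-serving host
URL_SHORTENERS = {"goo.gl"}                     # Google shortener named in the article
KNOWN_GOOD = {"news.example.test", "cdn.example.test", "ads.example-adnet.test"}
# MIME types of the plugin content (Flash, Java, Silverlight) exploit kits target.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/x-silverlight-app"}

# Constructed proxy log: "<client> <referrer> <requested_url> <content_type>".
SAMPLE_LOG = """\
10.0.0.5 - http://news.example.test/ text/html
10.0.0.5 http://news.example.test/ http://ads.example-adnet.test/serve?id=1 text/html
10.0.0.5 http://ads.example-adnet.test/serve?id=1 http://goo.gl/abc123 text/html
10.0.0.5 http://goo.gl/abc123 http://landing.example-bad.test/index.php text/html
10.0.0.5 http://landing.example-bad.test/index.php http://landing.example-bad.test/x.swf application/x-shockwave-flash
10.0.0.6 http://news.example.test/ http://ads.example-adnet.test/serve?id=2 text/html
10.0.0.6 http://ads.example-adnet.test/serve?id=2 http://cdn.example.test/banner.swf application/x-shockwave-flash
""".splitlines()

def host(url):
    """Hostname of a URL; a '-' (empty referrer) yields ''."""
    return urlparse(url).hostname or ""

def find_suspicious_chains(lines):
    """Return (client, reason, url) alerts. A host becomes 'tainted' for a client
    once reached with an ad network, shortener or tainted host as referrer."""
    alerts = []
    tainted = defaultdict(set)          # client -> hosts reached via an ad chain
    for line in lines:
        client, referrer, url, ctype = line.split()
        ref_host, req_host = host(referrer), host(url)
        from_ad_chain = (ref_host in AD_NETWORKS or ref_host in URL_SHORTENERS
                         or ref_host in tainted[client])
        if from_ad_chain and req_host not in KNOWN_GOOD:
            tainted[client].add(req_host)      # unvetted hop in an ad-originated chain
        if ref_host in AD_NETWORKS and req_host in URL_SHORTENERS:
            alerts.append((client, "ad network redirected to URL shortener", url))
        if ctype in PLUGIN_TYPES and req_host in tainted[client]:
            alerts.append((client, "plugin content from unvetted host in ad chain", url))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_LOG):
        print(*alert)
```

The benign client 10.0.0.6 also loads Flash content via the ad network, but from a vetted CDN, so it produces no alert; only the chain that leaves the vetted set is flagged.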