Malvertising: Can It Be Stopped?

Posted By Denis Shokotko on Jan 19, 2017 | 0 comments

Yet another threat to users’ safety is becoming increasingly prevalent — malicious advertising or malvertising. Malicious advertising itself isn’t new, but recently, its use has become alarmingly widespread: last year, there have been almost twice as many instances of malicious advertisements than there were in 2015. Of the 80 million sites analyzed by researchers in 2015, 19,000 pages were found to be infected; in 2016, nearly 30,000 such pages have been found. The total number of pages checked was the same for both periods.

So, what exactly is malvertising, and what makes it so dangerous?

The history of malvertising

The first cases of malvertising were discovered around late 2007 to early 2008. At that time, attackers exploited a Flash vulnerability (and even today, Flash is loved by hackers due to a large number of security “holes” in it).

In 2009, after the online version of the New York Times had malware posing as advertisements inserted into its pages, the site was forced to suspend the serving of third-party ads, and even published advice to help readers avoid the threat.

By 2010, malicious browser advertisements grew to such proportions that an interdisciplinary group was formed to combat them.

Since 2015, in addition to desktop and laptop browsers, malvertising has also begun targeting the browsers of mobile devices.

Most frequently, attacks target sites with large volumes of daily traffic, enabling attackers to infect as many devices as possible. For example, Huffington Post, The Daily Mail, NYTimes, LATimes, and other major news portals have fallen victim to malvertising attacks at various times. Attackers’ traditional “favorite” targets have been file-sharing sites and BitTorrent trackers. Problems were seen on large forums and at IT help desks. Not even giants like Yahoo and Forbes have been able to escape malvertising attacks.

How it works

Malvertising refers to the practice by which an attacker hides malicious software in advertisements. Typically, what appears to be a simple banner or text ad actually triggers an exploit, infecting the user’s computer with various kinds of malware. Specialized scripts can filter out and target users running vulnerable software, redirecting them to pages that distribute malicious software. Sometimes, it’s not even necessary to click an infected advertisement to be affected. Scripts inserted into the page are automatically run when the page loads.

Attackers have turned to these methods of viruses spread since the traditional methods involving phishing emails, torrent trackers, and pornographic sites have become problematic. First, these methods have begun to arouse suspicion among users; and second, these methods make it more difficult for the attackers to “catch” employees of major companies in their nets, so to speak. After all, these users are obviously not going to download torrents and watch porn on the company-owned computers they use while on the job. How, then, can attackers reach this “audience”, one which is of such high interest to them? They’ve found a solution in advertisements.

Tools already exist to facilitate attacks on specific companies that interest criminals. This possibility exists thanks to the precisely targeted advertising platforms offered by search engines. (In the search, one can specify a particular region of users, a field of interest, and/or advertising section.) When an employee of a particular company visits the site, he/she is shown the “correct” advertisement, containing a built-in malicious payload (usually spyware) which automatically infects the user’s computer. As a result, the malware affords the attacker access not only to the infected device but also to all the company’s computers connected to it.

In the case of private users, the malware is most often a trojan that attempts to extort money out of the user or steal his banking information.

Can malvertising be dealt with?

Search engines are, after all, not required to monitor malware activity. However, because the majority of search engines’ revenue comes from advertising, it is not profitable for them to compromise themselves by serving malicious content, thereby driving away the business of respectable advertisers. According to a statement from Google, it is the job of more than 1000 of the company’s employees to rid their servers of infected advertisements. But despite their efforts, there is still an excessive amount of malicious pages that appear in search results.

Hackers use different tricks to penetrate legitimate, initially safe platforms. For example, attackers buy recently expired domains belonging to advertising networks. Site owners then unknowingly place malvertisements on their sites, thinking that they’re working with the domain’s old owner. Because malicious advertisements can appear on any kind of site, the threat is rarely noticed in time.

Another trick used by attackers is to earn a reputation as an honest, legitimate advertising agency. For some time, attackers publish normal, uninfected advertisements. Only later they begin to include malware in the ads. To avoid raising questions with advertising networks, malware is removed from the advertisements after a certain period of time, and they become safe again. The average lifetime of a targeted page ranges from ten minutes to four hours, so reacting to the malicious pages’ appearance in time is difficult. Additionally, hackers often change the malware’s hash or checksum, which further complicates the detection and removal of malicious ads.

While advertising networks and search engines are looking for ways to get rid of malicious ads, ordinary users can do something to protect themselves, too. Here are some simple tips to reduce the threat posed by malvertising:

1. Use a browser that can detect sites containing malvertising.
2. Install antivirus software that can detect and eliminate malware.
3. One of the best and simplest ways to protect yourself is to block advertisements entirely by installing a good ad blocker.
4. Often, Adobe products like Flash Player and Adobe Reader are targeted by malware. The company is engaged in ongoing efforts to patch security vulnerabilities, but hackers are always finding new ones. So, if you can’t do without these programs, it’d be worth your while to at least keep them updated.
5. Disable Flash and Silverlight plugins in your browser; if you need them on certain sites, enable them manually.
6. Require companies that serve third-party advertisements on their sites to verify their safety.

Only through the combined efforts of search engines, employees of advertising networks, and ordinary users can the threat posed by malvertising be overcome.