One of the terms we didn't include in our advent calendar of definitions was 'malvertising'. This is a term which we felt we could say a little more about, and so we've saved it for this blog.
Malvertising may seem like a scary topic, but it doesn't need to be. This blog includes some simple steps to protect your End User Devices and your networks, so you don't need to be afraid of online adverts.
What is malvertising?
Malvertising, or 'malicious advertising', is when an attacker uses online advertising as a delivery method for malicious activity. It's particularly insidious because it often doesn't require any user interaction - such as choosing to run downloaded files - to cause problems. You can become a victim of malvertising simply by visiting a popular website. Code within online adverts on the website could install ransomware or other malware.
It's a popular method because a single malicious advertisement could be distributed to many publishers and onward to many websites - causing widespread attacks against their users. Ad networks allow advertisers to target online advertisements on features like location and device types; attackers can also leverage this to launch targeted malvertising campaigns. In addition, it can be difficult to attribute malicious activity to malvertising (see Proofpoint.com - The shadow knows: Malvertising campaigns).
Whilst it's difficult to accurately measure the impact of malvertising, we know malicious activity within online advertisements is on the increase. A report from Cyphort stated they saw a “325% increase in malvertising during 2014”. Throughout 2015 Google disabled more than 780 million ads that violated their policies, some of which carried malware. This was an increase from 524 million ads disabled by Google in 2014.
How malvertising works
To understand how to protect against malicious advertising, it helps to understand how it is delivered.
Website owners and mobile application developers, known as publishers, receive payment from advertisers in return for displaying online advertisements. Online advertisements can allow advertisers to run code to display rich media advertisements that incorporate elements like animations, video and scripts. Malicious actors can take advantage of this to deliver malicious content within an online advertisement, without the knowledge of the publisher.
There are different ways for malicious advertisements to be displayed on a publisher's site:
- Publishers can use their own servers to deliver online advertisements.
- Alternatively, publishers can use an ad network. Within ad networks, advertisers can buy the rights to serve an advertisement onto a publisher site.
Whether an attacker compromises a publisher’s server or poses as a legitimate advertiser, the same delivery vector - online advertisements - is used to deliver malicious activity. It is important to note that while publishers are being used in the infection process, they are - like the end user - victims of malvertising. Publishers will suffer reputational damage if their customers get infected from malvertising displayed on their sites.
Embedded malicious code
Malicious advertisements typically do not require any user interaction because they contain embedded code. The user does not need to click on the advertisement, because the malicious code runs from within the advertisement itself. The code can carry out a variety of tasks, such as exploiting software vulnerabilities, or silently redirecting users to malicious websites that host exploit kits. In this regard, malvertising is similar to drive-by downloads, in that software is run on a victim’s computer simply by visiting a malicious website.
Exploit kits are automated toolkits or frameworks designed to scan a victim’s device, find software vulnerabilities and then exploit them in order to deliver a malicious payload.
What is the impact of malvertising?
Numerous high profile publisher sites have been victims of malvertising campaigns. In March 2016, visitors to various major publishers including aol.com, bbc.com, nfl.com and nytimes.com received malicious advertisements. The malvertising campaign targeted US users and was delivered through multiple ad networks. Shortly afterwards, a similar malvertising campaign targeted visitors to UK websites.
In both campaigns, the malicious advertisement redirected victims to websites hosting the Angler exploit kit. This can lead to malicious activity such as stealing financial information stored on victims’ machines, or installing ransomware whereby victims’ files are encrypted unless payment is made to the attacker.
Ad blocking is a technology designed to limit (or completely prevent) the display of online advertisements. There are a number of ad blocking solutions that work in different ways. Some ad blockers are designed to block all advertisements (whether legitimate or malicious), whilst others whitelist ‘trusted’ ad networks. It is worth noting that whitelisted ad networks could still be a source of malicious advertisements. Whilst ad blockers can help prevent malvertising from affecting you, they should not be regarded as a security product.
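The two points above (creatives that carry embedded scripts or silent redirects, and allowlists of 'trusted' ad networks) can be turned into a simple static check that a publisher or ad-quality team might run over creatives before they are served. This is an added example, not code from the original post or from any ad network; the trusted host names and the sample creatives are constructed for illustration.

```python
"""Static checks for ad creatives, illustrating the risks described above.

Flags the features a malicious creative relies on: embedded scripts, framed or
plugin content, refresh redirects, inline event handlers, and resources loaded
from hosts outside an allowlist of ad networks the publisher trusts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of ad-network hosts (hypothetical names, not real networks).
TRUSTED_AD_HOSTS = {"ads.example-network.test", "cdn.example-network.test"}


class CreativeScanner(HTMLParser):
    """Walks the creative's markup and records anything a static banner should not need."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []

    def _check_url(self, tag, url):
        parsed = urlparse(url)
        if parsed.scheme == "javascript":
            self.findings.append(f"{tag}: javascript: URL")
        elif parsed.hostname and parsed.hostname not in self.trusted_hosts:
            self.findings.append(f"{tag}: untrusted host {parsed.hostname}")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append("script: embedded or external script")
        if tag in ("iframe", "object", "embed"):
            self.findings.append(f"{tag}: framed/plugin content")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append("meta: refresh redirect")
        for key in ("src", "href", "data"):
            if attrs.get(key):
                self._check_url(tag, attrs[key])
        for key in attrs:
            if key.startswith("on"):  # onload=, onerror=, ... run code without a click
                self.findings.append(f"{tag}: inline event handler {key}")


def scan_creative(html, trusted_hosts=TRUSTED_AD_HOSTS):
    """Return the list of findings; an empty list means the creative passed."""
    scanner = CreativeScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed sample creatives (not taken from any real campaign).
BENIGN = '<a href="https://ads.example-network.test/click"><img src="https://cdn.example-network.test/banner.png"></a>'
SUSPICIOUS = ('<img src="https://cdn.example-network.test/banner.png">'
              '<script src="https://evil.test/a.js"></script>'
              '<meta http-equiv="refresh" content="0;url=https://evil.test/landing">')
```

A check like this only catches the obvious markup-level indicators; obfuscated or server-side logic in a permitted script will pass it, which is why the post stresses patching rather than relying on filtering alone.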
Protecting your devices and networks
The vast majority of malvertising targets unpatched vulnerabilities in web browsers, plugins, and associated internet-facing software on End User Devices. Prompt patching and updating of this software is the most effective mitigation available. For more information on protecting End User Devices within your organisation, see our EUD guidance.
In addition, Cyber Essentials contains five critical controls which can help to reduce the harm from malvertising. We recommend that all organisations consider these controls, and the recommendations in the 10 steps to cyber security.
Wider network security hygiene protections, such as network segregation, web proxying, and least privilege are also useful in minimising the impact of any successful malware infection.
Tech Director for Assurance