Although it’s difficult to say just how prevalent malvertising is, it’s clear that it’s a growing threat.
Invincea, an endpoint security firm, blocked 2.1 million malicious advertisements in the first six months of 2015. RiskIQ stated that the number of bad ads counted in that period was an increase of 260% from the previous year. We may not know just how big it is, but it’s big.
And it’s doing a lot of damage. In June of 2015, Invincea estimated that malvertising could do a billion dollars in damage by the end of the year. And with the very low entry cost to the field, there’s reason to believe that the prevalence of malvertising will only increase in the coming years.
With all of that in mind, this guide will help you understand what malvertising is, why it’s so popular, where it’s hiding, and what you can do about it.
What Is Malvertising?
“Malvertising” is a portmanteau of “malicious advertising.” In short, malvertising is the practice of using online ads to infect computers with various types of malware.
Interestingly, the infection doesn’t always require a click on the advertisement – just seeing the malicious ad can infect your computer without any indication that anything has gone wrong (unless you have an anti-exploit solution, as shown in the video below).
This is accomplished by the insertion of special scripts within an ad that run as soon as the ad is shown to a user; this is known as a “pre-click” infection. “Post-click” infection is also possible, and ads that redirect the user to an infected site that downloads malicious files to their computer remain an effective way of delivering malware.
What kind of payload do these malvertisements carry? It can be anything from adware to a piece of code that attempts to change the settings on your home router. Exploit kits are common payloads in malvertisements, and will open up your computer to any other type of malware that a cybercriminal wants on your hard drive. Ransomware, botnets, and banking/financial information theft programs are also often delivered. You may remember Kyle and Stan, one of the payloads delivered in 2014.
Why Is Malvertising Getting So Popular?
The huge increase in the incidents of malvertising is easily explainable: it works, and it works really well.
One of the reasons that it works so well is that it can effectively infiltrate highly trusted websites. Third-party ad networks sell ads to big sites like eBay, The Weather Channel, Rotten Tomatoes, and MakeUseOf, and those websites display the ads. If a malvertiser can figure out a way to get a malicious ad accepted by an ad network, it could be distributed to a huge number of websites before it’s caught.
Many of the transactions between advertisers and ad networks are done programmatically, with humans only peripherally involved, increasing the chance that a malvertiser can slip a malicious ad by the security systems of the ad networks. Websites often don’t even know what ads will be shown on their sites, removing one more level of potential detection – they leave it up to the ad networks, who are in charge of the security of the ads.
Even highly trusted ad networks, like Google’s DoubleClick, have distributed malicious ads. One method that malvertisers use to get their ads into these trusted networks is by buying ad space for benign ads first; once they’ve established a reputation as a legitimate advertiser, they’ll start adding malware-laden ads. Because they’re under less scrutiny than new advertisers, they have the chance to slip these malvertisements by the network for a while before they get caught.
A newer method of getting malvertisements published is just-in-time malware assembly, which includes innocent-looking components of code in the ads that are downloaded separately to a victim’s computer before being assembled and compiled into the malware payload. This payload can then run or download additional components to complete the assembly. This is especially difficult to detect.
Adware can also be installed via malicious browser add-ons and extensions, which many users aren’t careful about. This adware can trigger further infections through the use of malvertisements delivered directly to the user’s browser.
Where Do Malvertisements Hide?
Unfortunately, you can find malvertising absolutely anywhere. Of course, shady streaming and torrent websites are dangerous, but because of how third-party ad networks operate, infected ads can be spread to a wide variety of otherwise very trustworthy sites at high speed. While there are sites that are more likely than others to infect you with malware, you can be hit at any time with one of these ads.
And because many pieces of malware can be delivered without a user clicking on an ad, malvertising is a very stealthy medium. However, RiskIQ’s research showed that in 2015, the most common form of malvertising was through fake software updates, especially for Adobe’s Flash plugin. They can also be spread through fake virus and malware warnings, though the prevalence of that particular method has decreased. (The alert below looks legit, but be sure to hit the link in the previous sentence to make sure you know how to spot a fake one.)
This is why it’s difficult to protect yourself from malvertising – it strikes fast and can come from just about anywhere.
How to Protect Yourself
The steps for protecting yourself from malvertising are very similar to the ones you need to take to protect yourself from any other type of malware.
Disable Flash and Silverlight
Adobe’s Flash and Microsoft’s Silverlight are often targeted by cybercriminals for exploitation because of their well-known security vulnerabilities. If you’re running either of these plugins in your browser, you should disable them right away, or at least turn on click-to-play so that you’re prompted to approve the use of the plugin before it starts.
And then, of course, you should only approve the use of Flash or Silverlight if you’re confident that the site you’re on is clean and that the plugin isn’t being requested for an ad (if you’re using Amazon Prime on Safari, for example, you’ll need to use Silverlight to stream videos). Flash and Silverlight aren’t the only insecure plugins, though, so be sure to read up on which ones you should disable or restrict.
Block Ads and Scripts
It’s a controversial practice, but right now it’s the best way to protect yourself from malvertising. If an ad is blocked, it can’t infect you with a malware payload (at least as far as we know). Blocking scripts will help, too, as they’re often the tool embedded in the malvertisement that delivers the payload.
Unfortunately, even whitelisting trusted domains might not be a good idea because of how third-party ad networks work. There have been reports of malvertisement infections on the LA Times, Yahoo, Comcast, Answers.com, and many other big-name sites. You just never know where it’s going to pop up next.
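To see why whitelisting a trusted site also admits whatever its ad networks serve, the following added example (not part of the original article) lists the scripts, frames and plugin embeds a page loads from other sites. The page URL, the HTML and every hostname are constructed, and comparing the last two labels of a hostname is a simplification of what real blockers do with the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "trusted" publisher page embedding ad-network content.
SAMPLE_URL = "https://www.news.example/story"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.news.example/lib.js"></script>
<script src="https://ads.adnetwork.example/tag.js"></script>
</head><body>
<img src="https://img.othersite.example/logo.png">
<iframe src="//serve.adexchange.example/slot?id=1"></iframe>
<embed src="https://media.adnetwork.example/banner.swf">
</body></html>
"""

# Tags that run code or plugins, and the attribute holding their URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

def site_of(host):
    # Assumption: the "site" is the last two labels of the hostname.
    return ".".join(host.lower().split(".")[-2:])

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_site = site_of(urlparse(page_url).hostname)
        self.third_party = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative (first-party) URLs
        if host and site_of(host) != self.page_site:
            self.third_party.append((tag, host))

def third_party_active_content(page_url, html):
    """Return (tag, host) for each active element served from another site."""
    audit = ActiveContentAudit(page_url)
    audit.feed(html)
    return audit.third_party

if __name__ == "__main__":
    for tag, host in third_party_active_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag:7} {host}")
```

Every host this reports runs inside the whitelisted page, so an exception for the publisher's domain in an ad or script blocker should be checked against this list rather than against the publisher's reputation alone.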
Use Antivirus Software
At this point, if you’re not using antivirus software, you’re pretty much asking to get infected. There are tons of great antivirus options out there (here’s our latest article on great antivirus options for Mac), and they’re all working to protect you from malvertising and other malware vectors.
Install the software, make sure it’s always running, and keep it updated. It’s that simple. If you want something specifically for keeping yourself safe from exploits, check out Malwarebytes’ Anti-Exploit software.
The Next Wave of Malware
Malvertising isn’t exactly new, but its popularity is growing extremely fast, so we’re likely to see a lot more of it in the coming years. And no matter how you feel about ad blocking, it’s currently the best way to stay safe. With the ingenuity of cybercriminals out there, though, that may not remain effective for long.
Are you worried about malvertising? Has it made you start using ad or script blockers? Have you had any direct experiences with malvertisements? Share your thoughts below!