Is there a passing day without news of a new online threat? It could be a classic example of confirmation bias. But the cost and technical requirements of powerful malicious software are falling. It is also becoming easier to locate and purchase this software online, using equally untraceable payment methods.
This is why we are seeing a rise in advanced malware reaching our computers.
We’re also seeing greater variance in the methods of malware delivery. Aside from increases in phishing, spear phishing, vishing and SMiShing campaigns, security researchers have noted a significant rise in malvertising.
What Is Malvertising?
Malvertising is the process of injecting malicious advertisements into a webpage via legitimate advertising networks. It has a particular allure for attackers. As adverts are displayed almost uniformly throughout the internet, malefactors can push their attacks toward “high value targets,” affecting almost anyone, anywhere. Malvertising campaigns often go unnoticed, providing a reasonably high return for those injecting the ads, as well as carrying the potential to expose millions of unsuspecting users to the malware itself.
It can be hard to judge the scale of malvertising. It is silent, and doesn’t come with the other common red flags we train ourselves to spot. Vadim Kotov, Senior Security Researcher at Bromium, echoes this:
“The continued rise of malvertising is also of note, as it became so rapid and high-impact, largely due to its attacks on high-profile websites. Drilling down further, this year alone, there were malvertising attacks on more than a quarter of the Alexa 1,000. This class of attacks is fascinating as it represents a perfect symbiotic relationship between two discrete technologies that end up producing such detrimental effects.”
If malvertising is all around us, how can we steer clear of it? As you’ll see from the list we’ve put together: with difficulty. But you can at least verse yourself in some of the more common online locations where you’re likely to run afoul.
Common sense tells us to avoid the sketchier side of the internet. Think about the sites you’d normally consider to host malware or be privy to a malvertising campaign. I’m sure you’ve included some of the following:
- Varied pornographic sites
- Sites offering other NSFW/NSFL content
- Sites offering free software
- Sites offering cracks/keygens/warez
- Sites offering Flash games
- Streaming sites
- Torrent sites
- Sites using “unreliable” TLDs, hosted in “questionable” countries
- Sites offering coupons, savings, and questionnaires
- Online dating sites
- Betting sites
I’m sure you can think of more, but as a quick list of places you’d consider somewhat untrustworthy, we’ve covered the bases. Some are obvious — pornographic, NSFL (Not Safe For Life), cracks, Flash games — and should always be visited with caution. Users may well visit the other sites listed and have a perfectly acceptable time, with no security issues in sight.
And herein lies the problem. By its very nature, malvertising lets attackers inject malicious content into any one of these “sites of ill-repute.” Equally, extremely popular sites traditionally considered “trustworthy” can also be affected, as can any site that contains the following ad containers:
- In-text or in-content advertisements
- Web widgets
Malvertising can be particularly potent and extremely stealthy. A user may not even have to engage with the advert (other than have it flash upon the screen) to pick up an infection, though most malware is delivered through false software updates and false malware warnings.
Trustworthy Site Breaches
The infected adverts can be injected into any network, so there aren’t really any genuinely “safe” sites. There are actually numerous examples of major sites, of varying industries, succumbing to malvertising, many of them within the past few months.
Over 1bn Users
Back in March, security researchers at Malwarebytes announced they’d been tracking a particular campaign as it dynamically traversed various internet outlets, culminating in malicious advertisements seen on:
- MSN.com – 1.3b monthly visits
- NYTimes.com – 313.1m
- BBC.co.uk – 290.6m
- AOL.com – 218.6m
- my.xfinity.com – 102.8m
- NFL.com – 60.7m
- realtor.com – 51.1m
- theweathernetwork.com – 43m
- thehill.com – 31.4m
- newsweek.com – 9.9m
The Pirate Bay
Malwarebytes again observed a live malvertising campaign when extremely popular torrent site The Pirate Bay was struck. The adverts injected into the site redirected unwitting users to landing pages for the Magnitude exploit kit, where they were then infected with the heavyweight and notorious Cerber ransomware. Malwarebytes senior security researcher John Segura explained a little about the sudden uptick:
“Magnitude EK is one of those exploit kits we don’t hear about as much in comparison to others such as Angler EK or Nuclear EK. Its unique URL pattern makes it easy to spot from the clutter of network traffic captures because it uses chained subdomains typically ending in a shady Top Level Domain like pw (Palau Pacific island)… Perhaps this increased activity is due to the fact that Magnitude EK is the third exploit kit to leverage the latest Flash Player vulnerability (CVE-2015-7645) recently patched by Adobe.”
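The quote above gives defenders two network-level indicators: hostnames made of chained subdomains, and a TLD such as .pw at the end. The following Python script is an added example (not Malwarebytes’ code or anything from the original article) that runs those two indicators over a few constructed proxy log lines; the log format, the label-depth threshold and the TLD watchlist are assumptions to be tuned against your own traffic.

```python
"""Flag proxy-log hostnames matching the chained-subdomain pattern described
in the quote above (many stacked labels ending in a watched TLD such as .pw).
The sample log lines are constructed for this example, not real traffic."""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <client_ip> <url> <referrer>"
SAMPLE_LOG = """\
2016-04-01T10:00:01Z 10.0.0.5 https://www.example.com/ -
2016-04-01T10:00:02Z 10.0.0.5 http://a1b2.c3d4.e5f6.g7h8.example.pw/index.php https://www.example.com/
2016-04-01T10:00:03Z 10.0.0.7 https://cdn.example.net/ads/banner.js https://news.example.org/
2016-04-01T10:00:04Z 10.0.0.7 http://x9.y8.z7.example.pw/ https://cdn.example.net/ads/banner.js
2016-04-01T10:00:05Z 10.0.0.9 https://mail.corp.example.com/inbox -
"""

# TLDs the quoted researcher singles out; extend from your own threat intel
WATCHED_TLDS = {"pw"}
# Hosts with this many labels or more count as "chained subdomains" (assumed threshold)
MIN_LABELS = 4

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def host_labels(url):
    """Split the URL's hostname into its dot-separated labels."""
    host = urlsplit(url).hostname or ""
    return host.lower().split(".") if host else []


def score_host(url):
    """Return (score, reasons) for one URL; each indicator that fires adds one."""
    labels = host_labels(url)
    reasons = []
    if not labels:
        return 0, reasons
    if labels[-1] in WATCHED_TLDS:
        reasons.append(f"tld .{labels[-1]} on watchlist")
    if len(labels) >= MIN_LABELS:
        reasons.append(f"{len(labels)} stacked labels")
    return len(reasons), reasons


def find_suspicious(log_text, min_score=2):
    """Parse log lines and return [(client_ip, url, referrer, reasons)] for
    every request whose host scores at least min_score. The default requires
    both indicators, so deep-but-legitimate internal hostnames are not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        _ts, ip, url, ref = m.groups()
        score, reasons = score_host(url)
        if score >= min_score:
            hits.append((ip, url, ref, reasons))
    return hits


if __name__ == "__main__":
    for ip, url, ref, reasons in find_suspicious(SAMPLE_LOG):
        print(ip, url, "referred by", ref, "->", "; ".join(reasons))
```

The referrer column is kept in the output deliberately: in a malvertising chain the referrer is usually the legitimate page or ad-network script that served the redirect, which tells you which advert slot to trace back to rather than which site to blame.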
The Pirate Bay has experienced a number of setbacks throughout the past few years, and this was compounded early last week when the major browsers of Google Chrome, Mozilla Firefox, and Safari declared they would be actively blocking the site. Firefox users reported receiving a message stating “This web page at thepiratebay.se has been reported as a web forgery and has been blocked based on your security preferences.”
While the Safe Browsing Site Status of “dangerous” was momentarily removed, it has now been reinstated, pointing to ongoing issues. You can check the status of The Pirate Bay and any other site using Google’s Safe Browsing technology.
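Google also exposes the same data programmatically through the Safe Browsing Lookup API (v4), which is useful for checking a list of sites in bulk. The Python below is an added example, not code from the article or from Google; the API key, client name, the two example URLs and the sample response are placeholders constructed here, and the live `lookup` call needs a real key and network access.

```python
"""Build a Google Safe Browsing Lookup API (v4) request for a list of URLs
and parse its response. API key, client name and the sample response are
placeholders constructed for this example."""
import json
import urllib.request

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"


def build_lookup_request(urls, client_id="example-client", client_version="1.0"):
    """Request body for the Lookup API: which threat lists to consult and
    which URLs to check. client_id is a placeholder; use your own."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_lookup_response(response, urls):
    """Map each checked URL to the sorted list of threat types it matched.
    An empty body ({}) means none of the URLs is on any consulted list."""
    verdicts = {u: [] for u in urls}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url in verdicts:
            verdicts[url].append(match.get("threatType", "UNKNOWN"))
    return {u: sorted(set(t)) for u, t in verdicts.items()}


def lookup(urls, api_key, timeout=10):
    """Perform the live query (real key and network access required)."""
    body = json.dumps(build_lookup_request(urls)).encode()
    req = urllib.request.Request(
        f"{LOOKUP_ENDPOINT}?key={api_key}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_lookup_response(json.load(resp), urls)


# Constructed sample response in the API's documented shape, so the parser
# can be exercised offline without a key.
SAMPLE_URLS = ["http://bad.example/", "https://good.example/"]
SAMPLE_RESPONSE = {
    "matches": [{
        "threatType": "MALWARE",
        "platformType": "ANY_PLATFORM",
        "threatEntryType": "URL",
        "threat": {"url": "http://bad.example/"},
        "cacheDuration": "300s",
    }]
}

if __name__ == "__main__":
    print(parse_lookup_response(SAMPLE_RESPONSE, SAMPLE_URLS))
```

A site can drop off and reappear on the list within hours, as the text above notes for The Pirate Bay, so treat a verdict as a snapshot: honour the `cacheDuration` the API returns rather than caching an “all clear” indefinitely.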
We traverse the internet from extremely popular and well respected news outlets, through the world of torrents and file sharing, into the second largest pornography site in the world. xHamster, which reportedly accumulates half a billion hits per month (wow!), was party to a massive malvertising campaign, again focused on installing the Angler exploit kit.
In this case, to lower the chance of detection, the attackers had programmed the redirection chain (where the advert redirects to a malicious landing page) to only execute once per IP, meaning if you weren’t caught out on your first visit, you were potentially safe on your return.
Unluckily for xHamster and its users, this is the second time the massive porn repository has been targeted by a malvertising campaign, with the second attack echoing the first.
Why Is Malvertising on the Rise?
Malvertising is on the rise for a number of reasons, starting with the monumental reach of the ad-networks serving the countless infected websites, and the low cost, maximum return nature of serving malware via this method.
There are other explanations, too. The networks serving advertisements throughout the internet are largely automated, with only peripheral human involvement. This means attackers can easily take a chance in the hope their infected ad makes it through the security systems of an internet advertisement network. Equally, this automation means a majority of websites are unaware of exactly what will be displayed on their site, removing themselves from the selection process – and further distancing themselves from potentially malicious content.
The system itself can be further gamed by persistent malvertisers. Instead of attempting to slip their malicious ads into an existing trusted network, they build their own legitimate reputation. Once the major ad-networks accept this growing positive reputation, the malvertisers can begin to insert malicious content, granting themselves some breathing space before their activities are discovered.
So… How Do I Stay Protected?
It looks like a mammoth task. The malvertisements are seemingly everywhere, but there are a few precautionary steps you can take:
- Disable Flash and Silverlight. Both are frequent targets for attackers, and both frequently contain security vulnerabilities.
- Use script management add-ons. As most ads and scripts are automatically implemented, you can use add-ons such as Ghostery and RequestPolicy to control what’s loaded within your browser.
- Use and update your antivirus. I know, this isn’t really that proactive, but it will catch more things than it misses, and it’ll definitely catch more than a net with a massive hole in it.
Until there is a monumental shift in how the internet is funded, ads will continue to be served as part of our day-to-day browsing. Massive ad-networks aren’t going to disappear unless there is a viable alternative, inclusive of those existing advertising behemoths. They certainly won’t want to relinquish their profits. And while each of the major ad-networks will be actively addressing the malvertising menace, there is still a major emphasis on self-protection.
Do you think there should be a major shift in how the internet is funded? Or should ad-networks work harder to ensure they are free of malicious content? Let us know your thoughts below!