Malvertising: when ads attack

Like it or not, advertising is a fact of life on the internet. As the primary source of income for huge publishers and social media platforms, it can be tough to avoid. The best ads are engaging, amusing and informative – and even at its very worst, advertising is rarely more than mildly irritating. But what if the omnipresent power of online advertising was harnessed by cybercriminals?

Malicious advertising, or malvertising, is something far worse than an annoying commercial. It’s a form of online attack that uses advertising as a platform for malware, and it can infect users of any website that features ads. A scary prospect, no doubt – but by understanding malvertising, it’s possible to ensure maximum protection, and minimise the risk if and when malvertising strikes.

So what is malvertising?

Malvertising is a nasty combination of malicious software and legitimate ad platforms. You’re probably familiar with the various types of banner ads that appear on websites – but these ads are rarely selected by the sites that display them. Instead, advertising networks manage vast numbers of ads across countless sites, with individual ads automatically served to users based on a range of criteria.

A malvertising attack seeds malicious ads – that is, ads that either link to malicious content or execute malware directly – in places where users expect to see valid adverts. In other words, the attackers leverage the popularity of established websites and the reach of advertising networks. And this is why malvertising can be so grimly effective: it exposes malware-riddled ads to huge numbers of users, without even needing to compromise the websites where they appear.

But the most frightening malvertising variant is known as “pre-click”. Unlike “post-click” malvertising, which requires the user to click a banner before any malware can execute, pre-click malvertising runs its script automatically – a “drive-by download” that’s triggered simply by the user viewing a malicious ad.

How malvertising works

The malware element of malvertising often exploits flaws in software like Adobe Flash or Microsoft Silverlight, with the payload varying from relatively basic viruses and Trojans to various types of ransomware, spyware and keyloggers. Malvertising can also use cross-site scripting (XSS) to inject malicious code into the victim’s browser.

Very often, malvertising attacks are based around exploit kits. These are packages or repositories of tools that can be used to target and exploit computer systems, even by someone with limited knowledge of hacking or malware.

Exploit kits are sold in criminal circles, and can even be licensed for long-term use. Prominent kits include Blackhole, reportedly used in malvertising attacks affecting Spotify in 2011 and the Los Angeles Times in 2012. Another popular exploit kit, Angler, has been used in numerous malvertising attacks since surfacing in 2013.

In a malvertising scenario, an exploit kit like Blackhole or Angler is hosted on a server controlled by the attacker. Once a user has been redirected to this server by a malicious ad, their computer is analysed by the kit. Any vulnerabilities are then ruthlessly exploited, potentially giving the attacker access to the victim’s system and the opportunity to deliver even more malware.
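The redirect chain just described – publisher page, ad slot, a hop or two through throwaway domains, then a plugin payload from the attacker’s server – is something a defender can look for in outbound web traffic. Below is an added example, not code from the original article, that rebuilds such chains from a constructed five-field proxy log (client, Referer, URL, status, content type) and flags the patterns this section describes. The log format, the allowlist of ad-network hosts, the example domains and the scoring thresholds are all assumptions made for the illustration.

```python
"""Reconstruct ad redirect chains from proxy log lines and flag drive-by patterns.

Added example, not from the original article. The log format, the allowlist of
ad-network hosts, the example domains and the scoring heuristics are all
assumptions made for this illustration.
"""
from urllib.parse import urlparse

# Assumed allowlist: hosts the site's ad network is known to serve from.
KNOWN_AD_HOSTS = {"ads.adnet.example", "cdn.adnet.example"}
# Content types of browser plugins that exploit kits historically targeted.
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-app"}

# Constructed sample log: "client referer url status content-type" per line.
SAMPLE_LOG = """\
10.0.0.5 https://news.example/story https://ads.adnet.example/serve?id=1 200 text/html
10.0.0.5 https://ads.adnet.example/serve?id=1 https://cdn.adnet.example/banner.js 200 application/javascript
10.0.0.5 https://news.example/story https://x7q2.example-ek.net/go 302 text/html
10.0.0.5 https://x7q2.example-ek.net/go https://b91k.example-ek.net/land 302 text/html
10.0.0.5 https://b91k.example-ek.net/land https://b91k.example-ek.net/ep.swf 200 application/x-shockwave-flash
10.0.0.9 https://news.example/story https://ads.adnet.example/serve?id=2 200 text/html
"""


def parse_log(text):
    """Parse the constructed five-field log format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, referer, url, status, ctype = line.split()
        entries.append({"client": client, "referer": referer, "url": url,
                        "status": int(status), "ctype": ctype})
    return entries


def build_chain(entry, by_key):
    """Walk Referer links backwards to rebuild the load/redirect chain for one request."""
    chain = [entry]
    seen = {entry["url"]}
    cur = entry
    while (cur["client"], cur["referer"]) in by_key and cur["referer"] not in seen:
        cur = by_key[(cur["client"], cur["referer"])]
        seen.add(cur["url"])
        chain.append(cur)
    chain.reverse()  # oldest hop first
    return chain


def assess_chain(chain):
    """Return the reasons (if any) a chain looks like a malvertising redirect."""
    reasons = []
    hosts = [urlparse(e["url"]).hostname for e in chain]
    unknown = [h for h in hosts if h not in KNOWN_AD_HOSTS]
    if len(unknown) >= 2:
        reasons.append(f"{len(unknown)} hops via hosts outside the ad-network allowlist")
    redirects = sum(1 for e in chain if 300 <= e["status"] < 400)
    if redirects >= 2:
        reasons.append(f"{redirects} redirects before the final resource")
    if chain[-1]["ctype"] in PLUGIN_TYPES:
        reasons.append(f"chain ends in plugin content ({chain[-1]['ctype']})")
    return reasons


def find_suspicious_chains(log_text):
    """Rebuild every chain in the log and return those that trip the heuristics."""
    entries = parse_log(log_text)
    by_key = {(e["client"], e["url"]): e for e in entries}
    # Only leaf requests (nothing used them as a Referer) start a chain walk.
    referenced = {(e["client"], e["referer"]) for e in entries}
    results = []
    for e in entries:
        if (e["client"], e["url"]) in referenced:
            continue
        chain = build_chain(e, by_key)
        reasons = assess_chain(chain)
        if reasons:
            results.append({"client": e["client"],
                            "chain": [hop["url"] for hop in chain],
                            "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in find_suspicious_chains(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["chain"]))
        for reason in hit["reasons"]:
            print("   ", reason)
```

On the sample log the legitimate ad load (ad server, then the network’s CDN) produces no findings, while the second chain is flagged on all three counts: two hops through hosts outside the allowlist, two redirects, and a Flash object as the final resource. In practice the thresholds and the allowlist would be tuned to the networks a site actually uses, and the constantly rotating URLs mentioned later in the article are exactly why the heuristics key on chain shape rather than on specific domains.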

Malvertising: how dangerous it can be

When malvertising takes hold on a high-traffic site, the malicious ad can be exposed to millions of users. For the attackers, the malvertising effort is worthwhile even if just a tiny fraction of these visitors are infected.

A notable attack in 2014, for example, affected major news sites via the Google DoubleClick and ZEDO networks, infecting an estimated 600,000 or more computers with the CryptoWall ransomware. It’s also estimated that this attack generated over $1 million in ransom payments.

Large-scale attacks like this are especially disturbing, both in terms of the number of users affected, and the way trusted sites can have that trust weaponised by the infiltration of malicious ads. There’s also the fact that web banners, by their very nature, are designed to invite clicks, making them the perfect vehicle for a malware attack.

But how does malvertising even get online?

The threat of malvertising raises an obvious question: why don’t advertising companies do more to detect and block malicious ads? The truth is that ad networks and publishers go to great lengths to stamp out malvertising wherever they can. Unfortunately, the attackers’ tactics are often highly sophisticated and difficult to counter.

Attackers will often place “clean” ads on a network to gain a legitimate reputation, and only start linking to malware much later. Cybercriminals have also been known to use false or stolen identities to sign up for ad networks, and stolen credit cards to pay.

The huge volume of ads passing through the networks makes it virtually impossible to thoroughly vet each one. Processes for placing ads are largely automated, and investigation of individual ads is often based on complaints. This means malicious ads can remain undetected for days, weeks or even months – and by the time they’re flagged, it’s too late for the infected users.
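Manual review of every creative may be impossible at that volume, but an automated static pre-screen is cheap and catches the crude cases: active content (scripts, iframes, inline event handlers), embedded Flash or Silverlight objects of the kind the earlier section mentions, and resources that point outside the network’s own hosts and the advertiser’s declared landing domain. The following is an added example, not code from the original article or from any ad network’s real vetting pipeline; the rules, the plugin MIME types checked and the allowlist are assumptions chosen for the illustration.

```python
"""Static pre-screen of an HTML ad creative for active or off-network content.

Added example, not from the original article or any ad network's real vetting
pipeline. The rules, the plugin MIME types checked and the allowlist are
assumptions chosen for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Plugin MIME types that exploit kits historically targeted (Flash, Silverlight).
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-silverlight-2"}
PLUGIN_EXTENSIONS = (".swf", ".xap")
URL_ATTRS = {"src", "href", "data", "action"}


class CreativeScanner(HTMLParser):
    """Collects a finding per risky construct; an empty list means nothing tripped."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag in ("script", "iframe"):
            self.findings.append(f"<{tag}> element in creative")
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("<meta> refresh redirect in creative")
        if tag in ("object", "embed"):
            target = (attrs.get("data") or attrs.get("src", "")).lower()
            if attrs.get("type") in PLUGIN_TYPES or target.endswith(PLUGIN_EXTENSIONS):
                self.findings.append(f"<{tag}> embeds plugin content")
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append(f"inline event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                value = value.strip()
                if value.lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in <{tag} {name}>")
                else:
                    host = urlparse(value).hostname
                    if host and host not in self.allowed_hosts:
                        self.findings.append(f"<{tag} {name}> points off-network to {host}")


def scan_creative(html, allowed_hosts):
    """Return the list of findings for one creative (empty means it passed)."""
    scanner = CreativeScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Assumed allowlist: the network's own CDN plus the advertiser's declared landing domain.
ALLOWED = {"cdn.adnet.example", "advertiser.example"}

# Constructed sample creatives.
CLEAN_CREATIVE = (
    '<a href="https://advertiser.example/landing">'
    '<img src="https://cdn.adnet.example/banner.png" alt="Sale"></a>'
)

SUSPECT_CREATIVE = (
    '<div onmouseover="loadMore()">'
    '<img src="https://cdn.adnet.example/banner.png" alt="Sale">'
    '<object type="application/x-shockwave-flash" data="https://b91k.example-ek.net/ep.swf"></object>'
    '<script src="https://b91k.example-ek.net/l.js"></script>'
    '</div>'
)


if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_CREATIVE), ("suspect", SUSPECT_CREATIVE)):
        print(label, scan_creative(creative, ALLOWED) or "no findings")
```

The clean banner (an image linking to the declared landing page) passes, while the second creative produces five findings: an inline event handler, a Flash object, a script element, and two resources fetched from a host outside the allowlist. A check like this only screens what is in the creative at submission time; it does nothing about the tactic described above where a creative stays clean for weeks and the linked resource is swapped for malware later, which is why periodic re-scanning of live creatives and their fetched resources matters as much as the initial review.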

Since it’s only triggered under specific circumstances, malvertising can be very difficult to observe, identify, replicate and research – and sophisticated exploit kits such as Angler make malicious ads even harder to detect. Angler constantly generates new URLs, making it extremely challenging to track down the sites where malware is being hosted. The exploit kit can also detect whether the target system is a virtual machine, so security experts have a tough time analysing it from the relative safety of a VM.

How to prevent malvertising

Of course, the first line of defence against malvertising is strong antivirus and antimalware software. An up-to-date, real-time antivirus system should prevent the execution of unauthorised software and ensure that malvertising is blocked from delivering its payload.

Continuing the “up-to-date” theme, it’s equally critical to ensure you’re running the latest versions of all your software, since malvertising exploits security gaps in older operating systems, browsers and plugins. Certain software with notorious vulnerabilities, like Flash, is often best avoided altogether (this is one of the main reasons Flash usage has dropped in recent years).

Then there’s the controversial issue of ad blocking. While publishers and owners of ad-supported sites obviously aren’t fans, ad-blocking software sidesteps malvertising by blocking ads altogether. However, with ad blockers so unwelcome on ad-supported platforms, many sites now require ad-blocking plugins to be deactivated before any content can be viewed.

Aside from ad blockers, content-filtering software in general can help in the fight against malvertising. Browser plugins that provide protection include NoScript for Firefox, which blocks Flash, JavaScript and Silverlight, helping to prevent malvertising and XSS attacks.

As one of the leading providers of online advertising services, Google is at the forefront of combating malvertising. The company has created a guide to anti-malvertising to help publishers, ad operators and users educate themselves and prevent malvertising whenever possible.

It’s a serious threat, but you shouldn’t be too paranoid about malvertising. Apart from the occasional bit of annoying hard sell, there’s nothing to fear from the vast majority of web banners – and with up-to-date software and security, you should be able to avoid ill effects from any malvertising you encounter. With that said, it’s also vital to be aware of the risks, and continue to push for higher standards of security throughout the online marketing industry.