According to a report by Statista, there were over 5.6 billion malware attacks from over 678 detected malware types in a single year. Most internet users have learned to be cautious about suspicious activity and phishing attempts. However, cybersecurity is in many ways a cat-and-mouse game, with black hats and white hats locked in a seemingly endless competition to be stealthier than the other side. This has inevitably led the former to wrap malware in seemingly harmless digital advertisements, which are, arguably, the lifeblood of the internet economy.
What if malware was a click away via the ads we encounter every day? How can we tell if clicking an ad would wreak havoc on our devices and systems?
Malvertising is one of the newer iterations in the evolution of malware delivery. It is potentially more dangerous than other vectors because users are attacked through legitimate publishing and advertising platforms. The growth of online advertising has been a significant contributor to its spread: it can reach a broad spectrum of users thanks to the vastness of the channel it travels through, and it is hard for both the user and the ad publisher to detect and defend against.
Malvertising is a portmanteau of 'malicious advertising'. The attacker inserts malware, or code that fetches it, into legitimate advertising networks that serve ads on highly reputable websites.
These seemingly harmless 'infected' ads contain malicious code. When a user clicks on one (or, in some variants, merely views it), the code redirects the browser to an attacker-controlled server, which probes the browser and delivers the malware to the device, all within seconds.
Malvertising is widespread because large publishers typically use automated third-party ad platforms to fill the ad slots on their pages. The publisher never sees most creatives before they are served, which makes direct oversight difficult and works in the threat actors' favour. Because malvertising does not directly damage the publishing website, it can also go unnoticed for a long time.
Not only does malvertising tarnish the reputation of advertising platforms and publishers, it can also steal sensitive information from the end user. If the payload is ransomware, the consequences are more devastating still.
Users who adopt third-party ad blockers to avoid malvertisements directly cut the ad revenue of both publishers and marketers, a severe blow to the online advertising ecosystem.
Users often confuse malvertising with adware (ad malware). The two are technically distinct. Malvertising is malicious on all counts. Adware is a program that runs on the user's device to track web activity, display unwanted ads and collect user data; it is often bundled with legitimate applications. Most of the time, adware neither seriously breaches the user's privacy nor alters or takes control of the device or encrypts its data. Also, the code used for malvertising is delivered through a publisher's page, whereas adware is usually installed directly on the end user's device. The potential impact of malvertising on users is therefore much greater than that of adware.
Before placing malicious code into ads, threat actors usually gain the trust of the ad platform by keeping a low profile and running legitimate ads for a while. They may also use clickbait creatives to trigger a strong emotional reaction and generate a high click-through rate.
A user who clicks on an infected ad is redirected to a malicious landing page.
Attackers can use the following methods to infect ads:
● A user who clicks an ad is typically redirected through several intermediate URLs before reaching the final landing page. If the attacker controls or compromises any of those hops, that hop can serve the malicious code.
● Tracking pixels, used for ad measurement, can carry code the attacker has placed. A legitimate pixel only returns data to the ad server. However, an attacker who controls or intercepts a pixel's delivery path can return a response containing malicious code to the user's browser.
● Attackers can exploit the fact that video players do not typically protect against malware. For instance, VAST, the standard XML format for serving video ads, references third-party tracking pixels, click-through pages and media files by URL, any of which may point at malicious content. And when the attacker inserts malicious code into a pre-roll ad, the user does not even have to click on the video for the malware to be downloaded.
● Attackers sometimes compromise legitimate landing pages of products or services by tampering with clickable on-page elements so that they execute malicious code.
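The pixel and VAST points above come down to one property: a video ad response is a list of URLs the player will fetch or open on the user's behalf, most of them without a click. The script below is an added example (not code from the original article or from any ad-tech vendor) that parses a VAST document and reports every URL that does not belong to a vetted host, treating automatically fetched resources (impressions, tracking events, media files, wrapper tags) more strictly than the click-through destination. The allowlist, the sample VAST document and all host names in it are constructed for illustration.

```python
"""Audit every outbound URL in a VAST video-ad response against a host allowlist.

Added example, not from the article and not a vendor tool. VAST is the IAB XML
format the article mentions; the allowlist and the sample document below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the publisher's ad-ops team has vetted.
ALLOWED_HOSTS = {"ads.example-network.com", "cdn.example-network.com"}

# VAST elements whose text is a URL the player fetches with no user action...
AUTO_FETCH_TAGS = {"Impression", "Tracking", "MediaFile", "VASTAdTagURI", "Error"}
# ...and elements whose URL is opened when the user clicks the creative.
CLICK_TAGS = {"ClickThrough", "ClickTracking", "NonLinearClickThrough"}

# Constructed VAST 3.0 inline ad. One impression pixel and the click-through
# point at hosts that are not on the allowlist.
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="demo">
    <InLine>
      <AdSystem>ExampleNetwork</AdSystem>
      <AdTitle>Demo</AdTitle>
      <Impression><![CDATA[https://ads.example-network.com/imp?id=1]]></Impression>
      <Impression><![CDATA[https://track.third-party.test/px.gif?c=1]]></Impression>
      <Creatives>
        <Creative>
          <Linear>
            <Duration>00:00:15</Duration>
            <TrackingEvents>
              <Tracking event="start"><![CDATA[https://cdn.example-network.com/t/start]]></Tracking>
            </TrackingEvents>
            <VideoClicks>
              <ClickThrough><![CDATA[https://landing.offer-page.test/go]]></ClickThrough>
            </VideoClicks>
            <MediaFiles>
              <MediaFile type="video/mp4"><![CDATA[https://cdn.example-network.com/v/demo.mp4]]></MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>
"""


def extract_urls(vast_xml):
    """Return (tag, url) for every URL-bearing element, in document order."""
    root = ET.fromstring(vast_xml)
    found = []
    for elem in root.iter():
        if elem.tag in AUTO_FETCH_TAGS | CLICK_TAGS and elem.text and elem.text.strip():
            found.append((elem.tag, elem.text.strip()))
    return found


def audit_vast(vast_xml, allowed=ALLOWED_HOSTS):
    """Return (tag, url, reason) for every URL a reviewer should look at."""
    findings = []
    for tag, url in extract_urls(vast_xml):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((tag, url, "not https"))
        elif host not in allowed:
            kind = "auto-fetched" if tag in AUTO_FETCH_TAGS else "click destination"
            findings.append((tag, url, f"{kind} from unvetted host {host}"))
    return findings


if __name__ == "__main__":
    for tag, url, reason in audit_vast(SAMPLE_VAST):
        print(f"{tag:<14} {reason:<50} {url}")
```

Click-through hosts are normally advertiser-owned rather than ad-network hosts, so a real policy would keep a separate advertiser allowlist; the example only distinguishes the reason so that an unvetted auto-fetched URL, which fires with no click at all, can be prioritised over an unvetted click destination.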
Once the user reaches the page the attacker wants them on, the malware is delivered through a browser exploit kit: the malicious landing page fingerprints the browser and its plugins and probes for vulnerabilities it can exploit. The good news is that this approach has largely declined, because modern browsers sandbox content, update automatically and have dropped the plugins the kits relied on. In response, attackers have moved to forced redirects, where the ad's script hijacks browser navigation and sends the user to a malicious landing page automatically, with no click at all.
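Both the multi-hop redirect chain described in the list above and a script-driven forced redirect leave the same trace in a web proxy or network sensor: one client moving through several unrelated hosts in a couple of seconds, often ending in a download. The script below is an added example (not code from the article, and not part of any product) that rebuilds per-client navigation chains from proxy records and scores them by the signals a detection team would look at: number of distinct hosts, whether the chain ends in an executable, and whether it started at a known ad host but ended somewhere unvetted. The log format, the allowlist and every host name are constructed for illustration; a real deployment would read the proxy's own format.

```python
"""Flag suspicious redirect chains in web-proxy logs.

Added example, not from the article or any vendor product. The record format
and every host name below are constructed; a real deployment would parse the
proxy's own log format instead.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allowlist of ad-network and advertiser hosts already vetted.
KNOWN_GOOD_HOSTS = {"ads.example-network.com", "www.advertiser.test"}

# Responses that mean the browser ended up fetching a program.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msi", "application/vnd.microsoft.portable-executable"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".scr")

# Constructed records: ts client url status location referer content_type ("-" = empty)
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 https://news.example-publisher.com/article 200 - - text/html
2024-03-01T10:00:01Z 10.0.0.5 https://ads.example-network.com/click?id=7 302 https://rtb.broker.test/r?x=1 https://news.example-publisher.com/article -
2024-03-01T10:00:01Z 10.0.0.5 https://rtb.broker.test/r?x=1 302 https://go.shortlink.test/a1 - -
2024-03-01T10:00:02Z 10.0.0.5 https://go.shortlink.test/a1 302 https://update-player-now.test/install.exe - -
2024-03-01T10:00:02Z 10.0.0.5 https://update-player-now.test/install.exe 200 - - application/octet-stream
2024-03-01T10:05:00Z 10.0.0.9 https://ads.example-network.com/click?id=8 302 https://www.advertiser.test/landing https://news.example-publisher.com/article -
2024-03-01T10:05:00Z 10.0.0.9 https://www.advertiser.test/landing 200 - - text/html
"""


@dataclass
class Record:
    ts: str
    client: str
    url: str
    status: int
    location: Optional[str]
    referer: Optional[str]
    ctype: Optional[str]


def parse_log(text):
    """Parse the constructed space-separated format into Record objects."""
    blank = lambda v: None if v == "-" else v
    records = []
    for line in text.splitlines():
        ts, client, url, status, loc, ref, ctype = line.split(" ", 6)
        records.append(Record(ts, client, url, int(status), blank(loc), blank(ref), blank(ctype)))
    return records


def host(url):
    return urlparse(url).hostname or ""


def build_chains(records):
    """Group each client's requests into navigation chains.

    A request continues the client's current chain if it is the target of the
    previous response's Location header (an HTTP redirect) or if its Referer is
    the previous URL (a script-driven navigation, which is how a forced
    redirect shows up). Anything else starts a new chain.
    """
    chains, current = [], {}
    for rec in records:
        prev = current.get(rec.client)
        if prev and (rec.url == prev[-1].location or rec.referer == prev[-1].url):
            prev.append(rec)
        else:
            current[rec.client] = [rec]
            chains.append(current[rec.client])
    return chains


def score_chain(chain):
    """Return the reasons a chain looks like a malvertising redirect (empty if none)."""
    reasons = []
    hosts = list(dict.fromkeys(host(r.url) for r in chain))  # distinct, ordered
    last = chain[-1]
    if len(hosts) >= 3:
        reasons.append(f"{len(hosts)} distinct hosts in one navigation chain")
    if last.ctype in EXECUTABLE_TYPES or urlparse(last.url).path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("chain ends in an executable download")
    if host(last.url) not in KNOWN_GOOD_HOSTS and any(h in KNOWN_GOOD_HOSTS for h in hosts):
        reasons.append(f"passed through a known ad host but ended on unvetted host {host(last.url)}")
    return reasons


def find_suspicious(log_text):
    """Return (client, [urls], reasons) for every chain with at least one reason."""
    results = []
    for chain in build_chains(parse_log(log_text)):
        reasons = score_chain(chain)
        if reasons:
            results.append((chain[0].client, [r.url for r in chain], reasons))
    return results


if __name__ == "__main__":
    for client, urls, reasons in find_suspicious(SAMPLE_LOG):
        print(client, " -> ".join(urls))
        for reason in reasons:
            print("   ", reason)
```

The benign click on the second client also goes through the ad network, but it stops after one hop on a vetted advertiser host and serves HTML, so it produces no reasons; that contrast is what keeps a rule like this from paging on every ordinary ad click.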
In 2021, REvil, a cybercrime gang known for ransomware, used paid placements in Google search results to lure users into clicking malicious links. The approach is often grouped with SEO poisoning (search poisoning), which manipulates organic rankings rather than paying for placement, and it was highly successful: most users took the bait because they trusted the links displayed in Google's search results.
Angler was an exploit kit that automatically redirected users to a page where vulnerabilities in browser plugins such as Adobe Flash and Oracle Java were exploited.
Angler spread malware through high-profile websites such as The Daily Mail and Forbes. According to reports, the threat actors behind it extorted over $60 million using this malvertising technique.
Malvertising can be classified by how the payload is executed and delivered to the user's device:
● Attackers rely on pop-up ads shown while the user is browsing to trigger deceptive downloads, for example of fake software.
● With the drive-by download approach, the user does not have to click on anything for the malware to be downloaded. The download happens entirely without the user's knowledge by exploiting vulnerabilities in the browser or its plugins.
● Attackers can place their code on a publisher page through inline frames (iframes), an HTML element commonly used to embed content from another source, typically an advertisement, into a web page. The framed content runs as soon as the page renders, so malware can be delivered without the user clicking on the frame at all.
Users can also mitigate risks by following some simple yet effective practices:
● Keep your browser and plugins up to date.
● Use a reputable ad blocker.
● Run legitimate, up-to-date antivirus software and keep application security tooling current.
● Ensure that all downloads happen via official websites and legit/verified resources.
You may be a victim of malvertising if your device becomes unusually slow, if apps you did not install appear, or if you notice more frequent pop-ups that are particularly hard to close.
Follow these steps if you think any sort of malvertising may have compromised your device.
● Disconnect from the internet
● Enter Safe mode
● Avoid logging into accounts so that the attackers don’t acquire any important credentials that might lock you out.
● Delete temporary files, which may contain files dropped by the malware.
● Check Activity Monitor (Mac) or Task Manager (Windows) to see if any suspicious programs are running.
● Run a reputable malware scanner, which removes most common, known malware.
● Fix your browser by reinstalling it, removing unwanted plugins or clearing its cache.
Infecting users' devices via ad platforms, malvertising is one of the most advanced and stealthy forms of cyberattack. It gravely affects advertisers' and publishers' reputations and ad revenue, not to mention the harm it causes end users. Many high-profile publishers and websites have been victims. Although mitigation efforts exist, both users and publishers are responsible for being cautious and taking the necessary steps to limit the impact of malvertisements.
Novacommand can help detect threats by inspecting and analyzing network traffic. Metadata about that traffic is correlated and analyzed as well.
This allows threats to be detected at an early stage by their behavior, their destination, or a combination of both.
Novacommand will not 'defend' you against threats by itself, but it will alert you to a threat and, if needed, trigger an action through a third-party integration such as a firewall or an endpoint protection platform (EPP).
If a landing page has clickable on-page elements, the attacker can inject malicious code into them, and a click can then install malware on the user's device.
Most high-traffic websites display ads to their visitors, so attackers insert malicious code into those ads to reach as many users as possible. Besides, the nature of the content on the popular website in question makes it easier for attackers to achieve high click-through rates for their malvertisements.
Possibly, but not always. An infected ad can carry malicious code that leads to malware being installed on your device. That does not mean you cannot click on ads at all; browsing cautiously and using the relevant security tools can keep you from falling victim to malvertising.