Advertising might be the business model that built the Internet, but, as with any prevalent and deeply ingrained technology, it has been hijacked by attackers for malicious ends. This manifests itself as malvertising.
Malvertising is essentially the method attackers use to embed malicious code into adverts, which then drop a payload directly on to the endpoint of the user.
Initially a consumer focused problem, as with many things in cyber security, it has graduated into becoming a problem for enterprises.
Where is malvertising and what does it do?
The beauty of malvertising for an attacker is that the malicious ads can be placed on any number of otherwise highly trafficked websites. Typically, they select websites which people trust. Brands such as the Daily Mail for example have been caught serving up infected ads.
Malvertising starts with an attacker abusing the ad networks which now serve a vast proportion of all the adverts on the Internet.
These have been made very simple to use. Usually it’s just a case of signing up for an account, loading ad code and creative, selecting targeting preferences and paying. In no time at all, your ad is featured in a variety of places.
To subvert this process, what an attacker does is submit legitimate looking code and, once checks have been performed, they switch it out for malware.
The attack is made particularly more effective by the criminal element using an exploit as their entry point onto a system. It will look for an unpatched vulnerability in each individual machine, and if present, send the payload. This can be anything from RATs to spyware. As it is a drive-by attack, everything happens without the knowledge of the user.
Malvertising: what is it?
Malicious advertising, AKA malvertising is an attack where the criminal hides malicious code in an online advertisement to infect computers that view or interact with that advert.
How does malvertising work?
Malicious ads are placed alongside legitimate ads, using common advertising networks to buy up ad-space on all types of websites – even highly reputable ones. The cybercriminal may switch-out clean code for malicious code once the advert has been approved to get it past advertising network checks and quality control.
- The malicious ads are visually indistinguishable from a real advert, appearing as a banner or pop up on a website. Rotation with legitimate adverts makes it hard to spot.
- Visitor’s computers can be infected pre-click or post-click, this means a device can become infected without action (click) from the user.
- The malicious element, often a virus or spyware, could be embedded in main scripts of the page, delivered through auto-run redirects or as a drive-by download.
- A malvertising attack can also use iFrames to discreetly navigate to additional web pages to reach the malicious payload and infect computers.
The rub for enterprises, especially in a day and age when their workforce is largely remote, is that once installed on an endpoint – malware has a nasty habit of ‘landing and expanding’ – moving sideways into high value areas such as core networks and email servers.
The upshot is, malicious code will sit hidden for as long as possible, scooping up sensitive data, keystrokes and other IP and communicating it all back to a control server.
How can you protect your business against malvertising?
The typical mantra of educating employees alongside technical solutions is hard in the case of malvertising, given it requires little or no interaction from the user. That said, there are some websites that have a lower quality of checks on their advertising or are set up specifically to drop malware.
This can be anything from adult websites to fake sites set up on nearby or cousin domains to look like legitimate brands. In these instances, it is good hygiene to reinforce the message that people should stay away from such web presences on company hardware.
From a technical perspective, a good web filtering solution installed on a web gateway or directly onto endpoints will help mitigate some of the risk.
If kept fed with a contemporary threat intel feed of malvertising domains, this technology will prevent the user from visiting malicious websites in the first place.
Such technology will also be a powerful ally in helping to detect and block the malicious calls made by any malware which does manage to install within an environment, effectively severing communication with the controller.
Malvertising may be hard to detect from a user point of view, but deploying a rigorous approach to web filtering will help stop malware installing in the first place and block it calling home if it does manage to get a foothold.
For more information on advanced web security and malware prevention, click here.