The security industry is flooded with research showing that malvertising is a major and fast-growing threat.
- June was the worst month ever for malvertising, said Patrick Belcher, Director of Security Analytics for Invincea.
- Yahoo! was hit in July by one of the largest malvertising attacks ever seen, said Jerome Segura, Malwarebytes’ Senior Security Researcher.
- Malicious ads spiked 260% in the first quarter of 2015 compared to the same period last year, according to RiskIQ.
We dig into this threat below to show you how to avoid it.
What is malvertising?
Malvertising is the use of online ads to spread malware.
By creating malicious ads, attackers can use the massive reach of online ad networks to infect more users with ransomware, trojans, and other hazards.
Types of malvertising
- Drive-by download
The fastest-growing type of malvertising requires no interaction from the user. Infection begins once the user visits a site and the malicious ad is loaded.
The user’s system is penetrated through software vulnerabilities found in common applications such as Flash and Java. By keeping all software up to date, users can avoid many of these attacks.
However, a recent spike in zero-day attacks means patching will not help in all cases. (More on this below)
Though becoming less common, some malvertising requires interaction from the user. In one example, the user clicks an ad and is redirected to a malicious site that installs malware on the system.
- Fake viruses and updates
Another common malvertising tactic is to claim that the user has a virus or out-of-date application. The user clicks to download and install the fake solution and becomes infected.
Types of malware installed
The type of malware spread by malvertising varies. The payload can be anything from an application that secretly mines Bitcoin to a standard banking Trojan.
Two types of malware that are popular in the recent wave of malvertising, according to Invincea, are ransomware and click-fraud malware.
Flash is the biggest target
Adobe Flash is the application most targeted by today’s malvertising attacks. Several zero-day exploits for Flash have recently turned up in online ads, and some have even called for Flash to be dropped altogether.
As you can see in this chart from Bromium’s report, Flash is having its turn in a long cycle of favorite applications to exploit:
Criminals change tactics constantly. Internet Explorer (IE), Java Runtime Environment (JRE), and other applications have been major targets in the past, and we can expect the cycle to continue.
Why is malvertising growing?
Many trends are contributing to the rapid rise of malvertising.
Online ads are convenient for crime
Ad networks give criminals a fast and easy way to reach thousands, even millions, of potential victims for malware.
Buying ads is typically cheap, anonymous, and automated. Advertisers can pay less than a hundred dollars and reach thousands of websites. They can target the ads by site topic, region, and even web browser.
Also, ad networks make buying and uploading ads as fast and easy as possible. By removing barriers, the networks can sell more ad space. Unfortunately, this also makes it easier for attackers to slip in.
All of this gives criminals (and legitimate companies) a fast and easy way to spread their message.
Websites have no control over ads
The internet economy runs on advertising. Without ad revenue, many websites would not exist.
By joining an ad network, websites can easily turn site traffic into revenue. The sites dedicate space to show the ads, and the network pays based on the number of impressions or clicks.
But other than choosing where to show ads on their sites, the site owners have no control over the ads’ content. The networks determine which ads are shown, and the ads change every time a page loads.
So websites can show ads that harm visitors without realizing it. Even if they knew, they could not stop the ads from showing without removing the network’s ads completely – and that may kill a site’s only revenue stream.
Networks struggle to detect bad ads
Major ad networks serve billions of ads a day. Uncovering the tiny percentage that are harmful is a major task.
The top networks, such as Google Display Network or Yahoo! Bing Network Contextual Ads, have more resources and expertise. They tend to be better at blocking malvertising than the smaller networks.
“These [networks] traditionally have more resources and stricter controls… Overall the number of incidents for the major ad networks is much, much lower than those that are less reputable,” said Segura in an interview with AdAge last week.
And there are many smaller networks with fewer resources. Here’s a list of 44.
Major networks infiltrated
Although the major ad networks are typically better at detecting malicious ads, they cannot eliminate the problem completely. Websites such as eBay.co.uk, Yahoo!, and YouTube have been hit by malvertising campaigns – partly because they are huge targets.
The chart below from Bromium shows that more than half of all malvertising originates from news and entertainment websites.
Attackers are able to use ad networks to reach some of the most popular sites on the web. That gives them access to vast amounts of traffic, which is helping to spread this threat.
More zero-day exploits
Malvertising attackers are using newly discovered vulnerabilities in common applications to penetrate users’ systems.
These zero-day attacks target vulnerabilities for which the software vendor has not yet released a patch. That means every user of the affected application is exposed, even one who installs updates promptly.
The combination of a drive-by download with a zero-day attack for an application as widespread as Flash is a frightening prospect. Millions of users are vulnerable, and they only have to load the wrong webpage to be infected.
Malware detection evasion improves
Attackers are improving how they side-step detection by anti-virus and intrusion detection systems.
A growing trend is for malware to build and install itself in a series of steps rather than arriving as one complete package. The victim’s machine gradually receives small pieces of malicious code that assemble into a full-scale infection, so no single download looks like a known malware sample.
As attackers become more adept at avoiding detection and gain access to larger networks and websites, this threat will continue to accelerate.
Attackers gain ROI
Attackers are business-minded. They are in it for the money. As long as malvertising earns a strong return on investment, they will continue to use it.
Whether attackers are buying ads with their own funds or with stolen credit card information is an open question. But for a relatively small investment, a criminal outfit can vastly expand its number of malware infections, thereby pulling more revenue from its click fraud, ransomware, and other efforts.
As long as attackers continue to receive high returns on investment, malvertising will remain a threat.
How to avoid malvertising
The rise in zero-day exploits and detection evasion in malvertising is concerning. But there are several steps you can take to better protect your systems and clients from these attacks.
Never browse as an administrator
Much malware needs administrator-level access to install system-wide or to tamper with the operating system. By browsing the web from a standard user account, you prevent drive-by downloads and other attacks from silently installing that kind of malware.
For example, if you are logged in as a standard user and a website attempts to push software onto your machine, the installer will prompt for an administrator’s password before it can proceed.
This stops many (but not all) types of malware from installing without your consent; malware that only needs to write to the user’s own profile can still run.
Disable or restrict Flash and Java
Adobe Flash is the most targeted application in the recent wave of malvertising. You can disable the Flash plugin in your internet browser, or require Flash to ask for permission before it runs (click to play), by changing your browser settings.
A downside to this approach is a potential loss of functionality on certain websites, especially some web videos and animations. Many companies are transitioning from Flash to HTML5, but Flash is still widely used.
Although not a primary target in the recent wave of malvertising attacks, Java (developed by Oracle) is another application that is prone to vulnerabilities and often the target of exploits and attacks. Oracle provides instructions for disabling Java on its website.
However, just like Flash, Java is widely used across the web. Disabling it may prevent some applications, such as web conferencing and ecommerce sites, from working properly.
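A concrete version of the settings change described above, as an added example that is not part of the original article: a Firefox user.js file that sets Flash to click-to-play and turns Java off. Firefox’s plugin.state.flash and plugin.state.java preferences take 0 (never activate), 1 (ask to activate, i.e. click to play) or 2 (always activate). The plugin.default.state preference for all other plugins is assumed to exist in the reader’s Firefox version and should be checked in about:config before relying on it. Other browsers expose the same choice through their own settings pages, which this example does not cover.

```javascript
// Firefox user.js (added example, not from the original article).
// Place this file in the Firefox profile directory; Firefox applies it at start-up.
// plugin.state.* values: 0 = never activate, 1 = ask to activate (click to play), 2 = always activate.

// Weak setting: plugins run automatically on every page, so a malicious ad's
// Flash or Java object executes as soon as the page loads.
// user_pref("plugin.state.flash", 2);
// user_pref("plugin.state.java", 2);

// Hardened setting: Flash only runs after the user clicks the placeholder,
// and Java never runs in the browser.
user_pref("plugin.state.flash", 1);
user_pref("plugin.state.java", 0);

// Assumed preference name (verify in about:config): default for any other plugin
// is also click to play rather than auto-run.
user_pref("plugin.default.state", 1);
```

With Flash at click-to-play, a drive-by ad shows a grey placeholder instead of running; a user who never clicks it is never exposed to the exploit, while site video still works for anyone who chooses to activate it.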
Block ads with plugins
Plugins such as Adblock Plus are available for major internet browsers. These tools will automatically block most web ads.
Although blocking ads can harm the Internet economy – preventing free websites from generating revenue – you will be able to help prevent malicious ads from harming you and your clients until this problem is stamped out.
Use web filtering
Preventing users from visiting malicious websites is always a good idea. Web filtering can stop ads from redirecting users to malicious sites, and it can prevent users from directly visiting sites known for drive-by downloads and other attacks.
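The drive-by chain described under “Drive-by download” (page, then ad-network tag, then a redirect to a host the user never chose, then a Flash or Java object) leaves a trail in a web proxy’s logs, and a filtering proxy or log pipeline can look for it. The script below is an added example, not code from the original article or from any vendor named on the page: it reconstructs each client’s referer chain from proxy log lines and flags Flash/Java objects that were reached through a known ad-serving domain but served from a third-party host. The log format, the ad-network domain list (AD_NETWORK_DOMAINS) and the sample lines (SAMPLE_LOG) are all constructed for the example; a real blocklist and log layout will differ.

```javascript
// Added example for this article: reconstruct referer chains from web-proxy
// logs and flag Flash/Java objects that were reached through an ad network
// but served from a third-party host. Not code from the original page.
//
// Assumed (constructed) log format, one request per line:
//   <unix time> <client ip> <method> <url> <status> <content-type> <referer or ->

// Assumption: domains your ad networks serve from (a real list will differ).
const AD_NETWORK_DOMAINS = ['adnet.example', 'ads.example'];
// Content types and extensions of the plugin content malvertising delivers.
const PAYLOAD_TYPES = new Set(['application/x-shockwave-flash', 'application/java-archive']);
const PAYLOAD_EXTENSIONS = ['.swf', '.jar', '.class'];
const MAX_HOPS = 10; // guard against referer loops

// Constructed sample: client .5 opens a news page whose ad slot redirects to an
// unknown host that serves a .swf and a .jar; client .7 plays the site's own video.
const SAMPLE_LOG = [
  '1438350000.101 10.0.0.5 GET http://news.example/article/42 200 text/html -',
  '1438350000.352 10.0.0.5 GET http://ads.adnet.example/serve?zone=17 200 text/html http://news.example/article/42',
  '1438350000.610 10.0.0.5 GET http://cdn.adnet.example/creative/banner.jpg 200 image/jpeg http://ads.adnet.example/serve?zone=17',
  '1438350001.020 10.0.0.5 GET http://ads.adnet.example/serve?zone=9 200 text/html http://news.example/article/42',
  '1438350001.480 10.0.0.5 GET http://xk7q2.example/go.php?id=3 302 text/html http://ads.adnet.example/serve?zone=9',
  '1438350001.900 10.0.0.5 GET http://mz3.example/f/play.swf 200 application/x-shockwave-flash http://xk7q2.example/go.php?id=3',
  '1438350002.100 10.0.0.5 GET http://mz3.example/f/ld.jar 200 application/java-archive http://xk7q2.example/go.php?id=3',
  '1438350003.000 10.0.0.7 GET http://news.example/video/7 200 text/html -',
  '1438350003.300 10.0.0.7 GET http://news.example/player.swf 200 application/x-shockwave-flash http://news.example/video/7',
];

function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length !== 7) return null; // skip malformed lines rather than crash
  return {
    ts: Number(f[0]), client: f[1], method: f[2], url: f[3],
    status: Number(f[4]), ctype: f[5].toLowerCase(),
    referer: f[6] === '-' ? null : f[6],
  };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function pathOf(url) {
  try { return new URL(url).pathname.toLowerCase(); } catch (e) { return ''; }
}

// Suffix match on label boundaries: 'cdn.adnet.example' matches 'adnet.example',
// 'notadnet.example' does not.
function matchesDomain(host, domains) {
  return host !== null && domains.some(d => host === d || host.endsWith('.' + d));
}

function isPayload(entry) {
  return PAYLOAD_TYPES.has(entry.ctype) ||
    PAYLOAD_EXTENSIONS.some(ext => pathOf(entry.url).endsWith(ext));
}

// Returns one alert per suspicious payload:
//   { client, payloadUrl, chain: [hosts from the opened page to the payload] }
function findDriveByChains(logLines) {
  const entries = logLines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const lastSeen = new Map(); // "client url" -> most recent request for that URL by that client
  const alerts = [];
  for (const entry of entries) {
    if (isPayload(entry) && entry.status >= 200 && entry.status < 300) {
      // Walk the referer chain back to the page the user actually opened.
      const chain = [entry];
      let cur = entry;
      for (let hops = 0; cur.referer && hops < MAX_HOPS; hops++) {
        const prev = lastSeen.get(entry.client + ' ' + cur.referer);
        if (!prev) break;
        chain.unshift(prev);
        cur = prev;
      }
      const hosts = chain.map(e => hostOf(e.url));
      const rootHost = hosts[0];
      const payloadHost = hosts[hosts.length - 1];
      const viaAdNetwork = hosts.some(h => matchesDomain(h, AD_NETWORK_DOMAINS));
      // Objects hosted by the publisher itself or by the ad network are expected;
      // an ad chain that ends on some other host is the drive-by pattern.
      const thirdParty = payloadHost !== rootHost && !matchesDomain(payloadHost, AD_NETWORK_DOMAINS);
      if (viaAdNetwork && thirdParty) {
        alerts.push({ client: entry.client, payloadUrl: entry.url, chain: hosts });
      }
    }
    lastSeen.set(entry.client + ' ' + entry.url, entry);
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const a of findDriveByChains(SAMPLE_LOG)) {
    console.log(`${a.client} fetched ${a.payloadUrl} via ${a.chain.join(' > ')}`);
  }
}
```

Run it with node; each alert lists every hop’s host, so an analyst sees the page, the ad tag and the redirect in one line. Matching is by domain suffix, so any subdomain of a listed ad network counts, and a Flash file served by the publisher itself (the second client in the sample) is deliberately not reported. Because this looks at the delivery path rather than the payload, it still fires when the exploit inside the .swf or .jar is a zero-day that anti-virus does not yet recognise.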
Stick with the basics
Basic security practices – such as maintaining updated software, anti-virus, and network security – should always be followed.
Although some attacks use zero-day exploits and are hard to prevent, many attacks use old exploits that have long since been patched. And although some malware and virus variants are new and novel, some are well-known by anti-virus vendors and easily blocked.
So keep your guard up, keep your systems patched, and keep your users educated.