One of the most worrying attack vectors in the history of cybersecurity is becoming the cybercriminal's weapon of choice. With a 325% increase in attacks according to Cyphort, malvertising, or malicious advertising, is a force to be reckoned with.
Malvertising isn't new: using malicious ads as a vector to push out malware has been a technique since around 2007. However, it is becoming more sinister and more successful because of innovations on the attackers' side. Early malvertising campaigns relied on user intervention, but in recent attacks no user intervention was needed for a victim to end up infected with malware. This is the twist in the malicious ad tale that is leaving consumers and businesses alike reeling.
The reason malvertising is so successful comes down to how the cybercriminal plays the system. Ads are served across Internet sites from centralized ad networks such as Google AdSense and Media.net. There are many such networks, serving ads that reach hundreds of millions of users across the Internet. Cybercriminals use these networks to push their malicious ads out across legitimate websites, and it is this abuse of a legitimate, trusted process and website that makes malvertising so difficult to spot and control. As the networks become savvier about spotting infected ads, the cybercriminals stay one step ahead: they are known to place clean ads (paying for the placement themselves) and, once the ads are accepted and pushed out across the network, to use command-and-control services to infect the ad with malware.
Malicious ads do still occasionally use the click-to-install method of infection, where the malware is activated when the user clicks the ad. If a vulnerability is present in the user's browser, or in plug-ins like Flash or Java, the malware runs using that exploit. However, there is an increase in the use of independent exploit kits to perform the infection, because these require no user intervention. In this scenario the infection method is known as a 'drive-by download'. Drive-by downloads work by performing a silent redirection from the site hosting the ad to a spoof site hosting the exploit kit. This redirection is often very fast and hardly noticeable. On the spoof site sits an exploit kit; the Angler exploit kit seems to be a popular choice. In fact, Cisco's Midyear Security Report for 2015 found that 40% of user penetration was caused by the Angler exploit kit. An exploit kit works by probing for vulnerabilities in the software on your computer, usually the browser and browser plug-ins; if it finds one, it uses it to install the malware.
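As an added example (not from the original article), the following Python script shows how a defender might spot the drive-by chain just described in web proxy logs: a request whose Referer is a known ad-network host, followed within seconds by the same client fetching a Flash, Java, Silverlight or executable payload from the redirect target. The ad-network host list, the payload content types and the log lines are all assumed or constructed for the example.

```python
"""Flag drive-by-download chains in web proxy logs: an ad-network request that
silently redirects a client to another host, which then serves a browser
plug-in payload (Flash, Java, Silverlight) or an executable."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed (hypothetical) list of ad-network hosts the organisation expects to see.
AD_NETWORK_HOSTS = {"pagead2.googlesyndication.com", "contextual.media.net"}
# Content types an exploit-kit landing page typically serves to the browser.
PAYLOAD_TYPES = {
    "application/x-shockwave-flash", "application/java-archive",
    "application/x-silverlight-app", "application/octet-stream",
}
WINDOW_SECONDS = 5  # a drive-by redirect and payload fetch complete in seconds

# Constructed sample log; fields: ts client url referer status content_type
SAMPLE_LOG = """\
100 10.0.0.5 http://news.example/story.html - 200 text/html
101 10.0.0.5 http://pagead2.googlesyndication.com/ad.js http://news.example/story.html 200 application/javascript
102 10.0.0.5 http://ek-landing.example/gate.php http://pagead2.googlesyndication.com/ad.js 302 text/html
103 10.0.0.5 http://ek-landing.example/flash.swf http://ek-landing.example/gate.php 200 application/x-shockwave-flash
150 10.0.0.7 http://pagead2.googlesyndication.com/ad.js http://blog.example/ 200 application/javascript
151 10.0.0.7 http://cdn.example/logo.png http://blog.example/ 200 image/png
"""

def parse(line):
    ts, client, url, referer, status, ctype = line.split()
    return {"ts": int(ts), "client": client, "url": url, "ctype": ctype,
            "host": urlparse(url).netloc, "status": int(status),
            "ref_host": urlparse(referer).netloc if referer != "-" else ""}

def find_driveby_chains(log_text):
    """Return (client, ad_host, landing_host, payload_url) for each suspect chain."""
    hits = []
    # Per client: hosts first reached via an ad-network Referer -> (ts, ad host)
    landings = defaultdict(dict)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["ref_host"] in AD_NETWORK_HOSTS and ev["host"] not in AD_NETWORK_HOSTS:
            landings[ev["client"]].setdefault(ev["host"], (ev["ts"], ev["ref_host"]))
        # A plug-in/executable payload fetched from an ad-redirect target soon after
        if ev["ctype"] in PAYLOAD_TYPES and ev["host"] in landings[ev["client"]]:
            first_seen, ad_host = landings[ev["client"]][ev["host"]]
            if ev["ts"] - first_seen <= WINDOW_SECONDS:
                hits.append((ev["client"], ad_host, ev["host"], ev["url"]))
    return hits

if __name__ == "__main__":
    for hit in find_driveby_chains(SAMPLE_LOG):
        print("possible drive-by chain:", hit)
```

Only the first client is flagged: the second client loads the same ad script but never follows it to a host that serves a plug-in payload.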
The types of malware installed by malvertising attacks are varied, but a spate of ransomware attacks has taken place recently. Other types of malware popular with malvertising cybercriminals are those that steal login credentials.
Using legitimate networks to push ads out means that attacks are prevalent on well-known and trusted websites. Here are some examples of recent malvertising attacks:
In an attack in early 2015, which infected major sites like the Huffington Post, a Hugo Boss ad was used as the conduit for malware. This attack didn't use a redirect to an exploit kit (EK). Instead the kit was packaged into the ad itself, which got through the ad network's security checks and out onto the wider Internet. The ad-based EK used Flash vulnerabilities to do its work. Anyone infected ended up with ransomware on their system, which encrypted all of their files and attempted to extort money to decrypt them.
Also in 2015, Yahoo's ad network suffered a major malvertising breach. The attack was based on the Angler exploit kit, which used a drive-by download to infect users' machines. The Yahoo network receives 6.9 billion monthly visits, so it had the potential to impact a massive number of end users: a perfect conduit for malware.
In a more recent attack, earlier this year, a major malvertising campaign affected major news sites like the New York Times and again used a redirect to an exploit kit. This time the EK took advantage of vulnerabilities in Microsoft Silverlight. Again, ransomware infection was the end result.
Mobiles aren't immune to malvertising either. According to Blue Coat's 2014 Mobile Malware Report, malvertising is the top threat to mobile users. Mobile as a platform for malvertising makes sense in light of a BI Intelligence report showing that mobile advertising is growing faster than other forms of advertising; why would a cybercriminal not take advantage of that?
It is hard to find accurate figures on just how many successful infections have come from malvertising campaigns. However, the fact that this mechanism is increasingly being used, and that ransomware is bringing in as much as $325 million per strain, means that cybercriminals will be willing to spend money to make money by placing ads across legitimate networks that people trust.
If ad networks are unable to manage the problem (and the number of successful attacks seems to point to this), then we need to take steps to protect our computers directly.
All malvertising-based exploits rely on finding vulnerabilities in your browser or browser plug-ins. This means there are some things you can do immediately to reduce the risk:
1. Make sure all of your browsers and associated software, such as Adobe Flash and Java, are up to date.
2. Instead of patching, remove: Flash and Java have known vulnerabilities that cybercriminals can exploit, so remove them if possible. However, this can impact the functionality of some websites, so it may not always be possible. It is also likely that HTML5 will at some point be used as a method of inserting malware, so removal of Flash and Java may become a moot point.
3. Don't use deprecated software plug-ins such as Microsoft Silverlight, as they won't be supported going forward. Some browsers, such as Chrome, have already stopped supporting Silverlight.
4. Make sure you have a company-wide strategy for dealing with this threat, both to prevent infection and to handle the consequences if you do get infected.