Malware distributors are increasingly embedding attack code in online advertisements, or "malvertisements," in order to infect Internet users. These are typically delivered via ad networks that unwittingly place them on reputable websites operated by recognizable brands. This practice does more than expose customers to fraud and personal data theft – it damages the brand equity and customer loyalty of the companies that own the websites involved. To put this problem in perspective, a single malvertising campaign can quickly infect over 10% of the Internet’s top 1,000 trafficked sites.
The malvertising problem stems from the fact that when an organization places an online advertisement, it is typically placed by an ad network. Often, ad networks will resell unfilled ad spaces to other networks — basically doing anything to avoid unused real estate. Meanwhile, an ad is typically sent directly from the servers of the ad network that inherits the space, and is out of the advertising organization’s control.
This multi-level online advertising supply chain has any number of weak links that an attacker can exploit to slip malware into legitimate ads or even take out their own ads. Advertiser vetting by the ad networks is usually limited to the credit checks needed to assure payment for ad placement. There are no integrated controls, industry-enforced standards, or end-to-end accountability across the supply chain. And if an ad network did suspect that a particular ad was malicious and blocked it, it might or might not be correct about that ad, but it would certainly lose all revenue from that ad.
Meanwhile, even if an ad network wanted to scan every ad it handles, it is unlikely to be equipped to handle the sophistication of today’s attackers, who use tools to disguise their malware code from traditional signature scanners. Attackers also randomly alter the domain names of their command and control infrastructure so that known sources of malware can’t be blocked, and make sure their payment collection network is constantly shifting.
According to Cisco’s midyear threat report:
Malvertising is becoming more prevalent, and advertisers are able to launch highly targeted campaigns. A malvertiser who wants to target a specific population at a certain time—for example, soccer fans in Germany watching a World Cup match—can turn to a legitimate ad exchange to meet their objective.
The problem is only getting worse, as attackers have discovered that planting their malware onto brand-name sites gives the demands of the pop-up windows more credibility and legitimacy with less sophisticated users.
RiskIQ has found that the rate of increase in malvertising has been skyrocketing, increasing 29% in 2012 and then a staggering 225% in 2013. The increase is likely to continue accelerating in 2014.
On mobile websites malvertising has also been growing, and often appears as in-app advertising, typically on Android devices. If users respond to the malware they often end up downloading more unwanted apps.
It’s assumed that victimized consumers will increasingly resort to the defense most readily available to them—ad blocking software. But if that becomes a major trend it will cut into the ad revenue generated by the Internet for all parties. Meanwhile, malware attacks that are initiated from a website owned by the organization or an ad placed by the organization will damage the trust the company has built with its customers.
Protecting an organization’s brand from being poisoned by malvertising is complicated. Because today’s malvertisements use sophisticated anti-detection technology, stopping them requires intelligent, continuous scanning of the actual behavior of ads after they reach users’ browsers or mobile devices. Since neither the ad exchanges nor the owners of the websites that carry the ads are equipped for this task, it is best handled by third parties that possess the necessary expertise.
Using cloud-based crawling technology, it is possible to navigate websites or mobile apps, “clicking” banner ads so that their associated software will react as if it were being viewed by a user. Malware and other malicious behavior can then be detected. By examining the behavior of malware rather than looking for its signatures, whatever cloaking technology it uses to avoid detection becomes irrelevant.
Ads that are conclusively malicious can be removed, while questionable ones can be examined manually. Global scanning can uncover tens of thousands of malvertisements on a daily basis regardless of the specific operating systems, browser types, or geographic regions that are being targeted.
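The behavioral approach described above (render the ad as a user would, then judge it by what it does rather than by signatures) can be illustrated with a small triage script. This is an added example, not RiskIQ's product or code: it assumes that a headless-browser crawl has already loaded each ad creative and written out a trace of events (redirects, script loads, pop-ups, downloads), and the traces, host names, and thresholds below are constructed for the illustration. It sorts creatives into "malicious" (removed), "questionable" (sent for manual review), and "clean", using only observed behavior: off-network redirect chains, executable downloads, pop-up windows, and randomly generated host names of the kind mentioned earlier.

```python
"""Behaviour-based triage of ad creatives from a sandbox crawl (added example).

Assumes a crawler has produced one event per line: "<kind> <url> [detail]".
All traces and host names here are constructed sample data.
"""
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed event traces, as a headless-browser crawl might emit them.
TRACES = {
    "creative-A": """\
load https://ads.example-network.test/creative/123.html
script https://ads.example-network.test/static/banner.js
redirect https://cdn.example-network.test/landing/promo
""",
    "creative-B": """\
load https://ads.example-network.test/creative/456.html
script https://ads.example-network.test/static/banner.js
redirect https://track.example-network.test/r?id=9
redirect https://xk3q9z7vb2.example-dga.test/go
redirect https://dl.example-dga.test/update.exe
popup https://dl.example-dga.test/warning.html
download https://dl.example-dga.test/update.exe application/x-msdownload
""",
    "creative-C": """\
load https://ads.example-network.test/creative/789.html
redirect https://promo.example-affiliate.test/offer
popup https://promo.example-affiliate.test/survey
""",
}

# Hosts operated by the ad network itself (assumed); redirects staying here are expected.
TRUSTED_SUFFIXES = ("example-network.test",)
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.android.package-archive",
}


def parse_trace(text):
    """Turn the line-oriented crawl log into (kind, url, extra-fields) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            events.append((parts[0], parts[1], parts[2:]))
    return events


def label_entropy(host):
    """Shannon entropy (bits/char) of the first DNS label; random labels score high."""
    label = host.split(".")[0]
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse(events):
    """Collect behavioural findings; no signatures or blocklists involved."""
    findings = []
    offnet_redirects = 0
    for kind, url, extra in events:
        host = (urlparse(url).hostname or "").lower()
        if kind == "redirect" and not is_trusted(host):
            offnet_redirects += 1
            # Long, high-entropy first label: typical of algorithmically generated names.
            if len(host.split(".")[0]) >= 8 and label_entropy(host) >= 3.0:
                findings.append(("high_entropy_host", host))
        elif kind == "download":
            mime = extra[0] if extra else ""
            if mime in EXECUTABLE_TYPES or url.lower().endswith((".exe", ".apk")):
                findings.append(("executable_download", url))
        elif kind == "popup":
            findings.append(("popup", url))
    if offnet_redirects >= 2:
        findings.append(("redirect_chain", offnet_redirects))
    return findings


def verdict(findings):
    """Map findings to the three outcomes the text describes."""
    kinds = {k for k, _ in findings}
    if "executable_download" in kinds or {"high_entropy_host", "redirect_chain"} <= kinds:
        return "malicious"      # conclusive: remove the creative
    if kinds:
        return "questionable"   # hand to a human reviewer
    return "clean"


def triage(traces=TRACES):
    return {name: verdict(analyse(parse_trace(t))) for name, t in traces.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

The thresholds (two off-network hops, label length 8 and 3 bits of entropy) are illustrative; in practice they would be tuned against the network's own redirect patterns, and the crawl would be repeated per browser, operating system, and region, since a creative may only misbehave for the audience it targets.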
So while customers won’t know or care which ad network delivered a malicious ad, they will blame the organization that owns the website or placed the ad that attacked them. This downstream impact explains why many organizations now consider malvertising to be an enterprise security problem.
About the Author: Elias Manousos is CEO of RiskIQ, Inc.