From browsing your favorite news site to skimming social media, digital advertisements are unavoidable no matter how many ad blockers you use. How ad tech companies collect and use personal data to serve targeted ads has become a major privacy debate, but what about the cybersecurity risk digital advertisements pose?
Before I explain the ad industry’s cybersecurity issue, let’s talk about exploits kits-- the commercially available hacking toolkits that specifically target vulnerabilities in a web browser to place malware on the system. Attackers who use exploit kits typically lure victims to malicious web pages through social engineering spam or even by infecting trusted websites.
So, how do exploit kits impact the digital advertising industry? Exploit kits are increasingly using the evil twin of an advertisement, a malvertisement, as a gateway to a web browser. Customization is easy with this method, as attackers can target specific times of day for malicious ads to run, serve ads to specific browsers, avoid mobile platforms and more.
In 2014, the reigning champ among exploit kits was RIG 3.0, a pioneer of using malvertising as a delivery system in exploit kits. Researchers from Trustwave discovered that RIG 3.0-related malvertising was served to a whopping 3.5 million machines, 1.5 million of which were infected. In March 2015, Trustwave researchers unearthed a major malvertising campaign that compromised ads on several high-traffic websites-- directing victims straight to the Angler exploit kit.
Much like their mainstream cousins in legitimate advertising, malvertisements use a number of different techniques to reach intended recipients. Infected ads can exploit vulnerabilities in browsers and add-ons and appear as videos, images and even text-only advertisements (similar to those in the Google AdWords and AdSense programs). This method works because it imitates traditional advertising techniques, almost like monarch mimicry. Attackers typically initiate malvertising campaigns with ads and credentials that are squeaky clean and only change the payload to malicious content after a campaign is approved and running. Although this traditional technique is easy to implement, its effectiveness is limited by the fact that one must click on the ad to be exposed.
However, a new malvertising method that’s gaining popularity removes that limitation. Ad networks that allow advertisers to upload full HTML or Flash files enable hackers to compromise a computer without the user clicking anything. Flash makes this especially easy given the massive number of vulnerabilities Adobe patches every month. By substituting a malicious Flash file into a previously harmless advertisement, attackers can circumvent the click requirement and deliver the malware as soon as the Flash file loads on the page.
Are cybercriminals aware of and actively using this no-click download method with Flash to serve up malvertising? Absolutely. In 2015, the development team behind the Angler exploit kit found four zero-day vulnerabilities in Adobe Flash. Since the vulnerabilities were discovered by criminals before ethical hackers, there were no security patches to stop them from being exploited.
How is malvertising forcing its way onto popular websites? Much like traditional entrepreneurs, cybercriminals are always looking to make the most bang for their buck, which in this case means buying cheap campaigns from smaller ad networks for as little as $0.20 per thousand impressions. Do these small malvertising campaigns really turn a profit for attackers? You bet. An initial investment of $5,900 can potentially yield a 1,425% return on investment, or over $84,000, in just 30 days. When these malicious ads match demographic details from browser cookie data, they can “trickle up” to larger ad networks where they match with visitor profiles. The introduction of malvertising to the traditional matchmaking system of digital advertising is posing significant challenges to ad networks and publishers as they try to stay one step ahead of attackers.
Despite ad networks’ filtering and scanning tools and consumer protections like anti-virus and browser sandboxing, malvertisements can serve inescapable exploit kits. By carefully picking its battles, using a thick skin of obfuscating code and adapting quickly to its environment, an exploit kit is able to avoid and/or survive a majority of protections offered by modern Web browsers.
Once contained to porn and video pirating sites, malvertising has now succeeded in penetrating some of the Internet’s most popular websites. By leveraging traditional business strategies and advertising techniques to make everyday ads malicious, attackers who use malvertising-based exploit kits have established themselves as innovators in the cybercrime industry. The emergence of malvertising as a significant exploit delivery mechanism has rendered the conventional idea of staying safe by simply avoiding dark corners of the Internet as insufficient.
About the author: Karl Sigler is Threat Intelligence Manager at Trustwave where he is responsible for research and analysis of current vulnerabilities, malware and threat trends. Karl and his team run the email advisory service, serve as liaison with Microsoft MAPP program, and coordinate disclosures of discovered vulnerabilities. In addition, Karl hosts the popular and informative weekly SpiderLabs Radio podcast.