November 27, 2018 By Grant Gross 3 min read

Many longtime internet users will remember receiving pop-up ads warning that their computers were infected with a virus. In nearly all cases, the ad’s specific claims were bogus; the purpose was to scare users into paying for a questionable tech support service or to drive them to a site that would actually infect them with malware.

While browser-based pop-up blockers have largely killed off that particular scam, malicious advertising — or malvertising — is still causing serious damage. Purveyors of malvertisements use an increasingly broad range of techniques to insert malware into ads that run across the web on large advertising networks.

How Malvertising Works

In most cases, threat actors create fake advertisements laden with malware and try to slip them past security checks at large ad networks. These infected ads can then sneak malware onto a web user’s computer, even if he or she doesn’t click on the ad. These so-called drive-by downloads are particularly effective against users who don’t regularly update their software.

The cost of malvertising is huge: A report from ad verification vendor GeoEdge estimated that the threat costs the online advertising industry more than $1.1 billion a year, and anticipated the cost rising another 20–30 percent in 2019.

Know Your Malvertisers

A lack of transparency in the digital ad supply chain “makes loading malicious ads through legitimate ad networks rather painless,” said Alex Calic, strategic technology partnerships officer for The Media Trust, a vendor of digital advertising and app security products. “The sheer number of ads and the large number of digital partners, many unknown to each other, along the supply chain make tracing the malicious code back to the correct offending party extremely difficult.”

It’s tough for ad brokers to keep up with the threat actors, added Jason Hong, associate professor at Carnegie Mellon’s School of Computer Science.

“It’s a cat-and-mouse game. Ad networks need to scan ad submissions for malware, but it can be really hard because attackers have a really strong economic incentive to keep innovating new ways of spreading malware.”

Call in Back-Up

The online advertising industry needs more processes to check submitted ads, added Corey Nachreiner, chief technology officer (CTO) of network security vendor WatchGuard Technologies.

“There are many web tools and frameworks that can help ad brokers escape or remove certain types of web code, such as JavaScript,” he said. “The brokers simply need to check the HTML ads being submitted to them, and make sure they only have clean content and don’t try to invisibly redirect to any off-site source.”

Ad brokers can also require more information from new customers as a way to validate them, he added. But attackers can hide malware in images and other elements, meaning that security teams may need to do more than simply scan the ads.
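As an added example (not code from the article or from any vendor quoted in it), here is a minimal static lint pass a broker could run over submitted HTML creative, flagging the constructs Nachreiner describes: script and frame elements, inline event handlers, meta-refresh and javascript: redirects, loads from hosts outside an allow list, and hidden elements. The allowed host names and the two sample creatives are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AdCreativeLinter(HTMLParser):
    """Collects findings for risky constructs in a submitted HTML ad."""
    RISKY_TAGS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"src", "href", "data", "action"}

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs -> ""
        if tag in self.RISKY_TAGS:
            self.findings.append(f"{tag} element")
        # <meta http-equiv="refresh"> is a silent, no-click redirect
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect")
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onerror, onclick, ...
                self.findings.append(f"inline handler {name}")
            if name in self.URL_ATTRS:
                if value.strip().lower().startswith("javascript:"):
                    self.findings.append("javascript: URL")
                host = urlparse(value).hostname  # also catches //host paths
                if host and host.lower() not in self.allowed_hosts:
                    self.findings.append(f"off-site load {host}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            self.findings.append("hidden element")


def lint_ad(html, allowed_hosts):
    """Return the list of findings for one creative; empty means clean."""
    parser = AdCreativeLinter(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample creatives (hypothetical hosts, not real ads).
ALLOWED = ["ads.example", "cdn.ads.example"]
CLEAN_AD = ('<a href="https://ads.example/click">'
            '<img src="https://cdn.ads.example/banner.png" alt="Banner"></a>')
BAD_AD = ('<img src="https://cdn.ads.example/b.png" onerror="fetch(\'//x.invalid\')">'
          '<iframe src="https://x.invalid/" style="display: none"></iframe>'
          '<meta http-equiv="refresh" content="0;url=https://x.invalid/">')

if __name__ == "__main__":
    print(lint_ad(CLEAN_AD, ALLOWED))  # []
    print(lint_ad(BAD_AD, ALLOWED))
```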

“Malvertising campaigns regularly slip under the radar of the advertising networks because they typically aren’t spotted until the first victims speak out, by which point it’s already too late,” said Gavin Hill, vice president of product and strategy for cybersecurity vendor Bromium. “Concealing malware within objects or images within the site, or forcing redirects for certain users, makes it extremely difficult for the advertising networks to spot malicious adverts being delivered.”

Using sophisticated tools to hide the malware in the ads, attackers can create highly targeted malvertising campaigns that fuse cybercrime and targeted marketing, Hill added.

“It’s all too easy for cybercriminals to exploit networks for their own gain,” he said. Threat actors can “deliver malicious code to vulnerable users that don’t suspect a thing.”

Broaden Your Thinking

Hill called for a holistic approach to fighting cybercrime by understanding “how the vast cybercrime economy operates.” Hong agreed.

“It really needs to be an entire community effort in combating malvertising,” he said. “Ad networks are the front line and need to improve their malware detection capabilities. We also need to hit the attackers’ finances, too, making it harder for them to monetize.”

To protect themselves from malvertising, consumers should prioritize patching. Users need to keep their software up to date to protect against malicious ads targeting known vulnerabilities.

“On end-user client side, patch, patch, and patch,” said Oliver Münchow, security evangelist with cybersecurity prevention firm Lucy Security. “And beware of the risks associated with downloads and clicks.”

In the end, maintaining your patching cadence and implementing only necessary and heavily vetted browsing tools should be a part of any routine security program. But keeping an extra eye on malvertising strategies and expanding knowledge of threat campaigns overall should help solidify another wall of the data security fortress.
