Cybercriminals are always looking for new ways to generate illicit income, but that doesn’t mean they are ignoring old favorites—like malvertising.
The very fact that advertisements are so commonplace has led to them becoming a familiar part of the online landscape. Most often considered either an unwanted annoyance or necessary evil, online ads can actually be something far more sinister… even dangerous. Malicious advertising, or malvertising as it has become known, hides among the huge amounts of ads the average user will be exposed to on a daily basis. Not only does it look the same as perfectly legitimate advertising, it is generally served up by legitimate websites using just as legitimate advertising networks.
Advertising networks do implement various measures to uncover malvertising campaigns before they can start being distributed, but the sector remains profitable enough for criminal organizations to persist with it. It should come as no surprise, then, that the bad guys are investing in alternative methods of distributing their wares, such as establishing fake digital ad agencies. One investigation, published at the end of January, found that in 2017 the ‘Zirconium’ criminal consortium had established no less than 28 fake agencies responsible for one billion ad impressions delivering everything from malware to tech support scams.
Cybercriminals often use simple redirection tactics to take unsuspecting users, who click on a malicious ad, to a site serving up malware disguised as demo software, white papers, or video streams. The typical malvertising campaign of old would involve a pop-up warning that your computer was infected and redirect to a ‘free scan’ or ‘free antivirus software’ that would deliver the actual malware payload. While such ancient campaigns sadly still continue with some success, the bad guys have moved on to more advanced methodologies.
Ransomware is also now being distributed via malvertising, with ‘Matrix’ malware being served up by ads from the RIG exploit kit, and a CryptoMix variant being pushed by the AdGholas malvertising group to organisations, such as University College London.
The dangers of malvertising don’t just apply to end users who get scammed, but also to those organizations whose sites inadvertently serve up the malicious ad. The bottom line is there could be reputational damage if a malvertising campaign launched from your site gets media attention, as well as loss of traffic (and revenue) if Google and other search engines blacklist you for hosting malware. If your site is flagged as a malware distributor, then appeal as soon as the malvertising has been removed in order to minimise the impact on your SEO performance.
When it comes to mitigating against the malvertising threat, there’s plenty of advice managed service providers (MSPs) can offer clients. As with most malware threats, the real answer when it comes to the most successful mitigation is to employ a multilayered strategic approach to reducing the attack surface.
Combining user education, patch management, adblocking software, and remote management can help you take a proactive approach to the malvertising menace. From the web server side, ensure you only deal with legitimate advertising networks with fraud detection systems in place, and keep your own patching policy updated. Just last year (2017), there were reports of sites being hit by malvertising campaigns because they were running outdated WordPress themes with an unpatched vulnerability enabling code-injection attacks.
Getting the security basics right shouldn’t be forgotten, and web protection that prevents access to known malware-associated sites can go a long way in keeping your clients safe. Using a remote monitoring and management platform that includes built-in web protection against malware threats, including URL filtering, will help prevent malvertising redirects from being successful.
Finally, deploying AdBlocking plugins on browser clients can also be effective when dealing with most of these threats, so they really shouldn’t be overlooked. That said, there is a trend for sites that rely on advertising revenue for monetization to require disabling AdBlockers, which then opens up the threat surface once more. Depending on the nature of your customer’s business, this may mean they just have to do without these types of sites.
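As an added illustration of the redirect-chain and URL-filtering points above (example code written for this edit, not part of the original article or any SolarWinds product): the script below rebuilds ad-originated redirect chains from a proxy log and flags those that land on a blocklisted host or are followed by an executable download. The log format, the hostnames and the ad-network and blocklist entries are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log, one hit per line: "client status url location"
# ("-" means no Location header). Hostnames are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 302 http://ads.example-network.test/serve?id=1 http://trk.example-cdn.test/r/77
10.0.0.5 302 http://trk.example-cdn.test/r/77 http://free-scan-alert.invalid/scan.php
10.0.0.5 200 http://free-scan-alert.invalid/scan.php -
10.0.0.5 200 http://free-scan-alert.invalid/setup.exe -
10.0.0.9 302 http://ads.example-network.test/serve?id=2 https://www.example-shop.test/offer
10.0.0.9 200 https://www.example-shop.test/offer -
"""

AD_NETWORKS = {"ads.example-network.test"}   # hypothetical ad-serving hosts
BLOCKLIST = {"free-scan-alert.invalid"}      # hypothetical known-bad hosts (URL filter feed)
EXEC_SUFFIXES = (".exe", ".msi", ".scr")     # payload types typical of "free scan" lures

def parse_log(text):
    """Turn log lines into (client, status, url, location-or-None) tuples."""
    events = []
    for line in text.splitlines():
        client, status, url, location = line.split()
        events.append((client, int(status), url, None if location == "-" else location))
    return events

def redirect_chains(events):
    """Follow 3xx Location hops per client, starting from any ad-network URL."""
    hops = defaultdict(dict)                 # client -> {url: redirect target}
    for client, status, url, location in events:
        if 300 <= status < 400 and location:
            hops[client][url] = location
    chains = []
    for client, table in hops.items():
        for start in table:
            if urlparse(start).hostname in AD_NETWORKS:
                chain, cur, seen = [start], start, set()
                while cur in table and cur not in seen:   # stop on loops
                    seen.add(cur)
                    cur = table[cur]
                    chain.append(cur)
                chains.append((client, chain))
    return chains

def flag_chains(events):
    """Return (client, chain, reasons) for chains that look like malvertising redirects."""
    alerts = []
    for client, chain in redirect_chains(events):
        final_host = urlparse(chain[-1]).hostname
        reasons = []
        if final_host in BLOCKLIST:
            reasons.append("blocklisted host")
        if any(c == client and s == 200 and urlparse(u).hostname == final_host
               and urlparse(u).path.lower().endswith(EXEC_SUFFIXES)
               for c, s, u, _ in events):
            reasons.append("executable download")
        if reasons:
            alerts.append((client, chain, reasons))
    return alerts

if __name__ == "__main__":
    for client, chain, reasons in flag_chains(parse_log(SAMPLE_LOG)):
        print(client, " -> ".join(chain), reasons)
```

A real deployment would read the proxy's own log format and a maintained blocklist feed; the logic of walking hops from an ad-serving origin to the landing page is what a URL filter needs in order to block the final redirect rather than the innocuous-looking ad slot.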
Davey has been writing about IT security for more than two decades, and is a three times winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious 'Enigma' award for his 'lifetime contribution' to information security journalism in 2011.
You can follow Davey on Twitter at @happygeek
© 2018 SolarWinds MSP UK Ltd. All rights reserved.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.