Malvertising: Still A Potent Cyber Threat
by Mark Gregory - Maverick Cyber Operations SME
Malvertising is the name given to criminally-controlled advertisements designed to intentionally infect victims (both individuals and businesses). The infected ads can be virtually any ad on any site. For all intents and purposes, the advert looks the same as any other, but it has been placed by a criminal.
When you visit an site through a malvertising advertisement, without your knowledge a tiny piece of code hidden deep in the advertisement sends your computer to criminal servers. These servers then catalogue details about your computer and its location, before choosing which piece of malware to send you. This doesn’t need a new browser window and you won’t know about it.
Malvertising is a growing problem, While the technology being used in the background is advanced, the way it presents to the person being infected is simple. The first sign will often be when the malware is already installed and starts threatening money for menaces, logging your bank details or any number of despicable scams.
It is common practice to outsource web site advertising to third-parties. These companies re-sell this space and provide software which allows people to upload their own advertisements, offering a winning bid for the right for more people to see them. This provides cyber criminals a way of inserting their own malicious advertisements into this self-service platform. Once loaded, all they have to do is set a price per advertisement to compete with legitimate advertisers.
The impact of unintentionally hosting corrupted advertising on your website can be drastic. First and foremost is a loss of revenue as you are not being paid for the advertising space you paid to re-host. It further costs revenue losses, due to the time required to remove the malvertising from your site. A secondary disadvantage, and perhaps of more importance , is the lost rapport with customers and potentially irreversible harm to your organization’s reputation. If your customers are attacked by a virus originating from your site, they are likely to lose confidence in your brand and could potentially make their feelings known to other prospective customers.
For individuals who fall victim to malware, ransomware, and scams resulting from clicking on a malicious advertisement, the risk includes lost data, compromised credit and banking information, and malware such as keystroke loggers or spyware designed to compromise all of your accesses like login credentials to your work, bank, or other secure online sites.
Since advertising is such a significant source of income for most businesses, unfortunately the risk is unlikely to be able to be mitigated entirely. Anti-virus software and online protection tools help, and good web browsers with plug-ins that validate end-point security can aid in combating the threat. The best defense for individuals is using a LiveOS like Maverick’s AssuredID to perform all your higher-risk activities such as shopping, banking, and general surfing in conditions where you are most likely to see – and click on – an advertisement.
Organizations can combat the threat to the enterprise at the network level, where a good content-filtering firewall and regularly updated anti-virus software are valuable investments. Organizations should also provide regular and recurring Security Awareness training to their employees, such as Maverick’s Security Awareness Training (SAT) Program. Frequent, recurring Security Awareness improves user knowledge and prevents missteps that can cause an organization not only money but brand reputation.
When considering using a third party advertiser, organizations must assess the quality of the products/services they are offering via resold advertising space. Organizations should review all domain names and associated URLs before allowing them to advertise on the corporate site. These practices are not limited to corporations, however. Blog, video, or other online content hosts who allow advertising to help pay for production should also consider these practices – in cases where they control the choice of advertisers directly.
The threats of Malvertising differ on by organization and for individuals as well. The impact is largely dependent on the preventative measures individuals and organizations are willing to employ. Making yourself aware of the problem is the first step.