What is the definition of malvertising?
Malvertising, or malicious advertising, is the term for criminally controlled advertisements within Internet-connected programs, usually web browsers (there are exceptions), which intentionally harm people and businesses with all manner of malware, potentially unwanted programs (PUPs), and assorted scams. In other words, malvertising uses what looks like legitimate online advertising to distribute malware and other threats with little to no user interaction required.
Malvertising can appear in any advertisement on any site, even the ones you visit as part of your everyday Internet browsing. Typically, malvertising installs a tiny piece of code that redirects your browser to criminal command and control (C&C) servers. The server scans your computer for its location and what software is installed on it, and then chooses whichever malware it determines is most effective to send you.
How does malvertising work?
Though it carries malicious code, malvertising takes on the appearance of everyday ads like pop-ups (pushing things at you such as fake browser updates, free utilities, antivirus programs, and so on), paid ads, banner ads, and more. Malvertising criminals rely on two main methods to infect your computer.
The first is an advertisement that presents some kind of provocative enticement to get you to click on it. The lure might come in the form of an “alert,” such as a warning that you already suffer from a malware infection. Or it might be an offer for a free program. Such tactics use social engineering to scare or tempt you into clicking on a link. Give in to that temptation and you are infected.
Even more nefarious is the second method, known as a drive-by download. In this case, the infected ad uses an invisible web page element to do its work. You don’t even need to click on the ad to trigger the malicious activity. Just loading the web page hosting the ad (or a spam email or malicious pop-up window) redirects you to an exploit landing page, which takes advantage of any vulnerabilities in your browser or holes in your software security to access your machine.
How can malvertising harm me?
Perhaps a more pertinent way to put that question is: is there really any chance it won’t harm you? The answer is no, because the bad guys behind malvertising have multiple illicit goals they pursue with dogged determination. They want to make money off you by stealing your identification data, your financial data, and your contact data, among other things. Other than outright stealing data, they can encrypt or delete information, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission. It all depends on what kind of programs the malvertising succeeds in downloading. The payloads can include:
- Malware, which is the umbrella term that describes any malicious program or code that is harmful to systems.
- Ransomware, the term for a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back. Ransomware has been called the cybercriminal’s weapon of choice because it demands a quick, profitable payment in hard-to-trace cryptocurrency. The code behind ransomware is easy to obtain through online criminal marketplaces and defending against it can be difficult.
- Spyware is malware that secretly observes the computer user’s activities without permission and reports them to the software’s author.
- Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. Typically, it uses an underhanded method to either disguise itself as legitimate, or piggyback on another program to trick you into installing it on your PC, tablet, or mobile device.
- A virus is the original malware that attaches to another program and, when executed—usually inadvertently by the user—replicates itself by modifying other computer programs and infecting them with its own bits of code. Most cybersecurity professionals agree that viruses today are more of a legacy threat than an ongoing risk to Windows or Mac users. That’s because they’ve been around for decades and have not substantially changed.
- Malicious cryptomining, also sometimes called drive-by mining or cryptojacking, is an increasingly prevalent form of malware, usually installed by a Trojan. It allows someone else to use your computer to mine cryptocurrency like Bitcoin or Monero. So instead of letting you cash in on your own computer’s horsepower, the cryptominers send the collected coins into their own account and not yours. So, essentially, a malicious cryptominer is stealing your resources to make money.
What is the history of malvertising?
According to Wikipedia, the first recorded malvertising attack occurred in late 2007 or early 2008. The threat exploited a vulnerability in Adobe Flash, attacking a number of popular platforms, including MySpace. It was also the last time anyone mentioned MySpace. In 2009, The New York Times online magazine fell prey to malvertising by publishing an ad that enlisted computers into a larger botnet of malware-infected computers. Readers were served up ads telling them that their systems were infected, which was a ploy to trick them into installing malicious security software on their computers. In 2010, malvertising exploded across the internet, with industry watchers identifying billions of display ads that were carrying malware across 3,500 sites. In 2011, Spotify fell victim to an early example of a drive-by download malvertising attack. In 2012, a massive malvertising attack hit The Los Angeles Times, infecting users via drive-by download. It was seen as part of a general campaign of malvertising to hit large news portals, and this strategy served as a template for future attacks. The following year, 2013, saw a major malvertising attack on Yahoo.com, which put a significant number of the webpage’s 6.9 billion monthly visitors at risk. The attack infected users’ machines with the CryptoWall ransomware. As we reported, 2014 showed a significant increase in malvertising attacks. Google DoubleClick and Zedo ad networks suffered major malvertising campaigns, as did news portals such as Times of Israel and The Jerusalem Post. In 2015, attacks continued to diversify, using a variety of popular websites to display bad ads, and drop malware onto the computers of unsuspecting users. Targeted websites included dating sites, adult video streaming sites, Google AdWords, and MSN.com. Today, malvertising detections continue to grow.
ZDNet reported on a threat actor known as Zirconium, which perpetrated what was arguably the biggest malvertising campaign in 2017 when the organization bought an estimated one billion ads throughout the year. Zirconium designed its malicious ads with forced redirects that brought users to websites hosting fraudulent schemes or malware. Industry watchers believe that this single campaign was present on 62 percent of ad-monetized websites each week. Malvertising actors have also gotten creative as of late. Cybercriminals are now taking over abandoned domains, i.e. websites that the previous owner never renewed, to display malicious ads that force redirect users to tech support scam sites. They’re also abusing cryptocurrency miners. In January 2018 Malwarebytes researchers discovered pages with malicious ads containing embedded scripts for Coinhive. While Coinhive has legitimate uses, cybercriminals use the service to turn your computer into a cryptomining machine without your knowledge or permission.
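As an added example that is not from the original article: a small Python scanner, run over constructed ad creatives, that flags the tells described in the drive-by download section and in the paragraph above (a zero-size or CSS-hidden iframe, a forced redirect set from script or via meta refresh, and an embedded Coinhive-style mining script). The indicator labels, the `.example` hosts, the site key and the sample creatives are this example's own placeholders.

```python
import re
from html.parser import HTMLParser
# Script that assigns to location, or calls location.replace/assign, is a forced redirect.
REDIRECT_RE = re.compile(
    r"\blocation(?:\.href)?\s*=[^=]|\blocation\s*\.\s*(?:replace|assign)\s*\(")

def _is_invisible(attrs):
    # Zero-sized or CSS-hidden: the invisible element used for drive-by delivery.
    style = re.sub(r"\s+", "", attrs.get("style") or "").lower()
    size = [(attrs.get(k) or "").strip().rstrip("px") for k in ("width", "height")]
    return ("0" in size or "hidden" in attrs
            or "display:none" in style or "visibility:hidden" in style)

class _CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "iframe" and _is_invisible(a):
            self.findings.add("hidden-iframe")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.add("meta-refresh-redirect")
        elif tag == "script":
            self._in_script = True
            if "coinhive" in (a.get("src") or "").lower():
                self.findings.add("cryptominer-script")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.add("forced-redirect")
        if self._in_script and "coinhive" in data.lower():
            self.findings.add("cryptominer-script")

def scan_creative(html):
    """Return the sorted indicator labels found in one ad creative."""
    parser = _CreativeScanner()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample creatives; ".example" hosts and the site key are placeholders.
SAMPLES = {
    "benign_banner": '<a href="https://shop.example/sale"><img src="b.png" width="300" height="250"></a>',
    "drive_by_iframe": '<img src="b.png"><iframe src="https://landing.example/ek" width="0" height="0" style="display: none"></iframe>',
    "forced_redirect": '<script>setTimeout(function () { window.top.location.href = "https://scam.example/fix"; }, 10);</script>',
    "meta_refresh": '<meta http-equiv="refresh" content="0;url=https://scam.example/">',
    "miner": '<script src="https://miner.example/coinhive.min.js"></script><script>new CoinHive.Anonymous("SITEKEY_PLACEHOLDER").start();</script>',
}
```

A clean creative returns an empty list; in practice such a scan belongs on the ad-serving side, as a pre-publication check of creatives before they reach a reader's browser.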
What are the main kinds of malvertising campaigns?
Once online crooks have determined what kind of computer you use, what software, and what country you are in, they have all they need to devise tailored campaigns. A few campaign categories include:
- Get-rich-quick schemes and other surveys. These are aggressive efforts by unscrupulous advertising networks that disrupt your browsing with screen hijacks. They might be anything from a lottery offer to work-from-home scams, bogus surveys, and other too-good-to-be-true freebies. In the past, surveys in this category have even targeted iPhone users.
- Fake Flash Player (and other software) updates. This is one of the most common techniques to foist adware and even malware onto Mac users. Masquerading as updates for the Flash Player, or video codecs, these pages are well designed and pushy. In some cases, the installer will automatically download itself onto your computer. These campaigns work particularly well on adult or video streaming websites, because they can lure users to download the application in order to watch the content they are looking for. You should stay away from such “programs.” But if you choose to download, only do so by going to the product’s official repositories, since these look-alikes on the infected sites are bundled with junk that will slow down your Mac, or worse, install spyware and other malware on it.
- Scareware. Similar to the tech support scam, scareware first says that your Mac or Windows machine is severely damaged or infected, and then urges you to download a program to fix it. Scareware scams are typically the work of greedy malvertising affiliates trying to drive the most leads they can in order to collect large commissions off various PUPs.
What kinds of platforms are vulnerable to malvertising?
Although Windows has been the main focus of malware attacks for years, a malvertising campaign focused on a browser or plug-in can just as easily infect a Mac, Chromebook, Android phone, iPhone, or any such devices in a business network.
True, cybercriminals mostly target Windows users because the huge Windows user base gives malvertisers the best return on investment. But Macs are just as vulnerable to malvertising attacks.
Regarding mobile devices, malvertising can be even more of a threat, since many people don’t take the same precautions or have the same firewalls on their phone that they routinely have on their desktop or laptop. Compounding the risk is the fact that mobile devices are always on, carried from home to work and on weekend outings, and often used for shopping, among other things. All of which makes them a prime target for malvertising.
Businesses, with their distributed networks full of attractive personal and financial data on all kinds of devices, have recently become even bigger targets for the kinds of malware that malvertising delivers. According to the October 2018 Malwarebytes Labs Cybercrime Tactics and Techniques Report, businesses saw a 55 percent increase in attacks compared to the previous quarter. At the same time, consumer attacks increased by only four percent quarter over quarter.
How do I protect against malvertising?
First, tighten up vulnerabilities on your computer and mobile device. Keep your operating system, your applications, and web browsers (plug-ins included) up to date with the latest security patches. Remove any software (especially Flash or Java) that you don’t use or need, because malvertising searches for ways to exploit weaknesses in such software.
Always practice safe computing and think before you click on anything. And always be skeptical about any suspiciously alarming notices, or scareware, as well as any too-good-to-be-true pop-up offers you receive. Never clicking on suspect ads won’t by itself protect you against drive-by malvertising living on reputable sites, but it will decrease your odds of getting hit by much of what the bad guys throw at you, since most malvertising relies on your click to deliver its malware payload.
Enable click-to-play plugins on your web browser. Click-to-play plugins keep Flash or Java from running unless you specifically tell them to (by clicking on the ad). A large percentage of malvertising relies on exploiting these plugins, so enabling this feature in your browser settings will offer excellent protection.
You should seriously consider using ad blockers, which can filter out a lot of the malvertising noise, thereby stopping dynamic scripts from loading dangerous content. By blocking all advertisements from displaying on websites, you remove any chance of viewing and clicking on an ad that is potentially harmful. Ad blocking also results in additional benefits, from reducing the number of cookies loaded on your machine, to protecting your privacy by preventing tracking, saving bandwidth, loading pages faster, and prolonging battery life on mobile devices.
However, many of the most reputable news sites rely on advertising for revenue, so they ask users to disable ad blockers in order to access content. Malwarebytes has weighed in on this subject. There’s also considerable advice about using ad blockers on our blog, detailing some of the completely free methods available to you for a safer internet experience. For example, here’s one of our blogs about ad blockers and anti-tracking browser extensions. And we cover a few of the common ad blocking utilities and how to best configure those tools for maximum effectiveness.
Malwarebytes provides ad-blocking technology in our iPhone app, and offers powerful ad-blocking extensions for your Chrome or Firefox browser. We also include malicious website protection in our premium products and business products.
Of course, the best way to protect yourself and your equipment from falling victim to malvertising (and any malware, for that matter) is to scan your system regularly with a quality cybersecurity program.
Real-time, always-on cybersecurity is the gold standard for preventing not only infection from malvertising on an infected site, but also from all other associated malware threats that may already be lurking on your device. For all platforms and devices, from Windows, Mac, and Chromebook to Android, and iPhone, plus business environments, Malwarebytes is your first line of defense.
Optimize SecOps by pairing SIEM with SOAR
In an ever-expanding threat landscape, digital security breaches can result in costly downtime, lost revenue, regulatory fines and brand damage. According to a recent IBM Security and Ponemon study, the average cost worldwide of a data breach has risen 12 percent over the past 5 years to $3.92 million in 2019. But in the U.S., the average cost of a breach is $8.19 million—more than double the worldwide average. This cost equates to approximately $150 per lost or stolen record. And in regulated environments such as health care, financial services, energy and others, the long-term costs are even higher.
No CISO wants to lose their job over a security breach that makes headlines and hits the bottom line. To address these threats, Gartner predicts that companies will spend more than $124 billion on information security products and services in 2019.
How can CISOs optimize SecOps, especially when the security skills shortage prevents them from staffing-up effectively?
It’s no easy feat to protect an organization’s IT and security operations (SecOps) against human errors and malicious attacks continuously, but a security orchestration, automation and response (SOAR) tool can help. Per the IBM/Ponemon study, companies deploying security automation technologies experienced about half the cost of a breach ($2.65 million average) compared to those that were not equipped with these technologies.
You know your organization needs to level-up with automation. Now what?
While most large companies and enterprises have already invested in network monitoring, application performance monitoring (APM), and/or security information and event management (SIEM) solutions, these disparate tools rarely work well together without intervention, and full visibility into their activity is nearly impossible. These obstacles slow the identification of indicators of compromise (IOCs) and hinder effective incident response. Automating manual, repetitive tasks is a must to secure mission-critical systems.
The good news is, if you already have a SIEM and documented workflows or use cases, your organization is likely mature enough for automation. To get to the next level of security maturity, pair your SIEM with the right SOAR solution.
Here are three ways SIEM paired with best-in-class SOAR optimizes security operations:
- SIEM + SOAR increases real-time visibility of potential security incidents in progress. A unified view of your organization’s security infrastructure enables your analysts to investigate and remediate threats efficiently.
- SIEM + SOAR accelerates incident response. Overworked and understaffed analysts cannot keep up with the endless onslaught of daily SIEM alarms. Because of this, many alerts go uninvestigated, and potentially malicious activity slips through the cracks. SOAR enables your SOC to investigate and remediate threats at machine speeds while simultaneously allowing your analysts to turn their attention to higher-value tasks.
- Report on the value of your SecOps with SOAR. When analysts try to keep up with SIEM alerts, they are able to do little else than attempt to keep up (which they can’t). When a SOAR solution empowers your analysts with automation and visibility into the entire IT infrastructure, you are better equipped to demonstrate the value of your security operations center (SOC) and even report on ROI to your C-suite.
Are you ready to level-up your SOC? Download the Gartner 2018 Critical Capabilities for Security Information and Event Management report courtesy of Swimlane to learn more about how your SIEM tool should integrate with SOAR for an enhanced SOC.