First of all, malvertising should not be confused with spam, cookies, or web beacons. Malvertising is far more sophisticated and, potentially, far more damaging. Its attack chain is convoluted, which makes it hard to detect. Nonetheless, it is a mode of attack that is rapidly on the rise and one that you are quite likely to encounter, so some basic knowledge about it is worth having.
Now, imagine that you are a knowledgeable and careful web user. You know not to click on dubious links, you never download anything suspicious, and you never visit questionable web pages. In fact, let’s say you are one of the most careful people on the internet. Then, one day, you learn that your credit card details have been stolen or your Facebook account has been compromised. Your first reaction would be that this is impossible. That’s understandable. However, it happens more and more often because legitimate websites are increasingly serving content that loads third-party code through hidden frames (iframes) on the page. In other words, your browser may be sent to a malware-injecting page without your ever seeing it. This hidden code runs as soon as the page loads. It fingerprints your browser, operating system and installed plugins, including their versions, and matches them against known vulnerabilities. Without your clicking on anything or downloading anything, the attackers have learned enough about your computer or device to exploit a vulnerability it found, compromise the device, and take whatever information they want from you. Malvertising is one delivery route for this kind of attack, known as a ‘drive-by download’.
To be clear, these exploit kits operate out of view and take no action that you can see. You get no antivirus or other warning pop-up. The kit finds a vulnerability and installs its malware without being detected. The legitimate website is not itself infected, so it escapes detection as a bad site. The malicious code is usually hidden in advertisements, or in the pages those advertisements quietly load from other sites. You would probably assume that legitimate websites carry legitimate ads. In fact, the more popular the website, the more valuable it is to the attacker. Although a click is not necessary, getting you to click through to a site that hosts the infecting code is an additional distribution technique. Even if you check the landing URL (or its IP address) the ad wants you to click through to, you would see nothing wrong with it. This is why major web sites don’t realize they are being used for malware distribution. The original site, let’s say, Amazon.com (which, in fact, has been a victim of malvertising) only sees an ad linking to a legitimate-looking site and therefore doesn’t realize that it is one link in a chain that compromises its own visitors. A study by Google Research, together with the University of California at Berkeley and Santa Barbara, found that there were “5.1% of page views on Windows and 3.4% of page views on Mac that showed tell-tale signs of ad injection software”. Note that ad injection, in which software already running on the user’s machine inserts unauthorized ads into the pages it views, is a related but distinct problem from malicious ads served through a site’s own ad slots.
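The hidden-iframe pattern described above can be checked for mechanically. The following is an added example, not code from the original article or from InZero Systems: it scans a page’s HTML for iframes that are hidden from the viewer (zero or one pixel in size, a `hidden` attribute, or a style that makes them invisible or pushes them off-screen) and that load from an origin other than the page’s own. The sample page, the host names and the function names are constructed for the example; it uses plain string scanning rather than a DOM library so it runs under Node.js with no dependencies.

```javascript
// Added example, not code from the original article: find <iframe> elements
// that are both hidden from the viewer and cross-origin, the delivery pattern
// the article describes. Host names and the sample page are constructed.

// Inline styles that hide an element without removing it from the page.
const HIDING_STYLES = [
  [/display\s*:\s*none/i, "display:none"],
  [/visibility\s*:\s*hidden/i, "visibility:hidden"],
  [/opacity\s*:\s*0(?:\.0+)?(?![.\d])/i, "opacity:0"],
  [/(?:left|top)\s*:\s*-\d{3,}px/i, "positioned off-screen"],
];

// Parse the attributes of one <iframe ...> tag into a lowercase-keyed object.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  // A bare boolean "hidden" attribute has no "=" and needs its own check.
  attrs.hidden = attrs.hidden !== undefined || /\shidden(?=[\s/>])/i.test(tag);
  return attrs;
}

// A 0 or 1 pixel dimension is the classic invisible frame.
function isTiny(value) {
  if (value === undefined) return false;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// One finding per iframe that is hidden AND points at another origin.
function findHiddenCrossOriginIframes(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if (!attrs.src) continue; // srcdoc / empty frames are out of scope here
    let src;
    try {
      src = new URL(attrs.src, pageUrl);
    } catch (e) {
      continue; // unparsable src
    }
    if (src.protocol !== "http:" && src.protocol !== "https:") continue;
    if (src.origin === pageOrigin) continue; // first-party frames are not the concern here

    const reasons = [];
    if (isTiny(attrs.width) || isTiny(attrs.height)) reasons.push("zero/one-pixel size");
    if (attrs.hidden) reasons.push("hidden attribute");
    const style = attrs.style || "";
    for (const [re, label] of HIDING_STYLES) if (re.test(style)) reasons.push(label);

    if (reasons.length > 0) findings.push({ src: src.href, origin: src.origin, reasons });
  }
  return findings;
}

// Constructed sample page: one ordinary visible ad frame, one hidden
// first-party frame, and two hidden frames pointing at other origins.
const SAMPLE_HTML = `
<html><body>
<h1>Example publisher</h1>
<iframe src="https://ads.example-network.test/banner?slot=1" width="300" height="250"></iframe>
<iframe src="/tracking/beacon.html" style="display:none"></iframe>
<iframe src="http://landing.example-bad.test/gate.php" width="1" height="1"
        style="position:absolute;left:-9999px"></iframe>
<iframe src='https://other.example-bad.test/x' style="visibility:hidden"></iframe>
</body></html>`;

const SAMPLE_PAGE_URL = "https://www.example-publisher.test/article";

console.log(JSON.stringify(findHiddenCrossOriginIframes(SAMPLE_HTML, SAMPLE_PAGE_URL), null, 2));
```

Run against the sample page this reports the two frames on `example-bad.test` hosts and ignores both the visible ad slot and the hidden first-party tracking frame. A real deployment would run the same check on the HTML actually served to users (including what ad tags inject after load), since the malicious frame is usually added by the ad creative rather than by the publisher’s own markup.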
Here is some information from Malwarebytes on the growing presence of exploit kits.
Once the exploit succeeds, the payload can do whatever any other malware can do, because it now runs on your device, typically taking its orders from a remote attacker’s command-and-control server.
Of course, many companies allow advertisements on their websites. They generally arrange this by hiring companies that run advertising networks, and these networks decide which ads are displayed on which sites. The ads often target the interests of the person browsing, based on information gleaned from cookies and other means. Companies that want to advertise (that is, to drive traffic to their sites) bid for the right to have their ads placed in prime locations. Criminals can bid for the same right with what appear to be legitimate ads. If they win the bid, their malicious ads are rotated into popular websites, where they can target particular individuals for malware attacks. Often the attackers do nothing for a couple of weeks: they serve clean ads to build up a degree of trust and raise no suspicion. Once that trust has been established, the attacks begin.
You may think these ads can be traced back to their sources, but that is rarely the case. An ad passes through so many intermediaries and redirects that it is nearly impossible to see where it came from, and it may well look, at least on the surface, to have a legitimate source.
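The “twists and turns” are concrete: an HTTP redirect here, a meta refresh there, a JavaScript location change on the next hop. The following is an added example, not code from the original article or from InZero Systems, that reconstructs such a chain from captured responses so the host the visitor finally lands on can be compared with the click-through the advertiser declared. The captured responses, the host names and the function names are all constructed for the example; `fetchResponse` is a lookup into that capture rather than a live request, so it runs offline under Node.js. A real run would replace it with a fetch from a sandboxed machine using a browser-like User-Agent, since traffic distribution systems commonly serve benign content to anything that does not look like a victim.

```javascript
// Added example, not code from the original article: follow the hop chain an
// ad load or ad click passes through, using constructed captured responses.
// Header keys in the capture are lowercased (constructed convention).

const MAX_HOPS = 10;

// Where does one response send the visitor next? Checks, in order, an HTTP
// redirect, a <meta http-equiv="refresh">, and a JavaScript location change.
// Returns the absolute next URL, or null when the page forwards nowhere.
function nextHop(response, currentUrl) {
  const status = response.status;
  const headers = response.headers || {};
  const body = response.body || "";
  if (status >= 300 && status < 400 && headers.location) {
    return new URL(headers.location, currentUrl).href;
  }
  const meta = /<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*([^"'\s>]+)/i.exec(body);
  if (meta) return new URL(meta[1], currentUrl).href;
  const js = /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)/i.exec(body);
  if (js) return new URL(js[1] || js[2], currentUrl).href;
  return null;
}

// Follow hops from startUrl. fetchResponse(url) returns the captured response
// for that URL, or undefined. Stops on a loop, a missing capture, a page that
// forwards nowhere ("landed"), or the hop limit.
function followChain(startUrl, fetchResponse) {
  const hops = [];
  const seen = new Set();
  let url = startUrl;
  while (hops.length < MAX_HOPS) {
    if (seen.has(url)) return { hops, final: url, stopped: "loop" };
    seen.add(url);
    const resp = fetchResponse(url);
    if (!resp) return { hops, final: url, stopped: "no capture" };
    hops.push({ url, status: resp.status });
    const next = nextHop(resp, url);
    if (next === null) return { hops, final: url, stopped: "landed" };
    url = next;
  }
  return { hops, final: url, stopped: "hop limit" };
}

// Distinct hosts in the order first seen: what a reviewer needs to compare
// against the click-through URL the advertiser declared.
function hostsInChain(result) {
  const hosts = [];
  for (const hop of result.hops) {
    const host = new URL(hop.url).hostname;
    if (!hosts.includes(host)) hosts.push(host);
  }
  return hosts;
}

// Constructed capture: the declared click URL on the ad network looks fine;
// three hops later the visitor is on an unrelated host.
const CAPTURE = {
  "https://ads.example-network.test/click?id=123": {
    status: 302,
    headers: { location: "https://track.example-affiliate.test/r?c=abc" },
  },
  "https://track.example-affiliate.test/r?c=abc": {
    status: 200,
    body: '<html><head><meta http-equiv="refresh" content="0;url=https://cdn.example-tds.test/go.php"></head></html>',
  },
  "https://cdn.example-tds.test/go.php": {
    status: 200,
    body: '<script>window.location.replace("http://landing.example-bad.test/gate.php?x=1");</script>',
  },
  "http://landing.example-bad.test/gate.php?x=1": {
    status: 200,
    body: "<html><body><!-- an exploit kit landing page would sit here --></body></html>",
  },
};

const DECLARED_CLICK_URL = "https://ads.example-network.test/click?id=123";
const chainResult = followChain(DECLARED_CLICK_URL, (u) => CAPTURE[u]);
console.log(hostsInChain(chainResult).join(" -> "), "|", chainResult.stopped);
```

The chain for the constructed capture runs `ads.example-network.test -> track.example-affiliate.test -> cdn.example-tds.test -> landing.example-bad.test`, which is exactly the gap between what the publisher sees (the first host) and where its visitors end up (the last). The loop guard and hop limit matter in practice: redirect loops and very long chains are common in ad traffic, and an unbounded follower will hang.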
So a good case can be made for the effectiveness of these attacks. Until recently, however, they were seen as only a minor source of criminal activity, though with the potential to be much more. Back in November of 2014, Rahul Kashyap, chief security officer at security company Bromium, noted that “the interesting thing is, many of these [malvertising] exploits are not [using] the really sophisticated malware. They are not like what you would encounter in a targeted attack. This means the sophistication is yet to come.”
That was six months ago. Since then, the Huffington Post has served ransomware malvertising that locked visitors’ computers and demanded $300 to unlock them. Google has been hit a couple of times, with its DoubleClick network used to serve malicious ads. Other sites, mostly adult sites, have carried malvertising that eventually delivers the CryptoWall ransomware. Recently, Facebook teamed up with the security firm RiskIQ to fight malvertising, and Google is moving its ad serving to HTTPS, which protects ads from tampering in transit, although not from a malicious advertiser.
The real worry, and a real possibility, is that this attack vector could be used in more serious attacks on sensitive information, and even in nation-state attacks. In testimony before the Senate Committee on Homeland Security and Governmental Affairs (Emerging Threats to Consumers within the Online Advertising Industry), Craig Spiezle of the Online Trust Alliance pointed out that
“criminals are becoming experts in targeting and timing, taking advantage of the powerful tools and data available to internet advertisers. They are data driven marketers with precision to reach vulnerable segments of society or high net worth audiences. They have been enabled to choose the day and time of exploits as well as the type of device they choose to target.” In other words, it is simply a matter of time before malvertising is used to compromise major corporations or government agencies.
Can it be stopped? Companies can blacklist sites known to host malware, but malvertising occurs on legitimate sites that it would be counterproductive to block. One solution is to require anyone connected to a network to use ad blocking software. This, however, may have negative long-term effects, as the free use of many sites on the internet depends on the income their ads generate. Some sites offer an ad-free service for a monthly fee, but this is a choice that few people are willing to make. My own experience with ad blockers is that they slow down browsing and cause other problems. I’m not alone in this opinion. This being the case, it would only be a matter of time before employees connected to a network found ways around the ad blocking requirement. Besides, hackers, being the persistent people that they are, will no doubt eventually find a way to compromise the ad blockers themselves.
The malvertising issue is not going away soon. Last year saw a 391% increase in malvertising, and we can expect a similar three-digit increase this year. However, it will probably take a devastating, high-profile malvertising-based attack to get the average internet user to take any precautions at all.
Malvertising attacks can compromise any device. If that device happens to be connected to a network, then that device can be used to launch an attack against the entire network and all the information stored within it. InZero Systems is aware of this threat, which is why it separates one device into two at the hardware level. Sure, an endpoint, a device, can be compromised by malvertising. There’s nothing much that can be done to stop that. However, the sensitive data on the network cannot be compromised if it has InZero architecture because the hardware barrier prevents any attempts at attack. Secure the endpoints on your network the best that you can, but secure your data even more.