Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Online advertisements provide a solid platform for spreading malware because significant effort is put into them in order to attract users and sell or advertise the product. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."
Malvertising is a fairly new concept for spreading malware and is even harder to combat because it can work its way into a webpage and spread through a system unknowingly: "The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from... infections delivered through malvertising silently travel through Web page advertisements." It is able to expose millions of users to malware, even the most cautious, and is growing rapidly: "In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising." Attackers have a very wide reach and are able to deliver these attacks easily through advertisement networks. Companies and websites have had difficulty diminishing the number of malvertising attacks, which "suggests that this attack vector isn’t likely to disappear soon."
How it works
Websites or web publishers unknowingly incorporate a corrupted or malicious advertisement into their page. Computers can become infected pre-click and post click. It is a misconception that infection only happens when visitors begin clicking on a malvertisement. "Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site, which could be malicious. Malware can also be found in the delivery of an ad – where a clean ad that has no malware pre or post click (in its build and design) can still be infected whilst being called. Malicious code can hide undetected and the user has no idea what's coming their way. A post-click malvertisement example: "the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web." Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. A redirection that is taking place only needs to be co-opted in order to infect a user's computer.
Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations."
Some malvertisements can infect a vulnerable computer even if the user never clicks on the (normal-appearing) advertisement.
2007/2008: The first recorded sighting of malvertising was back in late 2007 / early 2008. This threat was based on a vulnerability in Adobe Flash (something that has continued to this day – see later) and affected a number of platforms including, MySpace, Excite and Rhapsody.
2009: The NY Times online magazine was found to be serving up an ad that was part of a larger click fraud scam that created a botnet network of malware infected computers, nicknamed the Bahama botnet, that then went onto be used to carry out click fraud on pay per click ads all over the web. The banner feed of The New York Times was hacked for the weekend of September 11 to 14, causing some readers to see advertisements telling them their systems were infected and trying to trick them into installing rogue security software on their computers. According to spokeswoman Diane McNulty, "the culprit approached the newspaper as a national advertiser and had provided apparently legitimate ads for a week", and the ads were switched to the virus alert malvertisement afterwards. The New York Times then suspended third-party advertisements to address the problem, and even posted advice for readers regarding this issue on its technology blog.
2010: Malvertising really takes off. Marketing analysts ClickZ noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3500 sites carrying malware. In the same year the Online Trust Alliance formed a cross industry Anti-Malvertising Task Force.
2011: Spotify had a malvertising attack which used the ‘Blackhole’ exploit kit – this was one of the first instances of a drive-by download, where a user doesn’t even have to click on an ad to become infected with malware. According to Bluecoat Security Systems Report 2011, saw an increase of 240% in malvertising based malicious sites.
2012: Symantec includes malvertising as a section in their Internet Security Threat Report 2013 which looked back at the landscape in 2012. Symantec used scanning software across a series of websites and detected that half of them were infected with malvertising. In 2012, the LA Times was hit by a massive malvertising attack which used the Blackhole exploit kit to infect users. It was seen as part of a general campaign of malvertising to hit large news portals – this strategy carried on into subsequent years with attacks on huffingtonpost.com and the NY Times.
2013: A major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion. The malware exploit was based on the commonly used web attack, Cross Site Scripting (XSS), number three in the top ten web attacks types identified by the Open Web Application Security Project (OWASP). The attack infected users machines with the ransomware, ‘Cryptowall’, a type of malware that extorts money from users by encrypting their data and placing a ransom of up to $1000 in bitcoins, to be paid in 7 days, to decrypt the data.
2014: The year of the malvert with a 325% increase in malvertising attacks according to Security firm Cyphort. 2014 saw major malvertising campaigns against Google DoubleClick and Zedo ad networks. Again news portals including Times of Israel and the Hindustan Times were affected. As in previous attacks the cybercrime involved Cryptowall as the malware infection. This spate of malvertising was believed to have brought over $1 million of ransom money in by infecting over 600,000 computers.
2015: To date, malvertising has continued unabated and is truly coming into its own. 2015 is the year that malvertising really hit the mobile user. McAfee has identified, in their Threat Report for February 2015 that malvertising is growing quickly on mobile platforms and is expected to continue to grow rapidly, targeting mobile users. This year has seen attacks against, eBay, answers.com, talktalk.co.uk, wowhead.com and many others. It involved breaches of ad networks, including, DoubleClick and engage:BDR. There was also a report of possibly the first ‘political malvertising’ campaign by pro-Russian activists which was based on a botnet, which then forced users machines to visit bogus sites that generated ad revenue for the activists. The users also ended up at several pro-Russian propaganda videos.
More examples of malicious advertisements
Several popular websites and news sources have been victims to malvertising and have had malicious advertisements placed on their webpages or widgets unknowingly, including Horoscope.com, The New York Times, the London Stock Exchange, Spotify, and The Onion.
Types and modes
By visiting websites that are affected by malvertising, users are at risk of infection. There are many different methods used for injecting malicious advertisements or programs into webpages:
- Pop-up ads for deceptive downloads, such as fake anti-virus programs that install malicious software on the computer
- In-text or in-content advertising
- Drive-by downloads
- Web widgets in which redirection can be co-opted into redirecting to a malicious site
- Hidden iframes that spread malware into websites
- Content delivery networks exploited to share malware
- Malicious banners on websites
- Third-party advertisements on webpages
- Third-party applications, such as forums, help desks, and customer relationship management and content management systems
There are several precautions that people can take to lessen their chances of getting tricked by these advertisements. Besides just learning about them, users can download internet browsers that can detect websites that have malware advertisements on them, such as Internet Explorer 9 or Google Chrome, which "includes some security advances that make attacks more difficult." Commonly used programs such as Adobe Flash Player and Adobe Reader can have their flaws exploited, and become vulnerable to attacks, so it is important to keep them up to date. Users can also download anti-virus software that protects against threats and removes malicious software from their systems. Users can also push companies and websites to scan advertisements before making them active on their webpages. Users can also use ad blocking software to avoid downloading the malware contained in advertisements or a specific browser extension alerting malvertising campaigns.
- William Salusky (2007-12-06). "Malvertising". SANS ISC. Retrieved 2010-08-05.
- Online Trust Alliance (2012-07-29). "Anti-Malvertising Resources". Online Trust Alliance. Retrieved 2013-05-25.
- Sood, Aditya; Enbody, Richard (April 2011). "Malvertising - exploiting web advertising" (PDF). Computer Fraud and Security: 11–16. Retrieved 26 February 2013.
- Bobbie Johnson (25 September 2009). "Internet companies face up to 'malvertising' threat". The Guardian. Retrieved 2010-08-05.
- "The rise of malvertising and its threat to brands". Deloitte. 2009.
- Zeltser, Lenny. "Malvertising: Some Examples of Malicious Ad Campaigns". Lenny Zeltser on Information Security. Retrieved 22 March 2013.
- "Five-month malvertising campaign serves up silent infections". Infosecurity. Reed Exhibitions. Retrieved 18 March 2013.
- "A rising security threat: Malvertising". Bullguard. Retrieved 18 March 2013.
- Siciliano, Robert (2014-04-08). "Business Identity Theft; Big Brand, Big Problems". Retrieved 10 August 2014.
- Picchi, Aimee (14 September 2009). "Malvertising hits The New York Times". The Daily Finance. Retrieved 26 February 2013.
- Johnson, Bobbie (Sep 25, 2009). "Internet companies face up to 'malvertising' threat". The Guardian. Retrieved 26 February 2013.
- Finley, Klint. "Report: The 3 Biggest Enterprise Website Malware Vulnerabilities". Readwrite Enterprise. SAY Media. Retrieved 22 March 2013.
- Richmond, Riva. "Five Ways to Keep Online Criminals at Bay". Personal Tech. The New York Times. Retrieved 26 February 2013.
- Shaun Nichols (14 August 2015). "You've been Drudged! Malware-squirting ads appear on websites with 100+ million visitors". The Register. Retrieved 2015-08-15.
- Thomas George (2015-10-09). "Malvertising up 325% – Are the AdBlockers Working?". Check&Secure. Retrieved 2015-10-25.