The Anatomy of Malvertising

Malicious Advertisements

Online advertising companies are notorious for not protecting their information systems from malware, and that has resulted in a flood of malware infections commonly known as a malvertisement. Thousands of computers can be infected within minutes of a malvertisement going live. Online advertisement companies have made a small course correction in the last two years, but the effort is not nearly enough to stem the tide of malvertising. Publishers and ad brokers still lack authentication and authorization mechanisms along with necessary malware scanning because of the volume of advertisements that are submitted, so a complaint system is used to tackle issues. We carefully review which advertisements are placed on our website, so you don’t have to worry.

How Online Advertising Works

Advertisers, or merchant, is the company that wants to create an ad campaign to sell a product or service. The Advertiser doesn’t know how to create an effective ad in most cases, except if they have in-house staff with expertise, so the Advertiser consults with an advertising agency to create the ad campaign. The advertising agency has a network of publishers that place the ads on websites that are called advertising brokers. Advertising brokers present problems of their own because they are used for command and control servers for malware.

There are three ways to make money with online advertising. Pay-per-impression is when an advertiser pays a fee when an ad is displayed, pay-per-click is when an advertiser pays a fee when a user clicks on an ad, and pay-per-action is when an advertiser pays a fee when the user purchases a product, signs up for a newsletter or completes a survey.

The Malware

The problem lies in hackers making ads and placing the ads in the information systems of ad brokers that little to no ethical standards and high volume ad servers. The majority of malvertising is in pop-ups (which is why browsers have pop-ups prohibited by default) and banners. IFRAME’s are once again the culprit in delivering a malicious payload because they can be visible or invisible and navigate to a malicious website that will download and execute a file without your permission or knowledge that is called a drive-by-download. Malicious code can also be embedded with the advertisement code, so when the advertisement is loaded into the webpage, the malicious code is also executed. I covered IFRAMEs as a potential attack vector for Bad Rabbit.

Exploit kits (EK) are the preferred malicious code for malvertising because the exploit kits can be purchased on the dark web and designed to work “out of the box,” so there is little experience needed to start infecting computers. Exploit kits contain code that tricks software like Flash, Shockwave, and Java into executing malicious code instead of the software code for flash, for example. Two of the most popular exploit kits of all time are Angler and RIG because vulnerabilities they exploit are in Internet Explorer, Flash, Microsoft Edge, and Silverlight in their most recent versions.

Hackers have a myriad of reasons to infect your computer through online advertising. A popular motivator for malvertising is click-fraud that is malware running memory that connects to web pages to increase traffic to make hackers money for pay-per-impression, conduct a denial of service, or download other malware such as keyloggers and backdoors. Click-jacking hijacks a click the user performs on an object in a web page and routes the user to a web page that the user didn’t intend to visit.

How You Can Protect Yourself

You can use an ad blocker plugin in the browser you use, but ad blockers are unable to protect you from anything that slips through and can be bypassed or disabled if an attacker has the skill. A complete solution would be to use an antivirus that has ad blocking capability. The following list is meant to be comprehensive and not an endorsement. Notes will be added to help you make a decision.

  • Adaware – browser plugin for Chrome and includes antivirus
  • Avast Online Security – browser plugin for Chrome and includes antivirus, Avast has been hacked
  • Norton Ad Blocker – available for iOS only through iTunes, Norton has an inconsistent protection history
  • Sophos – truly free antivirus because they will not ask you to purchase a “pro” version to unlock features
  • Kaspersky Internet Security – Good protection, price is $80.00 annually; there is suspicion of the Russian government using Kaspersky software for spying

There are a lot of fake ad blockers in the Chrome Store that are difficult to tell apart from the real ad blockers, so I did not include Adblock Plus.

Leave a Reply