Online advertising is a vital source of revenue for many websites and businesses. It allows them to reach millions of potential customers and showcase their products or services. However, online advertising also comes with a serious risk: malvertising.
Malvertising, or malicious advertising, is the use of online advertising to spread malware or redirect traffic to harmful websites. Malware is any software that can harm your computer or device, such as viruses, ransomware, spyware, trojans, etc. Malvertising can infect your device without your knowledge or consent, compromising your privacy, security and performance.
In this article, we will explain what malvertising is, how it works, what types of malvertising attacks exist, some real-world examples of malvertising campaigns and how you can prevent malvertising attacks.
This is part of a series of articles about Cybersecurity.
What is malvertising?
Malvertising refers to the practice of inserting malicious code or content into legitimate online advertisements. These advertisements are then distributed through online advertising networks or platforms that display ads on various websites.
The goal of malvertising is to infect users’ devices with malware or redirect them to malicious websites that can steal their personal information, extort money from them or perform other harmful actions. Malvertising can affect any website that displays ads, even reputable ones.
Malvertising differs from other online threats because it can infect a device without the user clicking on or downloading anything. It can exploit vulnerabilities in browsers, plugins or software to execute malicious code automatically when users load a web page that contains an infected ad. This is known as a drive-by download attack.
Alternatively, malvertising can use social engineering techniques to trick users into clicking on fake alerts or offers that lead them to malicious websites. This is known as a clickbait attack.
Malvertising can also use a combination of both methods to increase its chances of success.
Tal Zamir, CTO, Perception Point
Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.
TIPS FROM THE EXPERTS
- Implement real-time ad scanning and monitoring
Collaborate with ad networks that offer real-time scanning and monitoring of advertisements for malicious content. This proactive approach can catch evolving threats before they reach end users.
- Utilize machine learning to detect anomalies
Incorporate machine learning algorithms to analyze ad behavior patterns and detect anomalies that could indicate malicious intent. This can be more effective than traditional signature-based detection methods.
- Educate users about ad-related phishing tactics
Train your users to recognize and avoid phishing tactics that often accompany malvertising, such as fake alerts or offers. Awareness is a critical line of defense against these social engineering attacks.
- Use a web application firewall (WAF) with malvertising-specific rules
Configure your WAF to block known vectors of malvertising attacks, such as drive-by downloads or iframe-based redirects. A WAF with up-to-date threat intelligence can effectively mitigate such risks.
How does malvertising work?
Malvertising works by exploiting the complex and dynamic nature of online advertising. Online advertising involves multiple parties: advertisers who create ads; publishers who display ads on their websites; ad networks who connect advertisers and publishers; ad exchanges who facilitate bidding for ad space; ad servers who deliver ads; and users who view ads.
Malvertisers take advantage of this system by posing as legitimate advertisers and submitting infected ads to ad networks or exchanges. These ads may look normal and harmless but contain hidden code or content that can trigger malware infection or redirection.
Ad networks and exchanges often do not have enough resources or time to thoroughly check every ad they receive for malware. They may also rely on automated systems that can be bypassed by sophisticated malvertisers. As a result, infected ads can slip through the cracks and reach unsuspecting publishers and users.
When users visit a website that displays an infected ad, one of two things can happen:
- The infected ad executes its malicious code automatically when the web page loads (drive-by download). The code may exploit a vulnerability in the browser, plugin or software, to install malware on the user’s device, or open a new tab or window that redirects the user to a malicious website.
- The infected ad displays a fake alert or offer that entices the user to click on it (clickbait). The alert or offer may claim that the user’s device has been infected, that they have won a prize, that they need to update their software, etc. When the user clicks on it, they are redirected to a malicious website that tries to infect their device with malware or scam them out of money or information.
In other malvertising attacks, a user may search for a particular software and encounter an ad that appears to be for the desired software. However, upon clicking the ad and downloading the supposed software update, the user unknowingly installs malware onto their device. The malware may impersonate the desired software and claim to be legitimate while performing malicious actions in the background.
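On the publisher side, one check against the automatic redirect described above is to confirm that every ad iframe carries a restrictive sandbox attribute. The following is an added example, not code from the original article or from Perception Point; the markup, the ads.example host and the function names are constructed for illustration.

```javascript
// Added example: audit ad-slot iframes for sandbox settings that allow forced
// redirects. SAMPLE_PAGE is constructed markup; ads.example is a placeholder.
const SAMPLE_PAGE = `
<iframe id="slot-a" src="https://ads.example/a"></iframe>
<iframe id="slot-b" src="https://ads.example/b"
        sandbox="allow-scripts allow-top-navigation allow-popups"></iframe>
<iframe id="slot-c" src="https://ads.example/c"
        sandbox="allow-scripts allow-popups allow-top-navigation-by-user-activation"></iframe>
`;

// Sandbox tokens that weaken protection against redirects and pop-ups.
const RISKY_TOKENS = {
  'allow-top-navigation': 'frame may navigate the top-level page without a user click',
  'allow-popups-to-escape-sandbox': 'windows opened by the ad are not sandboxed',
};

// Parse the attributes of one <iframe ...> start tag into a lowercase-keyed map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per weakness. Assumes attribute values contain no '>'.
function auditAdFrames(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const id = attrs.id || attrs.src || '(unnamed)';
    if (!('sandbox' in attrs)) {
      findings.push({ id, issue: 'no sandbox attribute: the page places no limit on navigation or pop-ups' });
      continue;
    }
    // Exact token match, so allow-top-navigation-by-user-activation is not flagged.
    const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    for (const [token, why] of Object.entries(RISKY_TOKENS)) {
      if (tokens.has(token)) findings.push({ id, issue: `${token}: ${why}` });
    }
  }
  return findings;
}

console.log(auditAdFrames(SAMPLE_PAGE));
```

On the sample markup it reports slot-a (no sandbox) and slot-b (unconditional top-level navigation), and passes slot-c, which only permits navigation after a user gesture.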
Types of malvertising attacks
Malvertising attacks can take different forms and use different techniques to infect your devices or steal your data. Here are some common types of malvertising attacks:
– Drive-by downloads: These are malvertisements that automatically download and execute malware on your device without your consent or knowledge. They exploit vulnerabilities in your browser, plugins, or operating system to run malicious code when you load a webpage that contains the infected ad. You don’t even need to click on the ad to trigger the attack.
– Clickjacking: These are malvertisements that trick you into clicking on something that you don’t intend to click on. They overlay invisible or disguised elements over legitimate content or buttons on a webpage. For example, they may hide a malicious link under a play button for a video or an exit button for a pop-up window. When you click on them, you unknowingly activate the malicious link and get redirected to a harmful website or download malware.
– Fake alerts: These are malvertisements that display fake warnings or offers on your screen to scare or tempt you into clicking on them. They may claim that your device is infected with malware, that you need to update your software, that you have won a prize, or that you can download a free program. When you click on them, they either install malware on your device or take you to phishing websites that try to steal your personal information.
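The clickjacking pattern above (a hidden link placed over a play or exit button) can be detected from a snapshot of element positions and styles. The following is an added example, not code from the original article; the layout data, host names and function names are constructed, and it assumes the snapshot fields were collected in the browser with getBoundingClientRect() and getComputedStyle().

```javascript
// Added example: flag near-invisible cross-origin links stacked over page controls.
// SAMPLE_LAYOUT is constructed data. In a browser the fields would be collected
// with getBoundingClientRect() and getComputedStyle(); rect is [x, y, width, height].
const SAMPLE_LAYOUT = [
  { id: 'play-button', kind: 'control', rect: [100, 100, 80, 80], z: 1, opacity: 1 },
  { id: 'close-popup', kind: 'control', rect: [400, 20, 24, 24], z: 5, opacity: 1 },
  { id: 'ad-overlay', kind: 'link', href: 'https://landing.example/offer',
    rect: [90, 90, 100, 100], z: 10, opacity: 0.01 },
  { id: 'site-banner', kind: 'link', href: 'https://publisher.example/news',
    rect: [0, 0, 600, 15], z: 10, opacity: 1 },
];

// True when the centre of `inner` (where a user is likely to click) lies inside `outer`.
function coversCentre(outer, inner) {
  const [ox, oy, ow, oh] = outer;
  const cx = inner[0] + inner[2] / 2;
  const cy = inner[1] + inner[3] / 2;
  return cx >= ox && cx <= ox + ow && cy >= oy && cy <= oy + oh;
}

// Simplification: compares z values directly rather than resolving stacking contexts.
function findHiddenOverlays(layout, pageOrigin, maxOpacity = 0.1) {
  const controls = layout.filter((el) => el.kind === 'control');
  const hits = [];
  for (const el of layout) {
    if (el.kind !== 'link' || el.opacity > maxOpacity) continue; // visible links are fine
    if (new URL(el.href).origin === pageOrigin) continue;        // same-site link
    for (const c of controls) {
      if (el.z > c.z && coversCentre(el.rect, c.rect)) {
        hits.push({ overlay: el.id, covers: c.id, target: el.href });
      }
    }
  }
  return hits;
}

console.log(findHiddenOverlays(SAMPLE_LAYOUT, 'https://publisher.example'));
```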
Real-world malvertising examples
Malvertising is not a hypothetical threat but a real and growing problem that affects millions of users and websites every year. Here are some examples of recent malvertising campaigns:
– In 2018, a massive malvertising campaign targeted iOS devices and hijacked 300 million browser sessions in just 48 hours. It injected malicious code into legitimate online ads and webpages, so that when victims clicked on those pages, they were forcibly redirected to a malicious page. In this case, the ad unit forcibly redirected mobile users to adult content and gift card scams. The attacker spent about $200,000 to run the campaign and is believed to have taken in around $1 million in 2 days.
– eGobbler is a threat group that operates malvertising campaigns. eGobbler has been active since 2019 and has targeted iOS and desktop users using Chrome and Safari browsers. eGobbler exploits vulnerabilities in WebKit, the browser engine used by these browsers, to bypass the security sandbox and hijack user sessions. According to Confiant, a security firm that tracks eGobbler’s activity, the group has infected over 1 billion ads between August and September 2021. Google and Apple have patched some of the WebKit vulnerabilities exploited by eGobbler, but others may still remain unpatched.
Prevent Malvertising Attacks with Perception Point
Malvertising is a serious threat to online security and privacy. It involves injecting malicious code or malware into legitimate online advertisements that are displayed on various websites.
Malvertising can infect users’ devices with malware, redirect them to phishing or scam sites, or expose them to unwanted content. Malvertising can also compromise the reputation and revenue of website owners and advertisers who unknowingly host or distribute infected ads.
To protect against malvertising, users should keep their software updated, avoid clicking on suspicious or intrusive ads, and use ad blockers or browser extensions that can filter out malicious ads and websites.
Here are a few more steps users should take to prevent malvertising attacks:
– Keep their browsers and software updated with the latest security patches.
– Use ad blockers to block ads on websites. This method is not very effective as many modern websites require that you disable your ad blocker.
– Avoid clicking on suspicious or intrusive ads, especially those that offer free downloads, prizes, or alerts.
– Be wary of any unexpected redirects or changes in browser behavior.
– Use a security-focused browser extension that can block malicious websites, scripts and pop-ups along with phishing and malicious downloads. Perception Point’s Advanced Browser Security offers an extension that can be highly effective in blocking such threats.
Perception Point Advanced Browser Security adds enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.
By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.
An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.
Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.