Malware analysis

Malware spotlight: Malvertising

Introduction: The impact of malicious ads

One of the most deceptive ways cybercriminals use to distribute malicious software (malware) is malvertising. This is delivered through booby-trapped advertisements onto the computers and mobile devices of users that visit legitimate webpages and can infect many people quickly.

As more and more people use the internet to advertise, cybercriminals have taken advantage of the ad industry. The concept is simple: taking advantage of empty ad slots, hackers can infect unaware users who are visiting a normal and safe internet page and trusting the advertisements on it. In reality, after clicking on the links found on the page or even just after loading the webpage, infections can spread and catch users off guard.

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Start Learning

The best way to prevent this from happening is to know how malvertising works and learn key defense strategies that can counter it. This requires some user awareness of what suspicious ads on websites might look like and being conscious of redirects to unfamiliar webpages that bring the victim to load the attacker's site.

What is malvertising?

Malvertising (a combination of the words “malware” and “advertising”) uses a technique which allows cybercriminals to access personal and/or corporate data by disguising their attack as a legitimate item within a webpage. This digital threat uses online ads to infect computers with malware or adware, either by luring users to click on a pop-up window or through a forced browser redirect to a landing page which might contain malicious code. Malvertising is dangerous, as it can be deployed even without clicking on a link.

According to a report published by Bromium, a startup based in California that works with virtualization technology and threat isolation to prevent data breaches, more than 50 percent of malvertising is unknowingly hosted on those types of websites that, given their popularity, have the potential to infect scores of web surfers. Many of them are home, non-corporate users who don’t have suitable web filtering or security apps in place to prevent attacks from being successful and, therefore, malicious attempts can be more successful and difficult to detect. 

“Some of the world’s most popular websites, including those of the New York Times [2009], Spotify and the London Stock Exchange [2011] have inadvertently displayed malicious ads, putting their users in jeopardy,” writes Andrada Fiscutean, a technology journalist and CSO contributor. The malvertising attacks on Facebook’s game Farm Town and the malvertisement promoting the latest version of Adobe Flash Player that was embedded in Microsoft's search engine Bing (also in 2010) are also notorious.

More recently, Yahoo's ad network fell victim to a "malvertising" attack in 2015. Then there were the attacks on the BBC, AOL and MSN, all of whom became victims of a 2016 malvertising campaign designed to spread the Angler exploit kit — a common infection method nowadays used by cybercriminals to distribute malware and install ransomware payloads. In 2018, cybercriminals delivered malicious advertisements worldwide using the HiBids advertising platform while in other cases, the Google DoubleClick advertising network was targeted by a malvertising attack mining for cryptocurrencies such as Bitcoin.

How does malvertising work?

As RiskIQ writes, “Threat actors perform Malvertising all kinds of ways. Sometimes it’s via a drive-by-download, where the target user doesn’t even have to be tricked into clicking on a malicious link; the ad downloads the infection from the iframe, often without their knowledge. Sometimes, the ad will download software which collects information on the user’s computer, or adbots that add to a wide-ranging fraudulent ad network.”

Malvertising campaigns are carried out usually disguised as Flash files, in JavaScript code, within GIF animated pictures or malicious URLs or plugins like Silverlight.

 Per Malwarebytes Labs, malvertising:

• Is a popular infection method which reached its peak in 2016
• Often uses malware that's spread through “dodgy” online ads
• Might employ code that can infect and root a PC system or mobile device, forcing it to download specific adware types and allowing attackers to steal personal information
• May use an infected iframe or invisible web page element to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via an exploit kit. Or all this may happen without the user’s knowledge, which is why it’s often referred to as a drive-by-download; this can deposit malware in a drive-by attack requiring no user interaction

Note: Malvertisement can be confused with adware — another form of malware affecting online advertisements. The latter, however, is a program running on a user’s computer, often downloaded together with legitimate software unbeknown to the user. It either mines data on users’ online habits or redirect their searches to unrequested websites.

How serious is malvertising? 

PC Threat, a site designed to document spyware threats and ways to get rid of threats, believes malvertising poses a serious danger level to security. The seriousness of this threat is given by the difficulty of spotting it and the sheer number of infected ads. Per GeoEdge, an IT vendor of anti-malvertising solutions, up to 1 in 100 ads is not safe.

In addition, the fact that infections can spread also without an active click by the user is even more worrisome. According to GeoEdge, auto-redirects accounted for 47.5 percent of all malvertising in the last quarter of 2018 and malicious ad pre-clicks (drive-by downloads or malicious code embedded in the main scripts of a page) made up 25 percent of incidents. Only 7 percent were actually incidents due to malicious ad post-clicks, activated by users clicking on ads. This multiple infection methods make it harder for security scanners to identify attacks, making this malware all the more dangerous.

The current state of malvertising

Ads have been used to spread malware for years, but only recently have they got the attention of web users. Malvertising was first recorded in 2007 when an Adobe Flash campaign targeted visitors on sites such as MySpace. The threat has continued to this day, which is clearly evident by the number of malvertisements recorded year over year. Especially in the past five years, the increase of incidents has been impressive with a peak between 2013 and 2016. Per a Cyphort Labs Special Report, in fact, there was a 325% increase in malvertising from 2013 to 2014. Research from RiskIQ confirmed that malvertising rose by 132% from 2015 to 2016.

Though malvertising has recently decreased as browsers became more secure and limits to redirect are often imposed, the threat is still real. In the beginning of 2019, for example, “a malvertising campaign has been targeting Macs since at least mid-January, with at least a million machines exposed,” writes Paul Wagenseil, a senior editor at Tom’s Guide. “The malicious ads lure users into updating their Adobe Flash players — but that update is really a downloader called Shlayer that opens up the Mac to even more malware.” 

How do you avoid malvertising? 

Since many adverts do commonly appear on credible ad networks for publishers and on popular websites with affiliate marketing, people often don’t hesitate to click on pop-up ads, unaware that the content might contain intrusive advertising (malvertising). Consequently, it’s become an increasing challenge for individuals and organizations alike to detect and mitigate this threat. Nevertheless, much effort is being put into trying to counteract it via technical security tools and awareness training for users.

On the technical side, security scanners and antivirus tools are often updated to detect the newest scams. Vulnerability patches should also promptly be downloaded and installed. Web browser settings should disable autoplay of Java and Flash (often used for malvertising), and some computer users are actually limiting the use of Flash and Java altogether. Adblocker plugins, pop-up blockers and script blockers are widely used to avoid any type of malware that becomes intrusive in the same way.

User awareness, however, is always the best starting point. Helping them recognize fake ads is one of the best defenses, especially in the case of after-click malware infections. Ads that have misspellings or that convey a sense of urgency (click within five seconds to claim a prize, for example), that promise the impossible or that make claims of 100% safety or privacy for data, all display warning signs. Particular attention should always be given to ads about lotteries, sexual content, sweepstakes and free downloads.

Conclusion

Malvertising remains one of the top attack types detected by intrusion protection systems (IPS) and is one of those threat actors that all web users need to be aware of today. This threat is very effective and can easily infect networks in a variety of ways that sometimes don’t even require much user’s interaction. Fraud, stolen data, disruption of website content and brand reputation damage are all possible outcomes of becoming victim of malvertising.

“Malvertising is particularly effective, as it’s difficult to detect and take down because malicious ads are delivered through ad networks and not resident on web pages,” RiskIQ explains. Links and websites appear as legitimate and, in many cases, users are redirected to infected sites without even realizing it. Embedded malicious code could be in a Flash file or a PNG file, for example, or might redirect victims to an exploit kit landing page after clicking on an advertisement.

Proper tools, continuous patch updating and, above all, awareness training are all essential elements of proper countermeasures to prevent this difficult-to-deal-with malware threat.

 

Sources

1. Malvertising, Center for Internet Security
2. Malvertising - a new method to distribute malicious software, PCThreat.com
3. Malvertising, Malwarebytes
4. Malvertising Is Here: How to Protect Yourself, Tom's Guide
5. Malvertising: What is it and how to avoid it, Norton
6. Malvertising: What You Need to Know, Lastline
7. Malvertising: Avoid Bad Ad Invasion, Webroot
8. Malvertising: Some Examples of Malicious Ad Campaigns, Lenny Zeltser
9. Special Report: The Rise of Malvertising, Cyphort, Inc.
10. Why Malvertising Is Cybercriminals’ Latest Sweet Spot, Wired
11. A Look at the History of Malvertising, GeoEdge Ltd.
12. The Rise of Malvertising, Risk Management Monitor
13. Beware of the rise of malvertising, Information Age
14. RiskIQ Finds Malvertising on the Rise Once Again, RiskIQ
15. What is malvertising? And how to protect against it, CSO
16. RiskIQ’s Q4 2017 Malvertising Roundup: Malvertising Increased Again in 2017 but is Trending Down, RiskIQ
17. Exploit kits: spring 2019 review, Malwarebytes
18. Malvertising continues to pound legitimate web sites, CSO
19. Malvertising campaign strikes top websites worldwide, ZDNet
20. What is malvertising and why is it so dangerous on mobile?, Wandera
21. Malvertising Campaign Delivers Millions of Bad Ads, Infosecurity Magazine
22. 8 Reasons Why the Malicious Ad Threat Is Poised to Grow Even Worse, Trustwave
23. 1 Million Macs Exposed to Malvertising Scam, Tom’s Guide
24. Malvertising Explored, CSIAC
25. eGobbler Malvertiser Bypassed Browser Protections Using Obscure Bugs, Tripwire