Malvertising Thrives in 'Shady Parts' of Highly-Automated Ad Networks
This tactic also lets the attacker look for the telltale signs that a visitor is not a human, but an analyst's machine testing the advertisement for malicious activity, Malwarebyte's Segura said. "Attackers are highly motivated and they are looking for new vectors all the time," he said. "Ad banners not only redirect to Websites, but they fingerprint the Website. Rather than direct people to the exploit kit, they wanted to figure out the potential victims—and hide from researchers—for longer periods of time." The study looked at more than 100 fake advertising domains that had fake profiles and used malicious GIF advertisements to target only residential IP addresses. More than 40 percent of infections affected computers in the United States at a cost of 19 cents per 1,000 impressions. "The fingerprinting techniques—coupled with geolocation and IP checks—are effective but have been (historically) employed relatively late in the infection chain," the report stated. "It only made sense to add them at the traffic redirection phase to ensure only 'qualified' users were being redirected to exploit kits."Advertising networks and advertisers need to focus on being aware of who is supplying their content and forming a chain of trust from the publisher all the way down to the advertiser, said experts. Unfortunately, with real-time bidding and programmatic advertising making the ad-buying process faster, there is less time for anyone in the chain to make a decision on the content of an ad, said Christopher Budd, global threat communications manager with Trend Micro. "Advertising is a very fast market, and one thing we know in security is that speed kills … whether we are talking about shortened development time or trying to push things out and not spending enough time on a security architecture review," he said. "Doing it really well requires a more methodical approach." The speed factor was on display in the latest attack. The majority of the traffic sent to potential victims came during a 12-hour period late in the day on March 13—a Sunday, according to data from Trend Micro. Malvertising underscores the security problems in the advertising ecosystem posed by the inconsistent vetting of third-party content suppliers. While users are the ultimate victims, there is very little they can do to force publishers and advertising networks to insure that their content is non-malicious. However, users can harden their systems and treat with suspicion any odd Website behavior, Trend Micro's Budd said. Endpoint security software—whether an antimalware program, a network-based service such as OpenDNS, or an application firewall such as Little Snitch—can help catch malvertising before it infects a system. "At the end of the day, the more people make themselves non-viable targets, the more that this particular attack vector will evaporate," he said. "The criminals are not going to go away, unfortunately. If we make malvertising not worth the time, however, they will move onto something else."
The complexity of advertising networks and the ability of attackers to easily hide in a way that is not apparent to users raises questions about the best way to fight malvertising.