Malvertising Thrives in 'Shady' Parts of Highly-Automated Ad Networks

By Robert Lemos  |  Posted 2016-03-31 Print this article Print
Shady Malvertising

Attacks on highly-automated ad networks serving major Websites demonstrate that attackers are finding ways to exploit the poorly-defended online ad market.

For two days in mid-March, visitors to major news and information sites—such as the New York Times, Newsweek, The Hill and the Weather Network—may have been redirected to Web servers that attempted to infect visitors' systems with a variant of the Angler exploit kit and, ultimately, ransomware.

So far, the impact of the attack is unknown, but a single antivirus vendor, Trend Micro, recorded 41,000 infection attempts among its users between March 12 and 14. The attack hit visitors to AOL, the BBC, NFL, The Hill, Newsweek, the New York Times, MSN,, The Weather Network and the Xfinity portal, according to Malwarebytes, an endpoint security firm.

Another attack used ads on the site of a major British newspaper, The Daily Mail, to attempt to infect visitors the same week, but was likely part of a different campaign, the firm stated.

Overall, the attacks demonstrate that attackers can readily exploit weaknesses in the complex ad market and take advantage of the trust in publisher brands that have little to do with the trustworthiness of the ad content, Craig Young, security researcher with the vulnerabilities exposures research team (VERT) at Tripwire, told eWEEK.

"It is exploiting the fact that people have trust for popular Websites," he said. "If you go to the Website of a major newspaper, you are going to expect that it will have sanitized content. You would expect that an attacker would have to breach the security of the publisher to put something on the site."

However, malvertising makes an end-run around that assumed security, he said.

"Shady" ad networks

No wonder, then, that malvertising is—at least anecdotally—on the rise. Such attacks are happening more often—albeit, not always on such well-known sites—because attackers are becoming more sophisticated and more at ease with the complexities of the ad market, Jerome Segura, senior security researcher with Malwarebytes, told eWEEK.

"There are daily attacks and they typically happen via ad networks that are a bit shady, and by 'shady,' I mean companies that have very lax security practices," Segura said.

The advertising ecosystem is very complex, and that complexity allows attackers to thrive in the "shady" parts of the ecosystem—those areas where top-line publishers, advertisers and ad networks may not have visibility, he said.

Norman Guadagno, chief evangelist for data-backup and security firm Carbonite and a former ad agency representative, also argued that the complexity makes malvertising a tough problem to solve. Every day, advertising networks deliver some 314 billion ad impressions to Website visitors, according to Guadagno, citing numbers from the Goodway Group, an online marketer.

"It is a problem that is rooted fundamentally in the complexity of the ad ecosystem," he told eWEEK. "Between all the ad networks, all the sites, all the ads being served, all the code being used to make ads—it is a big, insanely complex ecosystem that has vulnerabilities."

Ad-savvy attackers

While the complexity of the advertising ecosystem helps malvertising hide, attackers are also becoming more knowledgeable about how to take advantage of that complexity.

In a recent study of one malvertising campaign, Malwarebytes found that attackers used targeted ads to focus on certain segments of the consumer marketplace and have started adding code to their ad banners that fingerprint the targeted computer, determining its operating system, browser and what security software it may be running, according to the firm.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel