Adobe Flash has long been used as a path for attacking computers through their browsers because it’s capable of executing code on remote Websites without users realizing it.
For this reason, Adobe has been in a constant war to find exploits and block them by providing updates to Flash as quickly as possible.
But it’s also been possible to keep malware at bay simply by not clicking on a Flash-enabled icon or video. If you didn’t click, nothing happened. Now that’s changed.
Recently, readers of The Huffington Post were greeted with a Hugo Boss ad that simply installed malware, in this case a version of Cryptowall ransomware, when it appeared in the browser. It’s worth noting that neither The Huffington Post nor Hugo Boss was involved in spreading the malware. Both were innocent parties.
What happened was a malware producer presented a falsified ad through a legitimate ad network, bid for placement and then sent the ad through. To make sure that the advertisement was accepted, the initial content for the ad was free of any malware.
Then, when it was time for the ad to be distributed, it was replaced with a “minor update” in the ad network, which then sent the advertisement through to end users just as it would a legitimate ad.
Involved were at least two major ad delivery networks, including Google’s DoubleClick and Merchenta, which in turn apparently received the ad placements through Bidable, a self-service real-time bidding platform. “Bidable had a rogue customer,” said Jerome Segura, senior security researcher at Malwarebytes, the security software company.
Segura said that the choice of the ad to infect was random and that the rogue customer was apparently acting as if it was handling advertising as a legitimate partner.
The problem arose because online ads are handled automatically, and at that volume checking individual ads for malware is very difficult, perhaps impossible. Worse, advertising agencies that submit the ads aren’t really screening them effectively, Segura said.
While malware advertising, or “malvertising,” isn’t new, the manner in which cyber-criminals carry it out is. This is the first time that the malware infection has taken place entirely on its own because of a Flash vulnerability. With this new type of infection, all a user has to do is visit a site where the infected ad shows up; there is no need to open the ad, execute anything or be redirected to another site. In this new attack, the ad is the malware.
New Malware Spreads Through Web Advertising Channels
“Another rogue advertiser could do the same thing,” Segura said.
Fortunately, there are ways for users to protect themselves. However, without significant diligence, it’s hard for companies to protect themselves from the effects of bogus advertising.
Users need to keep their operating systems, their browsers and software such as Flash constantly updated. This is especially important for Internet Explorer, where it’s easy to fall behind, and with Firefox, where until recently the update process had become cumbersome. One other browser, Google’s Chrome, updates itself every time it runs and for this reason has fewer vulnerabilities that can be exploited in this manner.
It’s also possible that some ad blockers will prevent infection, Segura said, and removing Flash will also work. But removing Flash on a Windows computer can disable some important functions while browsing. Another, perhaps more effective solution is not to use a Windows computer for browsing the Internet. This is one of the benefits of the refusal by Apple to allow Flash to run on its computers.
For businesses, this situation can be more problematic. Few businesses would knowingly allow their advertising to be hijacked, and none of the malvertising attacks took place with the knowledge or consent of the companies whose ads were infected. Those ads were simply downloaded, infected and then placed into the ad network without the knowledge of the company being depicted in the advertisement.
But that doesn’t eliminate the necessity for companies to continually watch to make sure their ads haven’t been compromised. Unfortunately, there doesn’t appear to be a good way to find and kill ads that have been hijacked, and even if they are found, it’s not necessarily easy to get the ad networks to stop running them. When Segura contacted DoubleClick and Merchenta, he said that only Merchenta responded and immediately killed the infected ad. He said that he never heard back from DoubleClick.
There are other solutions. Symantec has for years offered a service that detects infected ads on publishers’ Websites. The Symantec AdVantage service is designed to scan Websites and detect malware placed on them. Unfortunately, because ads are now changed almost constantly, Websites would have to be scanned constantly as well.
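One way a publisher or advertiser can catch the bait-and-switch described above (a creative approved clean, then swapped for a “minor update” that carries Flash content) is to fingerprint the creative at approval time and re-check what the network actually serves. The following is an added Python example, not code from the article or from any vendor named in it; the sample creatives, domains and file names are constructed.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample creatives (not from the article): the version submitted
# for review, and the "minor update" later pushed through the ad network.
APPROVED_CREATIVE = """<div class="ad"><a href="https://example.test/sale">
<img src="https://cdn.example.test/banner.png" alt="Sale"></a></div>"""
UPDATED_CREATIVE = """<div class="ad"><a href="https://example.test/sale">
<object type="application/x-shockwave-flash" data="https://cdn.example.test/b.swf">
<param name="movie" value="https://cdn.example.test/b.swf"></object></a></div>"""

FLASH_MIME = "application/x-shockwave-flash"


class PluginFinder(HTMLParser):
    """Collects <object>/<embed>/<param> references that would load a Flash movie."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("object", "embed"):
            src = a.get("data") or a.get("src") or ""
            if a.get("type") == FLASH_MIME or src.lower().endswith(".swf"):
                self.hits.append((tag, src))
        elif tag == "param" and a.get("name") == "movie":
            self.hits.append((tag, a.get("value", "")))


def fingerprint(creative: str) -> str:
    """SHA-256 of the creative markup; recorded when the ad is approved."""
    return hashlib.sha256(creative.encode()).hexdigest()


def find_flash(creative: str):
    """Return every Flash plugin reference found in the creative markup."""
    parser = PluginFinder()
    parser.feed(creative)
    return parser.hits


def verify_served(approved_hash: str, served: str) -> dict:
    """Re-check a creative as the ad network serves it: flag any drift from the
    approved fingerprint and any plugin content it now carries."""
    changed = fingerprint(served) != approved_hash
    flash = find_flash(served)
    return {"changed": changed, "flash": flash,
            "verdict": "block" if (changed or flash) else "allow"}
```

Any change against the approved fingerprint is enough to block on its own; the Flash check additionally explains why the swapped creative is dangerous even when no prior fingerprint exists.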
Still, for businesses that use the Web, it’s crucial to make sure their sites, especially e-commerce sites, aren’t infected. Once customers start getting malware from your site, the word will get out and your Website could become a ghost town. That doesn’t help you or your customers.