MOUNTAIN VIEW, Calif. — If malware and virus-infected email, spoofed identities, phishing exploits and straightforward hacking into personal and enterprise IT systems aren’t enough, there’s a lesser-known security phenomenon wreaking plenty of havoc on its own: malvertising.
Malvertising, derived from “malicious advertising,” is the use of online advertising to spread malware. Simply mousing over an infected ad can potentially inject malware-laden code from legitimate online advertising networks and Web pages into your browser, and then eventually into your PC, if the PC is not properly protected. Some of the more sophisticated malvertising ads can even work around firewalls.
Malvertising is a relatively new method of spreading malware; it is even harder to combat than other forms because it can work its way into a Web page and spread through a system without the user’s knowledge.
No Action Required for It to Affect a User
Malvertising does not require user action (such as a click) to compromise the system, and it does not exploit any vulnerabilities on the website or the server on which it is hosted. Infections delivered through malvertising silently travel through Web page advertisements.
Online advertisements are a powerful platform for spreading malware, because significant effort is put into them in order to attract users and sell a product.
“The punch line here is that this (malvertising) is very attractive to bad guys,” Elias Manousos, co-founder and CEO of RiskIQ told the audience March 18 at the Security Innovation Network’s IT Security Entrepreneurs Forum 2015 at the Computer History Museum here. “And why is it attractive? It comes down to targeting. Ads have evolved to target you as a consumer. The bad guys have figured this out.
“If you’re using the Internet at a hotel, a coffee shop, or even here at this conference, you’re being targeted by ads. When you go home, you’re being targeted by ads. Those advertisers know you were here and you went home.”
It’s All About Targeting the User
Targeting is characteristic of the perfect weapon, Manousos said. “Weapon delivery systems need targeting, and the ad ecosystem is delivering a targeting vehicle. Fundamentally, targeting breaks down into geolocation, IP address, your interests, and the intent that you have to actually buy a product or service. It’s a very big representation of who you are,” Manousos said.
So the sophisticated Internet vehicle for delivering advertisements — which has evolved into a true science 20 years into the history of the mainstream Internet — is also carrying a huge amount of malware through its networks. Analysts have estimated that in 2012, nearly 10 billion ad impressions were compromised by malvertising. Who knows how high that number might be today?
What’s probably most disturbing about these malvertising ads is that they can scale very quickly, Manousos said. “They (the bad actors) can actually take an ad and scale it very broadly. Now that it’s much targeted, once I get one person, then I can scale that around to thousands of Web sites and touch millions of people,” he said.
They are hard to detect, because if the bad guys just want to get one user, there’s no collateral damage, Manousos said.
Ads Are Lowest Barrier to Security
“The ad is the lowest barrier (to security), because the ad ecosystem has fundamental flaws,” he said. “When I found this out, I almost considered being a bad guy — almost literally. I don’t have to hack a site; I don’t have to send out a million emails; I don’t have to do a botnet. I can get to the same people, in a targeted way, through this ad system.”
Malvertising has been utilized for a long time — undoubtedly for years — but a widely publicized example came to light last fall, when advertisements with malicious code began showing up on a group of popular news and entertainment sites. They were infecting some visitors’ computers with a backdoor botnet designed to gather information on their systems and install additional malicious code. This was chronicled by eWEEK security contributor Robert Lemos in Ars Technica.
The attack impacted visitors to The Jerusalem Post, The Times of Israel, The Hindustan Times, Internet music service Last.fm, and India-focused movie portal Bollywood Hungama, among other sites. The malware campaign involved the compromise of San Francisco-based Internet advertising network Zedo, which provided advertising for the sites — and whose network was used to distribute malicious ads.
For 10 days, the company investigated multiple malware reports, retracing the attacker’s digital footsteps to identify the malicious files and shut the back door to its systems. It took some time, but Zedo eventually was able to shut off the flow of malvertising for all its sites.
Back Doors Must Be Closed
That’s what it’s all about: back doors. Data and device protection from malvertising requires attention from all sides:
* Web developers have to take stock of these threats when building their sites to make sure that these back doors either a) do not exist, or b) cannot be entered.
* Ad-serving providers must be equally vigilant.
* Users must have Web-aware security software active at all times.
“We need new approaches in order for protection schemes to anticipate and identify these ads and disable them before they can do damage,” Manousos said.
Security thought leaders and companies must keep innovating and working to find ways to stop and/or circumvent the malevolent interests who are perpetrating malvertising.
“As it is right now, the malvertising bad guys can just sit at home and let their wares work and don’t have to change a thing in this ecosystem,” Manousos said.
“The Internet economy is at risk of the very thing that powers it: Internet advertising. Global adversaries now infiltrate the ad ecosystem on a daily basis, injecting malware into Web and mobile devices via malvertisements. Ads are everywhere; everyone is affected. With so much at stake, it’s critical we detect and defend against this threat,” Manousos said.