Malvertising is malware bundled with online advertising, where the advertiser is generally an attacker aiming to compromise your computer system and the data it holds. A malvertising campaign may be bundled with other malicious campaigns, such as a ransomware campaign, for additional damage. Ransomware is malware designed to deliver a payload to the host’s computer and encrypt the data it holds. After the host’s data is fully encrypted, the attacker demands a ransom in exchange for the decryption key.
Malvertising can be combined with ransomware to infect the host’s computer system by exposing it to seemingly legitimate online adverts. When the host clicks on one of these adverts, his / her computer system becomes infected with the ransomware. Once infected, the files on the system are encrypted and a ransom is demanded in exchange for decryption.
How does malvertising spread?
Now that we know what malvertising is, the next question is how it spreads and makes its way to a host’s computer system. Malvertising spreads through online ad networks. These networks act as a gateway between advertisers and affiliates (the websites that host the adverts provided by advertisers).
These advertising networks are usually careful about whom they admit, but at times may fail to detect a malicious advertiser whose intent is to spread malware through the network. Once the advert is cleared, the ad network distributes it to its affiliate websites, where the malicious ad is displayed to readers. The advert tricks the reader into thinking it is legitimate; once the reader clicks on it, the malware is downloaded onto their system, infecting it.
Examples of malvertising
Malvertising on the New York Times
The New York Times website was a victim of malvertising in 2016 [1]. Its readers were exposed to a spoofed, malicious advert that was displayed throughout the website and across its user base. This particular malicious advert differed from the usual in that it did not require the user to click on the advert to become infected. Once users were infected, the attackers would demand a ransom to decrypt their data and restore access to their computer system. The advert used the Angler exploit kit to find vulnerabilities on the user’s computer and provide a gateway for the payload.
Malvertising on the London Stock Exchange
The LSE’s main website served malvertisements for over 90 days before the problem was detected and corrective measures taken [2].
Malvertising on Spotify
In 2016, Spotify was displaying malvertised content through its portals, due to an infection routed through a third-party ad network [3].
Malvertising through the Yahoo network
The Angler exploit kit was again at work during a malvertising attack through Yahoo’s ad network [4]. The malvertisers created a campaign on July 28th, 2015 to infect Yahoo users with the malware. The campaign went undetected because Yahoo had previously whitelisted a third-party ad server called AdJuggler, so the malware was seemingly approved on that basis. The corrupt advert was eventually reported to Yahoo and they took corrective action, but not before the malware had made its way to the Yahoo homepage itself.
Malvertising through Google AdWords
In 2016, malvertisers set their sights on Mac OS X users through the Google AdWords ad network. They lured unsuspecting users into downloading malware posing as Google’s Chrome browser. Once a user clicked on the ad, he / she would be routed to a splash page offering a software download; once the download began, a corrupt file called FLVPlayer.dmg would infect the user’s computer [5].
Google’s take on malvertising
Google provides a guide to help publishers and users combat malvertising [6]. Some of the tips it mentions are:
- Practice due diligence on the part of publishers
- Recognize suspicious behaviours and patterns from new advertisers
- Be extra-diligent about website redirects
- Use an up-to-date anti-virus
- Beware of Social Engineering tricks used by malvertisers
Malvertising through Pop-ups
All malvertising methods use one form or another of steganography to inject malware. Infecting the host’s computer system through browser pop-ups is a common practice. One should be alert when clicking on pop-ups from unknown websites. One can also use ad-blocker tools to block pop-ups and improve digital safety.
Malvertising through Text / banner ads
This is where an attacker deceives an ad network into thinking that it is a legitimate business. Once this is done, the attacker spreads malware throughout the network and on to publisher websites. An example of this is the malvertising attack on Yahoo’s ad network.
One should be careful when dealing with iframes on unknown websites, as they may act as a gateway for malware.
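As an added example (not code from the original article), the following Python performs the kind of publisher-side due diligence described above and in Google’s tips: it scans an ad creative’s HTML for hidden or off-network iframes, scripts loaded from ad servers the publisher has not vetted, client-side redirects, and links straight to installer files such as FLVPlayer.dmg. The allow-listed host name and the redirect regex are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of vetted ad servers, installer extensions a banner must not
# link to (cf. FLVPlayer.dmg), and client-side redirect idioms found in inline script.
ALLOWED_HOSTS = {"ads.example-network.test"}
INSTALLER_EXT = (".dmg", ".exe", ".msi", ".pkg", ".scr")
JS_REDIRECT = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\(", re.I)

def host_of(url):
    return (urlparse(url or "").hostname or "").lower()

class CreativeScanner(HTMLParser):  # parses the markup only; nothing in the creative is executed
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            # Zero-size or hidden iframes are a classic gateway for drive-by payloads.
            if a.get("width") in ("0", "1") or a.get("height") in ("0", "1") or "display:none" in style:
                self.findings.append(f"hidden iframe -> {a.get('src')}")
            elif host_of(a.get("src")) not in ALLOWED_HOSTS:
                self.findings.append(f"iframe from unvetted host -> {a.get('src')}")
        elif tag == "script":
            self._in_script = True
            if a.get("src") and host_of(a.get("src")) not in ALLOWED_HOSTS:
                self.findings.append(f"script from unvetted host -> {a.get('src')}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect -> {a.get('content')}")
        elif tag == "a" and (a.get("href") or "").lower().endswith(INSTALLER_EXT):
            self.findings.append(f"direct installer download link -> {a.get('href')}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and JS_REDIRECT.search(data):
            self.findings.append("inline script performs a client-side redirect")

def scan_creative(html):  # returns the findings for one creative; an empty list means nothing suspicious
    scanner = CreativeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

A publisher could run this over every creative submitted by a new advertiser and hold any creative with findings for manual review before it is distributed to affiliate sites.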
Tools used for malvertising
Neutrino exploit kit
The Neutrino exploit kit is a hacking tool that generally targets the WordPress content management system, compromising the website and its data. It may also compromise visitors to the website.
Angler exploit kit
The Angler exploit kit is a hacking tool used by attackers to compromise a victim’s system. The kit finds loopholes in Adobe Flash Player and subsequently injects malware. It also targets Microsoft Silverlight.
Protection against malvertising
The tips below are proven ways to keep malvertisers at bay:
- Make use of an ad blocker
- Disable or uninstall unused browser plugins
- Be careful with Flash and Java; disable them if you do not actively use them
- Double check the URL of a page before downloading software through it
- Be cautious when clicking on links or banners in emails
- Use a credible anti-virus and keep your system up-to-date