Malvertising: The Dawn of a New Attack Era

In September 2014, two news sites in Israel fell victim to a malvertising campaign that affected thousands of viewers. One month later, Yahoo! and AOL became victims of a similar campaign. Malvertising concerns me more than the average attack method for a several reasons:

1. It utilizes ad space on any web page that hosts third party ads… so basically most of the Internet.

Have you counted how many ads are on each web page as you casually browse news articles, or look up that film with what’s-her-name and so-and-so? This article states that the average user saw over 1,000 ads per month in 2012, and one can only assume that this number has increased since then. There’s no easy escape. Malvertising grants attackers access to hundreds of millions of users. Makes you want to install some ad blocking software, doesn’t it?

2. Malvertisements are indistinguishable from legitimate ads.

You’d be pretty hard-pressed to pick out a malicious ad at first glance even if you have “cyber intuition.”

A strict “no-click” policy for web ads isn’t enough to protect you because some malvertisements, like pop-up ads, don’t even require users to click— malware is installed when the ad loads on the page, and the malware could be anything from bots (think zombie computer) to ransomware.

3. Repercussions are basically nonexistent because the hosting web site has no control over the ads placed, and the attacker is several times removed from the ad network.

Attackers take advantage of the way an advertising network functions, with its low prices, automatic bidding process, potential for very large audiences via “trusted” sources, and almost nonexistent means for tracking them down.

This is how it works: The attacker, along with legitimate ad buyers, submits advertisement code and the highest price they’re willing to pay to an ad publisher who then uses an ad network to bid on ad space on third-party web sites. The ad network sells each space to the highest bidder on behalf of the web site — this is an automatic selling process that takes milliseconds, and prices are typically less than a dollar. An attacker’s “ad” code is then placed on the web site.

Attackers will typically build a solid reputation for themselves by placing ads with clean code for a few months before injecting them with attack code. Once this happens, the attack has a widespread reach and the potential to inject hundreds of thousands of users and generate hundreds of thousands of dollars for an initial cost was a mere fraction of that. The malvertisement only needs to be posted for a few days or a few hours before the attacker has the victims he needs, so he’ll then remove the ad altogether.

Creating an industry safeguard against malvertising requires the coordinated effort of ad networks and publishers, as well as pressure from ad hosting web sites. Such cooperation between many parties is difficult to orchestrate unless the problem greatly affects profits. But because ad networks are still being paid for ad space sold to attackers, the impact on the bottom line is revealed much more slowly. Attackers use this process because it’s easy and it works.

4. Malvertising as a consumer-based attack method is a shift from the sketchiness seen in spear phishing and packet sniffing to one that’s almost legitimate because it leverages a real business process to do all the hard work normally involved in delivering malware.

Gone are the days when malware only hung out on the bad side of the internet. Cyber threats are out in the open, hiding on real web pages that we trust and frequently visit, using methods honest people intentionally created to improve business, and we must continue to adapt in order to protect our cyber valuables. Attackers are upping their game and focusing their guile on identifying loopholes in commonplace business processes.

Luckily, there are things we at Palo Alto Networks already do to thwart malvertising threats:

• Drive-by download protection alerts users that a download is attempting to take place and requires the user to either allow or deny the download. If a malvertisement tries to auto-download malware, this mechanism gives the user an opportunity to nix it before it happens
• File-blocking profiles restrict the types of files that can be downloaded to only the files that are needed and expected by the user
• WildFire creates new anti-virus protections for unknown malware immediately after it’s seen. Malvertisements attempting to deliver known or unknown malware are detected and blocked
• URL Filtering stops traffic to known malicious web sites and uncategorized web sites. If a malvertisment is clicked, resulting web page is blocked
• Even if malware succeeds in downloading onto your machine, Traps prevents it from installing itself

Security isn’t something that stops with network architecture and coding practices. Business-to-business processes need it, too. Anything that uses the internet, or an intranet, in the slightest way must be included on the list of potential threat vectors, poked at with a cyber-stick by someone wearing their “if-I-were-a-hacker” hat, and secured accordingly.

For more information on what can happen as a result of a successful malvertisement, check out Dan Kaminsky’s interview with USA Today staff writer, Elizabeth Weise.