Each year brings new threats, evolutions of old ones, and the typical arms-race between the good guys and the bad guys. One of the virtual battlefields expected to be active this year based on end-of-2019 trends: online advertising.

While malvertising had been on the decline in recent years, some security experts are expecting it to come roaring back in 2020, and MSPs should be on guard. A strategically placed malvertising campaign can result in reputational damage, data breaches, and network exploitation. MediaPost rang in 2020 with this warning:

“Ad threats — not to be confused with ad fraud that defrauds marketers into paying for fraudulent ad views — will become the tool for hackers in 2020.”

MSPs have enough on their security plate, between being chronically short-staffed and monitoring the increasing attack surfaces that IoT brings with it, that they could be forgiven for letting innocuous ads slip below the radar. The problem is that the ads are anything but harmless.

How malvertising has changed

It used to be that malware-infected advertising would arrive in someone’s email box, but increasingly effective security has forced the threat to evolve.

“With ever-increasing and better spam filters and awareness about threats, it has become almost impossible to scam people on that medium. So, they have moved to a new medium: online advertising,” observes Ad Energizer CEO, Muhammad Waqar Akram.

Subscribe to SmarterMSP.com

Akram says that in 2020 the threat from advertising lies in the complex web of ad networks and exchanges which place ads on websites. Some lesser-known players in the business don’t filter ads for malvertising. These exchanges often spread torrents and questionable content. But don’t think that just educating people to not click on the ads is enough.

“It is important to know that even if they don’t click on ads, usually the pop up opens, taking them to a website that quickly downloads cookies in the browser, which make the system vulnerable,” informs Akram.

Once that occurs, vulnerabilities are exploited. Akram cites a study published by Google that found that thousands of iPhones were made vulnerable by malicious cookies and then hackers gained access to a phone’s data by hooking up the cookies with other system weaknesses.

Security Boulevard warns of the changing nature of malvertising, having moved to the ad exchanges instead of email:

“Using distributed ad networks to serve up malicious ads on legitimate websites is catching victims by surprise and enabling cybercriminals to lure more intended targets to their malware.”

Even marquee names like the New York Times have been caught up in serving up bad ads.

There are also issues of privacy that can be exploited. Data breaches at smaller companies that harvest advertiser and consumer information can use that to tailor socially engineered malicious campaigns.

So, what can MSPs do?

MSPs have tools at their disposal to push back this threat in 2020. Between a robust patch management campaign, user education, firewalls, and network monitoring, malvertising can be neutralized.

Akram recommends filters and firewalls be placed to limit the number of websites that can be accessed from a workplace.

“It is important to have an allowed website filter than a blocking filter as hundreds of malicious websites are created every month,” advises Akram, which would render a blocking mechanism irrelevant. Other tools like Barracuda Content Shield help determine which websites are secure and which ones are not.

If a company has concerns about the privacy of workplace employees and data, switching to a privacy-friendly browser is a good option. Akram recommends Brave.

“Brave is a chromium-based browser, so it has a similar interface to Chrome, but it is very good at forcing websites not to track your online activity,” notes Akram. Privacy-friendly browsers are also excellent at securing data as it is backed up as a peer to peer network, instead of being backed up on a server.

Are some ads worse than others?

The big players in the online ad business, such as Google, Facebook, and Amazon, are generally safe. It’s the newer and smaller companies serving up ads that need to be monitored. These newer players often find themselves with clients who are spending thousands of dollars that they don’t want to lose, even if they are serving up bad ads.

Akram points out, “There are checks and balances in place to keep websites safe from this.”

Akram says Google Ad Manager usually detects malvertising if ads are placed through it and blocks any such creatives. However, if websites use their tags directly, then the users are more vulnerable.

As 2020 unfolds, MSPs have one other thing to put on their list to monitor: online ads. The cost of not doing so could be costly.

Photo:  SimplyDay / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *