Malvertising is nothing new. But oftentimes for hackers, what’s old is new again. “Cybersecurity is like a game of whack-a-mole, you punch one threat down, and it pops up someplace else later,” says Max Jennings, a cybersecurity expert in Chicago. Jennings explains that cybersecurity is cyclical: once awareness is raised about a cyber danger, hackers will stop using it.
How old tricks become new again
As awareness of a cyberthreat fades over time, old “tools” become effective again for hackers. “And this is where we are with malvertising. It got a lot of publicity several years ago and when people became aware of the danger, hackers found it less effective, and it faded from the foreground. But here we are again,” Jennings notes.
Spamhaus is reporting a massive spike in malvertising in the first month of 2023, specifically: numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, and Vidar, are being delivered to victims’ machines through bad actors impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, and Thunderbird using Google Ads.
Spamhaus goes on to say: Victims were being lured with impersonator Thunderbird Google Ads, leading to spoofed pages, which, once clicked on, delivered an IcedID payload to the unwitting victim’s device.
“Some of these ads are so specific that you’d never expect them to be malvertising,” Jennings warns.
Best practices for MSPs
So, with all the other threats out there, what can MSPs do to stem the growing threat from malvertising?
“Malvertising, unlike some other attacks, is very human-natured based, so sometimes all the tech tools in the world can’t prevent problems, but that doesn’t mean MSPs should not try,” Jennings advises.
Some data points to malvertising being a more significant issue on weekends and holidays. While offices may be emptier on weekends, security is sometimes more lax as well, so organizations must be sure to keep security on 24/7 alert. Some studies show that as many as one out of every 100 ads carries a malicious payload.
“When you think of how many ads are out there, that’s a high number,” says Jennings. “A lot of it is just bread-and-butter back to basics; however, user training is also vital when it comes to combatting malvertising.”
Steps to preventing malvertisement attacks
Ad blocking: “Just get rid of the ads, problem solved,” Jennings advises. This won’t mitigate every kind of malvertising threat, but it gets rid of the vast majority. But this isn’t possible in every business environment, he explains. “Many businesses want the ads in their ecosystem to monitor consumer behavior and competitor behavior.” Still, consider installing an ad blocker if your client is in a business where serving up ads is of no value.
Content Security Policy (CSP): A CSP can determine which domains can serve content on your website. “What this does is prevents unauthorized scripts from running, and that means users won’t unwittingly download malware,” Jennings says. But many understaffed, overworked IT departments overlook this relatively simple fix.
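As an added illustration of the CSP point above (this is example code written for this article, not something from Spamhaus, Jennings, or any vendor), the following script shows the difference between a permissive `script-src` and a tightened one by evaluating, for a handful of script URLs, whether a browser applying each policy would let the script run. The header strings, the page origin `https://www.example.com`, and hostnames such as `cdn.example.com`, `*.trusted.example`, and `unknown-adnetwork.example` are all constructed for the example. The evaluator covers the common source expressions (`'self'`, `'none'`, `*`, and host sources with optional scheme, port, and wildcard subdomain) and deliberately omits path matching and nonce/hash handling. One caveat worth keeping in mind: a CSP governs what pages on your own site may execute, so it protects visitors to a client’s website; it does not filter the ads a user encounters on other sites.

```python
"""Added example (not from the original article): evaluate whether a CSP
script-src directive permits a given external script URL, and use it to
contrast a permissive policy with a tightened one."""
from urllib.parse import urlsplit

# Two sample policies, constructed for this example.
PERMISSIVE_CSP = "default-src 'self'; script-src * 'unsafe-inline'"
TIGHT_CSP = ("default-src 'self'; "
             "script-src 'self' https://cdn.example.com https://*.trusted.example")

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    """Host-source matching: exact host, or '*.example' for any subdomain (not the apex)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(source: str, page_origin: str, script_url: str) -> bool:
    """Does one source expression permit loading script_url from a page at page_origin?"""
    page, script = urlsplit(page_origin), urlsplit(script_url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (script.scheme, script.netloc.lower()) == (page.scheme, page.netloc.lower())
    if source.startswith("'"):
        # 'unsafe-inline', 'nonce-...', 'sha256-...' govern inline code, not external URLs
        return False
    if source == "*":
        # Bare wildcard: any network origin may serve scripts, which makes the policy hollow
        return script.scheme in ("http", "https")
    # host-source: [scheme://]host[:port][/path]; path matching is omitted (simplification)
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme.lower() != script.scheme:
            return False
    else:
        rest = source
        # Scheme-less host source: page's own scheme, or https as a secure upgrade
        if script.scheme not in (page.scheme, "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    script_port = script.port or DEFAULT_PORTS.get(script.scheme)
    if port and port != "*" and port != str(script_port):
        return False
    return _host_matches(host, script.hostname or "")


def policy_allows_script(header: str, page_origin: str, script_url: str) -> bool:
    """Evaluate the governing directive: script-src, falling back to default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the browser imposes no restriction
    return any(source_allows(s, page_origin, script_url) for s in sources)


def audit(header: str, page_origin: str, urls) -> dict:
    """Map each script URL to whether the policy would let it execute on the page."""
    return {u: policy_allows_script(header, page_origin, u) for u in urls}


if __name__ == "__main__":
    page = "https://www.example.com"
    samples = [  # constructed sample script URLs
        "https://www.example.com/app.js",           # first-party
        "https://cdn.example.com/vendor.js",        # approved CDN
        "https://ads.trusted.example/tag.js",       # approved via subdomain wildcard
        "https://unknown-adnetwork.example/ad.js",  # anything else
    ]
    for name, csp in (("permissive", PERMISSIVE_CSP), ("tight", TIGHT_CSP)):
        print(name, audit(csp, page, samples))
```

Running it shows the permissive policy allowing all four URLs, while the tightened policy allows only the first-party file, the named CDN, and the approved subdomain. The `'unsafe-inline'` keyword in the permissive policy is a second weakness the evaluator does not score, since it concerns inline scripts rather than external URLs.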
Security & awareness training: As is often the case, the cheapest fix is the human fix. “If people are aware that the threat is out there and you lead them through some proper training, you’ll go a long, long way to eliminating the human element,” Jennings suggests.
Themes to emphasize in training should include:
- Ads should look professionally produced; if not, don’t click on them (of course, hackers are getting increasingly sophisticated in their profession, so the ads are looking more and more accurate).
- Don’t click on ads that have spelling errors; this is part of the “professionally produced” theme.
- Don’t view ads that don’t correspond to your recent/typical search history. A user who has never viewed an advertisement for anti-baldness cream should consider such an ad suspicious.
Disable Flash and/or Java: Avoid using Flash and Java. There have been many reported issues with both being used as entry points for malvertising attacks. If you can get by without using them, then do so. “Some businesses can’t do without Java or Flash, but if you can, then by eliminating that, you are eliminating an entry point,” Jennings advises.
MSPs will never eliminate all the threats, Jennings warns, adding, “But what you can do is tilt the odds in your favor and following these steps will greatly reduce chances for a malvertising attack.”
Photo: lumerb / Shutterstock