Online advertisements can be irresistible. With a TV ad, you have to endure a 30-second spot pushing Corn Flakes or denture cream, whether you have any interest in those items or not. Online ads, however, are targeted to your interests.

That’s a boon to advertisers, but also a goldmine for hackers looking for a way into an enterprise’s system. Hackers can monitor a person’s online activity and create special “ads” for each individual.

Wired Magazine recently highlighted this growing threat, and ThreatPost reports that over 100 million ads have been compromised in a massive malvertising campaign with payloads of varying nefarious levels.

This threat is not brand new, however. Cisco’s 2013 Annual Security Report highlighted that clicking on ads was 182 times more likely to install a virus on a user’s computer than surfing the Internet for porn.

Malvertising payloads are diverse

Malvertising can offer up anything from ransomware to trojans, bots, or spyware. Some commercial campaigns are simply sham ads trying to rack up clicks and views to fill the coffers of companies that exist only to collect revenue from the advertising ecosystem. Ad blockers can provide relief, but they starve the system of legitimate revenue.

Online advertising is ubiquitous and multilayered. Because of this, an MSP has a limited number of tools to combat the dangers of infected ads, as University of Delaware electrical and computing engineering professor Chase Cotton explains.

“Advertisements live on the web and will draw classic web vulnerabilities,” notes Cotton, pointing to outdated and unpatched browsers as particularly vexing. Many browsers allow arbitrary execution of code.

Cotton recognizes that some people have legitimate reasons for using outdated and unpatched browsers with vulnerabilities. Cotton was a longtime fan of Firefox’s “session manager,” which ran on versions 57 or lower, but staying on those versions provided exposure to vulnerabilities. The dependence on JavaScript is also a potential chokepoint.

“Those are the vectors that would allow a bad guy to put content up on a web page or ad content. That is how they would do malicious things to machines,” details Cotton.

Protecting yourself is key

The only precaution you can take is to interact only with known brands and high-quality content. When you see an ad pushing something tempting, rip a page from the old “phone fraud protection” book. If someone claiming to be from your bank calls, a smart move would be to take their name and call them back yourself.

You can do that with an enticing online ad. Instead of clicking, Google that new router and go to the site yourself to take advantage of the special.

“Otherwise, there is not a whole lot in the tool kit. You have all kinds of content blocking firewalls, but those are increasingly having diminishing returns since so much is encrypted under HTTPS,” warns Cotton.

“Unless you are in a very controlled environment, your firewall can’t see the bad content anyway. Many people use a filtered DNS to offset some of this,” explains Cotton, adding that MSPs can visit threat intelligence clearinghouses like AlienVault or Spamhaus for lists of bad actor sites. The DNS filter can be set up so that if enterprise employees visit any of these sites, they are pointed to a dead end.

“Even that won’t work forever,” predicts Cotton, pointing to increased privacy regulations intended to make DNS data less susceptible to leakage.
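The filtered-DNS approach described above, as an added example that is not part of the original article: a Python sketch that cleans a threat-intelligence domain feed and turns it into DNS Response Policy Zone (RPZ) records, where `CNAME .` tells an RPZ-capable resolver to answer NXDOMAIN (the "dead end"). The use of RPZ, the function names, the allowlist, and the sample feed are assumptions made for illustration; the zone's SOA/NS header is left to the resolver's own configuration.

```python
import re

# Constructed sample feed (not real indicators): bare domains, hosts-file
# lines, a comment, a duplicate, a URL, junk text and a bare IP address.
SAMPLE_FEED = """\
# constructed blocklist sample
ads.badcdn.example
0.0.0.0 tracker.malvert.example
ADS.BADCDN.EXAMPLE.
http://click.evil-ads.example/landing?id=1
not a domain
192.0.2.10
portal.customer.example
"""

LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(line):
    """Return a lowercase hostname from one feed line, or None if unusable."""
    fields = line.split("#", 1)[0].lower().split()
    if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
        fields = fields[1:]                      # hosts-file style entry
    if len(fields) != 1:
        return None
    entry = re.sub(r"^[a-z][a-z0-9+.-]*://", "", fields[0])  # drop URL scheme
    host = re.split(r"[/:?]", entry, maxsplit=1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or len(host) > 253 or labels[-1].isdigit():
        return None                              # single label, too long, or an IP
    return host if all(LABEL.fullmatch(l) for l in labels) else None

def related(a, b):
    """True if a and b are the same name or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def build_rpz(feed_text, allowlist=()):
    """Return RPZ records answering NXDOMAIN for each feed domain and its subdomains."""
    allow = {a.lower().rstrip(".") for a in allowlist}
    hosts = {normalize(line) for line in feed_text.splitlines()} - {None}
    # A wildcard block also catches allowlisted names below it, so skip both directions.
    blocked = sorted(h for h in hosts if not any(related(h, a) for a in allow))
    records = []
    for host in blocked:
        records += [f"{host} CNAME .", f"*.{host} CNAME ."]   # "CNAME ." = NXDOMAIN
    return records

if __name__ == "__main__":
    print("\n".join(build_rpz(SAMPLE_FEED, allowlist=["customer.example"])))
```

The allowlist check matters in practice: a single bad feed entry for a customer's own domain would otherwise take that customer's sites offline for every user behind the resolver.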

Good housekeeping seal of approval

In enterprises where there is robust central IT control over end-user machines, and those units aren’t privileged, malware installation usually isn’t an issue. In places with a lot of unknown users, such as hospitals and universities, there’s not much control that can be exercised (other than what most sites have already done, which is creating guest networks and basic protections).

Employers that require staff to use a VPN at home can also inadvertently create a conduit because any malware installed on a person’s home computer could then have a direct line into the network.

Cotton isn’t hopeful that the recent resurgence of malvertising is a fluke.

“I am not very optimistic, as advertising is the primary method to monetize online endeavors,” admits Cotton.

Where there is money, there is crime. Plus, the online advertising ecosystem has become so large and so complex that it’s effortless to hide in the shadows and cause problems.

“Coming up with a good housekeeping style seal of approval for ads would be near impossible,” states Cotton, as there are just too many of them.

The only silver lining is that creating a malware campaign is a bit more labor-intensive than garden-variety phishing expeditions. Criminals chasing after a quick buck might be more inclined to shy away from using malvertising. When it works, it can give a hacker unfettered access to an enterprise.

“It’s all about getting someone to click on something they shouldn’t,” explains Cotton. That describes one of the most critical actions that MSPs need to try to prevent. In the end, an online advertisement for $49 flights to a favorite vacation spot might prove too tempting to avoid clicking.

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
