The enduring scourge of malvertising rears up anew

Byron Acohido, 18 March 2019

Threat actors are gaming the online advertising ecosystem to silently spread malware like never before; why it’s up to you to protect yourself.

Malvertising is rearing its ugly head – yet again.

Malicious online ads have surged and retreated in cycles since the earliest days of the Internet. Remember when infectious banner ads and viral toolbars cluttered early browsers?

Historically, with each iteration of malicious ads, the online advertising industry, led by Google, has fought back, and kept this scourge at a publicly acceptable level.

However, malvertising has never been as dynamic, stealthy and persistent as it is today. Here’s what you should know about this enduring online threat:

Gaming the ecosystem

Malvertising has become enmeshed in the highly dynamic online advertising, shopping and banking ecosystem we’ve come to rely on. It has accomplished this by leveraging the openness of the browsers on our go-to computing devices, namely our smartphones and PCs.

Malvertising code often circulates in tiny iframes, the HTML element that embeds a separate document, such as an ad, inside a webpage without changing the page itself. This bad code comes and goes, circulating to even well-known, high-traffic websites as part of the flow of web ads being placed dynamically by the online advertising networks, of which Google is the largest.

Malvertisers game this ecosystem in several ways. There are endless ways for them to hack into websites and ad networks directly. Doors and windows are left wide open in the software applications being rapidly developed to support a swelling army of third-party contractors who supply shopping cart services, data management platforms, retargeting enablement systems, and the like.

“The bad guys are insinuating their malicious code as part of the code that renders on the victim’s device during fulfillment,” says Chris Olson, CEO of the Media Trust, a McLean, VA-based website security vendor. “If you visit a large retail website, you may encounter 100 or 150 third party companies that get access to your computing device. For the most part, no one is really thinking about the security of all of these third-party apps. It’s only lightly monitored.”

Another gambit favored by threat actors is to set up shop as an independent ad network, and then patiently behave as a model citizen in order to gain trust. Once good standing is achieved, the attacker begins to slip malicious ads into the daily flow of the ecosystem.
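For a website publisher, the first step toward monitoring this exposure is an inventory of which outside hosts a page pulls scripts and iframes from, and which of those iframes are too small or hidden to be a visible ad. The sketch below is an added example, not code from the Media Trust or any vendor named here; the sample page and every hostname in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every hostname below is a made-up placeholder.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/cart.js"></script>
<script src="https://tags.adnet-one.example/loader.js"></script>
<iframe src="https://ads.adnet-one.example/slot?id=7" width="300" height="250"></iframe>
<iframe src="https://sync.tracker-two.example/px" width="1" height="1"></iframe>
<iframe src="https://creative.adnet-three.example/r" style="display:none"></iframe>
</body></html>
"""

class ThirdPartyAudit(HTMLParser):
    """Collect script/iframe hosts that are outside the site's own domain."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.hosts = {}         # third-party host -> number of references
        self.tiny_iframes = []  # src of tiny or hidden third-party iframes

    def _is_third_party(self, host):
        own = self.first_party
        return bool(host) and host != own and not host.endswith("." + own)

    @staticmethod
    def _looks_hidden(a):
        # 1x1 or 2x2 frames and CSS-hidden frames cannot be showing an ad.
        dims = [a.get("width", ""), a.get("height", "")]
        small = any(d.isdigit() and int(d) <= 2 for d in dims)
        style = a.get("style", "").replace(" ", "").lower()
        return small or "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not self._is_third_party(host):
            return  # relative URLs and the site's own subdomains are skipped
        self.hosts[host] = self.hosts.get(host, 0) + 1
        if tag == "iframe" and self._looks_hidden(a):
            self.tiny_iframes.append(a["src"])

def audit(html, first_party):
    """Return (third-party host counts, list of tiny/hidden iframe srcs)."""
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    return parser.hosts, parser.tiny_iframes
```

This reads static markup only; frames that ad scripts inject at run time have to be captured from the rendered page, which is why the inventory needs to be repeated rather than taken once.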

Cutting-edge attacks

One recent attack, dubbed PayLeak, targeted consumers using their smartphone browsers to visit the websites of premium newspapers and magazines into which malvertising had been embedded.

Anyone paying a visit to one of these sites received an exploit kit that checked whether the compromised device was an Android or an iPhone; figured out whether the device was protected by antivirus; and took note of whether the device was positioned upright, or lying down.

PayLeak next redirected Android users to a phishing site, using an Amazon gift card giveaway as a lure; iPhone users received successive popups – first an update alert, followed by falsified instructions to update their Apple Pay account.

In yet another recent cutting-edge attack, cybercriminals targeted smaller online retailers with stealthy malware, dubbed CartThief, designed to exploit websites using the open-source Magento ecommerce platform.

CartThief went into action as soon as a user clicked to a checkout page and submitted an online payment; the malware copied, encrypted and sent personal and financial details from the transaction to the attacker’s command-and-control server.

The CartThief attackers pulled this off by rendering an overlay on the victim’s computing device to trick the victim into divulging personal information. The website publisher doesn’t see this, and neither does the financial firm. The transaction actually gets completed. The bad guys walk away with the personal data, leaving the consumer, the publisher and the bank none the wiser.

They then sell the stolen data in batches for whatever the going rate is. Current-day malvertising, amazingly, leverages tools like cookies, data tracking and overlay coding – all of the commoditized software widely and openly available in the online advertising ecosystem.

Campaigns like PayLeak and CartThief highlight how vital it has become for consumers to be cognizant of the fact that the next website they visit could be invisibly booby-trapped, and that it is up to each individual to reduce his or her digital footprint.

Protecting yourself

Here are a few common sense practices to protect yourself from malvertising:

  • Purchase and keep updated robust antivirus protection for all of your smartphones and PCs. AV software will detect and deter exploit kits and scan your devices for any fresh infections.

  • Disable browser plug-ins that you aren’t really using, and change the settings of plug-ins that you do use to “click-to-play.” Criminals know all about plug-ins and they continually tune their exploit kits to seek out ones useful for carrying out malicious activities. It may be inconvenient to use manual settings, but you are also making it more difficult for the attacker.
     
  • Keep your operating systems, your browsers and your plug-ins patched and updated – again, for all of your smartphones and PCs. If you use them online, they’re ripe for attack. Fresh vulnerabilities are discovered all the time, and if you procrastinate, the exploit kits will find you.

  • Consider using an ad blocker. Ad blockers are tricky, and require due diligence. They can reduce your risk, but they can also degrade your user experience below your tolerance level. Ad blockers are improving all the time, but malvertising purveyors can find ways to get around them. That said, criminals are opportunists; they seek out low-hanging fruit. So using an ad blocker can make you less of a target. One to consider: Avast has a good ad blocker in its free Avast Secure Browser product.

The drivers behind this current cycle of malvertising are complex and potent. Google gets it, and is fighting hard. However, all too many website publishers, smaller advertising networks and third-party suppliers don’t appear to fully grasp the mushrooming vulnerabilities of the current ecosystem, much less what they should be doing to make it harder for threat actors.

Presumably they will get enlightened at some point, and this current cycle will decelerate. In the meantime, individual consumers will have to take it upon themselves to keep their guards up – or suffer the consequences.

Talk more soon.


Byron Acohido is a guest blogger on the Avast Blog.