- Apr 13, 2013
- 3,147
Most people these days ‘know’ about the ‘dangers’ of the Internet and how today’s sophisticated cyber criminals are always on the lookout for new ways to pilfer sensitive personal/customer data, credit card numbers, classified corporate data and more. However, many continue to rely on ‘common sense’ to protect themselves from malicious attacks, such as: staying away from ‘shady’ sites and not clicking on suspicious-looking online advertisements (ads) and links.
Yet, malvertising, where malicious codes are embedded in online ads to infect unsuspecting users, has become one of the fastest growing cyber threats dominating the headlines. Infecting even trusted sites like Yahoo, malvertising throws out the notion that one is ‘safe’ as long as one stays away from sketchy sites and dubious advertisements. In this issue, we look at what malvertising is, how it works, its latest victims, reasons for its success, and what you can do to protect yourself against this increasingly popular attack vector.
The Hard Truth: The Reality about Malvertising
Alarming statistics continue to raise the alarm on why malvertising has become the cyber criminals’ latest sweet spot1:
What is Malvertising
First discovered in 2007, malvertising is a relatively new attack vector where malicious codes are inserted into online ads to distribute malware.
As ad content on high-trafficked web sites are largely outsourced and distributed through third-party ad networks, 5 hackers launch attacks through these networks to stay under the radar. Sometimes, hackers even start with posting legitimate ads on credible websites to gain trust, before inserting malicious code or spyware behind the ads to launch the malware. As one’s naked eyes cannot differentiate between malicious ads and legitimate apps, tools that can detect malvertising become essential.
As a result, websites or web publishers used by ad networks often incorporate malicious ads unknowingly into their pages. When a user lands on these pages, exploit kits, which are tools used by cyber criminals to exploit the vulnerabilities in one’s system, would then execute the embedded malicious code.
According to the Wired magazine, malvertising preys on users’ implicit trust of legit sites to quietly infect users via third-party ad content displayed on users’ browsers – before burrowing subsequently into one’s browsers and PCs. Sometimes, this can be achieved even without users clicking on anything! 6
Latest Victims of Malvertisements
Victim(s)
Date of Cyber Campaign
Attack Techniques and Impact
Nu.ul (most-read Dutch language news portal with more than 50 million visitors in March 2016 alone), Marktplatts.nl (eBay style service website) and up to 288 other websites.10
Weekend of 10th April 2016
Weekend of 11 – 13 March, 2016
Around weekend of 11 – 13 March, 2016
Mid-February 2016 (or earlier)
How Malvertising Works
As explained on Trustwave’s 2016 Global Security Report, there are 3 ways in which malvertisements can be delivered, namely: Click, No-Click and Pop-Under14:
Technique
How it Works
How it Escapes Detection
1. Click: Clicking the ad redirects users to an exploit kit’s landing page.
*Limited effectiveness as it depends on users clicking on the ad to be exposed to the exploit.
*Most dangerous as exploit can be activated without any user interaction.
*User interaction of any form – either clicking on the ad or anywhere on the page – can launch the pop-under window and trigger the exploit.
8 Reasons Why Malvertising is Effective in Causing Havoc
Traditional security tools such as standalone anti-virus software cannot reliably stop malvertising attacks in time. Besides basic security hygiene, such as ensuring your browsers and software are kept up-to-date, what you need is a multi-layered security protection that proactively discovers, blocks and defends your enterprise network, systems and endpoints against today’s Internet-borne threats.
Yet, malvertising, where malicious codes are embedded in online ads to infect unsuspecting users, has become one of the fastest growing cyber threats dominating the headlines. Infecting even trusted sites like Yahoo, malvertising throws out the notion that one is ‘safe’ as long as one stays away from sketchy sites and dubious advertisements. In this issue, we look at what malvertising is, how it works, its latest victims, reasons for its success, and what you can do to protect yourself against this increasingly popular attack vector.
The Hard Truth: The Reality about Malvertising
Alarming statistics continue to raise the alarm on why malvertising has become the cyber criminals’ latest sweet spot1:
- The Media Trust’s research reveals that the number of new malware programmes detected every day is at a staggering 400,000.2
- The Interactive Advertising Bureau (IAB) reported a 260% increase in malvertising in first six months of 2015.3
- The FBI reported that cyber criminals are earning approximately US $325 to 500 million yearly through these scams.4
What is Malvertising
First discovered in 2007, malvertising is a relatively new attack vector where malicious codes are inserted into online ads to distribute malware.
As ad content on high-trafficked web sites are largely outsourced and distributed through third-party ad networks, 5 hackers launch attacks through these networks to stay under the radar. Sometimes, hackers even start with posting legitimate ads on credible websites to gain trust, before inserting malicious code or spyware behind the ads to launch the malware. As one’s naked eyes cannot differentiate between malicious ads and legitimate apps, tools that can detect malvertising become essential.
As a result, websites or web publishers used by ad networks often incorporate malicious ads unknowingly into their pages. When a user lands on these pages, exploit kits, which are tools used by cyber criminals to exploit the vulnerabilities in one’s system, would then execute the embedded malicious code.
According to the Wired magazine, malvertising preys on users’ implicit trust of legit sites to quietly infect users via third-party ad content displayed on users’ browsers – before burrowing subsequently into one’s browsers and PCs. Sometimes, this can be achieved even without users clicking on anything! 6
Latest Victims of Malvertisements
Victim(s)
Date of Cyber Campaign
Attack Techniques and Impact
Nu.ul (most-read Dutch language news portal with more than 50 million visitors in March 2016 alone), Marktplatts.nl (eBay style service website) and up to 288 other websites.10
Weekend of 10th April 2016
- Exposed millions to poisoned ads.
- Loaded external scripts that redirect towards an exploit kit.
- Angler exploit kit used to spread malware such as the CrytoWall 4.0 ransomware.
Weekend of 11 – 13 March, 2016
- Delivered malware through multiple ad networks.
- Leveraged several vulnerabilities, including recently-patched flaw in Microsoft’s Silverlight (discontinued in 2013).
- Infected ad redirected users to servers hosting the malware, including the widely-popular Angler exploit kit.
- Attempted to infiltrate users’ computers through any back door to install a cryptolocker-style software. This encrypts users’ hard disks and demands for a payment in bitcoin for a key to unlock it (ransomware).
Around weekend of 11 – 13 March, 2016
- New technique using Angler exploit kit, which has been detected to compromise over 90,000 websites.9
- In this campaign, the cyber criminals have acquired the expired domain of a small but reputable advertising agency to provide exploit kit with “high quality traffic from popular websites that published their ads directly”.
- Used a JavaScript with more than 12,000 lines of code, designed to look for security products and tools. If any of these tools were found, the malware would shut down. Otherwise, it would append an iframe to the HTML, which leads to the Angler exploit kit.
- Victims were infected with the Bedep Trojan and Teslacrypt ransomware.
Mid-February 2016 (or earlier)
- First example of an exploit kit that has successfully installed malicious apps on a mobile device without any user interaction.
- Malicious ad contained JavaScript code that exploited a previously known vulnerability (lbxslt) to deliver an Android exploit Towelroot, which in turn installed the ransomware, called Dogspectus or Cyber.Police.12
- Ransomware delivered via a malicious ad, without requiring action by the victim.
- Instead of encrypting user files, like other typical ransomware, this one displays a fake warning from law enforcement agencies, warning victims on the need to pay a fine due to illegal activity detected on device.
- Malicious ad placed on Yahoo, designed to seize users’ computers to mine for bitcoin.
- In 1 hour, 300,000 users were exposed to malicious ad. 9 percent or 27,000 users were compromised.
How Malvertising Works
As explained on Trustwave’s 2016 Global Security Report, there are 3 ways in which malvertisements can be delivered, namely: Click, No-Click and Pop-Under14:
Technique
How it Works
How it Escapes Detection
1. Click: Clicking the ad redirects users to an exploit kit’s landing page.
*Limited effectiveness as it depends on users clicking on the ad to be exposed to the exploit.
- Create a legitimate-looking ad that leads to an exploit landing page.
- This landing page contains exploits for vulnerabilities in browsers and popular browser add-ons.
- Once clicked, the exploit launches the malware.
- HTML and media assets for the ad and its home page are typically stolen from a legitimate advertiser.
- Starts with a harmless ad, which is altered only shortly after the ad buy has been placed, to escape detection.
- Exploits are delivered after redirecting the user through multiple pages before landing on a malicious landing page, to escape detection by security systems.
*Most dangerous as exploit can be activated without any user interaction.
- Exploit built into a flash-based ad.
- Anyone visiting a page containing the ad, with a Flash Player that is unpatched, is vulnerable to the exploit without clicking on anything.
- Starts with a harmless ad.
- This ad will be subsequently altered in either of these 3 ways:
- Substituted by a new version uploaded to the ad server.
- Or by changing the html of the inline frame that hosts the ad to point to a different Flash file.
- Flash file scripted to display no malicious behaviour, until a target date or time has passed (eg. Launch malicious on the 5th of every month or every 10th user who visits the site).
*User interaction of any form – either clicking on the ad or anywhere on the page – can launch the pop-under window and trigger the exploit.
- When a user uses a vulnerable browser or plugin to load the contents of the pop-under window, the exploit would be triggered.
- Clicking anywhere on the page, not just the ad, can also launch the pop-under window.
- Launches an exploit landing page from a pop-under window, which is triggered by script on the page.
8 Reasons Why Malvertising is Effective in Causing Havoc
- Relies on Trusted Destination as a Lure15: One’s guards are usually ‘down’ when using trusted and commonly-used websites or portals (eg. Google.com, Reuters.com, Yahoo.com). When one lands on these popular websites, the device actually connects to many other URLs to accept pop-ups, video files and unfortunately, stealthier URLs. Malvertising plays on users’ implicit trust on these sites to infect them via third-party malvertisements.
- Hiding under the cloak of anonymity16: Ad networks rotate content regularly to meet their obligations to ad buyers. Even with security forensic investigation, it is not possible to pinpoint the specific ad content a third-party ad network might be displaying on one’s site at any one time.
- Works even without users clicking on them: With exploits built into a flash-based ad, anyone visiting a page with an unpatched Flash Player would be exposed to the exploit — even without clicking on the ad or the page.
- Takes advantage of overlooked patches: Malvertisements are stealthy by taking advantage of overlooked patches in browsers or third-party applications like Flash Player, Adobe Reader etc.
- Malicious payload only enabled after a date/time delay17: Malvertisements can be “programmed” to attack only at specific times (eg. A delay of several days after the ad buy has been approved; or to attack every 10th user who views the ad etc).
- Clever in evading legacy security solutions: Unlike traditional security tools where the URLs of bogus or malicious sites can be ‘blocked’, security tools are unable to pre-empt a malvertising attack by blacklisting official sites like Yahoo.com etc. Malicious ads also use sophisticated technologies such as underground testing services and encryption services to avoid detection and ‘protect’ itself. 18
- Leveraging sophisticated profiling capabilities to target “right” victims19: Ad networks allow buyers to configure ads to appear to target customers by setting parameters such as country locations, gender, income level and even choice of browser, operating system etc. Today’s savvy cyber criminals are hopping on the bandwagon to leverage these sophisticated profiling capabilities to go after the ‘right’ victims that may be high net worth individuals with the capabilities to pay the ‘ransom’ they are asking for.
- Malvertising is cheap and customisable20: Cyber criminals often purchase thousands of impressions for their ads for as cheap as a few dollars. By leveraging the abovementioned profiling capabilities, cyber criminals can filter out unwanted traffic without paying for it or choose to pay more to target a certain type of traffic.
Traditional security tools such as standalone anti-virus software cannot reliably stop malvertising attacks in time. Besides basic security hygiene, such as ensuring your browsers and software are kept up-to-date, what you need is a multi-layered security protection that proactively discovers, blocks and defends your enterprise network, systems and endpoints against today’s Internet-borne threats.
