- Apr 13, 2013
- 3,144
Part 2 is here: https://www.wired.com/insights/2014/12/why-malvertising-is-cybercriminals-latest-sweet-spot-part-2/
but both parts are rendered below:
Of all the cyber threats driving headlines, malvertising – seeding malicious code in online advertisements to infect unsuspecting users – might be the most jarring and difficult for many Web surfers to fathom. No one expects to get infected with malware when they visit trusted sites like YouTube or Reuters – hardly the seedy sides of the Web. Yet attackers are preying on users’ implicit trust of these sites to infect them via the third-party ad content quietly displaying on these pages and sometimes burrowing into viewers’ browsers and PCs, before they even click on anything.
Malvertising is a tough problem to solve and its unsettling prevalence requires a concerted defense effort spanning a lot of stakeholders, including Web site operators, ad networks themselves and consumer and business audiences worried about protecting personal information and staving off the next data breach. Before you fire up your browser and jump into your daily bookmarks, it is important to understand why malvertising is a growing “sweet spot” for cyber criminals who easily turn new aspects of the Web to nefarious purposes.
Malvertising contradicts basic Web safety tips security experts have drilled into our heads – such as “Stay away from ‘sketchy’ Web sites if you don’t want to pick up malware.” This is because mainstream, high-trafficked Web sites today outsource the ad content on their pages to a vast array of third-party ad networks, including household names like Google (DoubleClick) to start-up providers and others well under the radar. As anyone who has used Disconnect’s browser plug-in knows, when you land on any popular Web site, your device is actually connecting to dozens of other URLs, imperceptibly, as Web browsers accept connections to render popup-ups, video files and even stealthier interactions. Most people would never willfully download all this arbitrary code if blindly prompted by a Web site, but this happens unwittingly or for the sake of convenience every time we go online.
The net effect of advertising’s influence on Web content is that the reputation of destination sites’ URLs is almost irrelevant from a security and screening perspective. Malvertising attacks rely on a trusted destination as a lure, before springing attacks from a myriad of other, hidden domain addresses the minute someone lands on a site to catch up on sports scores or movie trailers. Low recognition of this indirect attack method is the first advantage malvertising has in getting a jump on victims.
Anonymity is another advantage for malvertisers. If a victim – or their employer – even realizes a device has been infected, the forensic trail usually “goes cold” at the site that served the malicious ads. This is because site operators often have no knowledge of malware on their own domain – nor visibility into what type of ad content a third-party ad network might have been displaying on their site at any given time. Ad networks rotate content extremely fast and ads can be purchased with stolen or obfuscated account information and funds, so even when a malicious ad is pinpointed in an investigation it can be practically impossible to prove who actually placed the malicious ad order.
After effectiveness and anonymity, a smart attacker wants to be able to target the “right” types of victims. Accordingly, it is modern, more sophisticated ad networks’ granular profiling capabilities that really create the malvertising sweet spot.
Today ad networks let buyers configure ads to appear according to Web surfers’ precise browser or operating system types, their country locations, related search keywords and other identifying attributes. Right away we can see the value here for criminals borrowing the tactics of savvy marketers.
An attacker wishing to go after U.S. federal government employees, for example, could rig a malicious ad that only appears when major ad networks see someone in the U.S. using an older version of Internet Explorer (IE) on Windows XP, for example and typing “extended support for Windows XP government” or “government travel allowance” into a search engine. Similarly, an attacker looking to compromise certain high value victims can emplace malicious ads configured to appear in front of attorneys, scientists or other individuals who might be keyword-searching hotel rates at sensitive industry conferences or other gatherings. As the fight against phishing has taught us, if you use familiar and comfortable jargon, geography and other nuances in your socially-engineered attack, you are much more likely to hit the target.
Piggybacking on rich advertising features, malvertising offers persistent, Internet-scale profiling and attacking. The sheer size and complexity of online advertising – coupled with the Byzantine nature of who is responsible for ad content placement and screening – means attackers enjoy the luxury of concealment and safe routes to victims, while casting wide nets to reach as many specific targets as possible.
For further evidence of malvertising’s appeal, consider that attackers are actually putting up money for these malicious ad purchases, suggesting they are enjoying lucrative ROI on their ad spending. Cyber crime rings are brutally efficient and do not bother with unnecessary effort, cost and exposure, so we have to assume malvertising offers them an edge they cannot gain elsewhere. One benefit for malvertisers is that almost no organization or security vendor can readily pre-empt a malvertising attack by blacklisting sites like Reuters.com and the same goes for Web portals users visit to access Web applications.
Security is always a game of measure vs. countermeasure and malvertising is no exception. Now that smart attackers have discovered how to twist the nature of the online advertising to their criminal ends, awareness and a number of responses are necessary to counter the threat.
Malvertising will thrive as long as it is worth attackers’ money, meaning the Web’s large population of unaware or otherwise susceptible victims will remain at risk. The complexity of the threat means there is no single solution, but important steps can be taken across the board.
First, the ad networks need to do a better job of policing content they display. When even the largest and well-resourced ad networks, like Google’s, are found to be aiding attackers, it should sound a call-to-action for the entire industry. Online advertising underpins a huge slice of the Web economy, so it is obviously against many diverse stakeholders’ interests for the public to increasingly associating online ads with malware and abuse.
Secondly, the reputable, high-traffic sites regrettably implicated in malware attacks – because of ad content on their pages that they fundamentally cannot control – will likely press for better content screening at the ad networks’ side. It is conceivable they will even vote with their wallets and prefer to do business with demonstrably more secure ad partners.
Third, individuals and organizations need to keep focusing on awareness of the problem and can turn to a few safeguards, regardless of whether the security of ad networks improves. There are browser settings and plug-ins like AdBlock, for example, which block the dynamic scripts and quiet connections ads use to display dangerous content. However, these changes have the side effect of also disabling useful features and interfaces on popular sites as well, making them not worth the effort for some users.
In recent research, many traditional PC defenses like anti-virus and other endpoint protection software cannot reliably stop malvertising attacks. This is because these tools frequently cannot determine in time whether a Flash-powered banner ad, for example (which is not defined as malicious, itself), is simply serving ad content or something more sinister.
When you consider malvertising-linked outrage, financial losses and device restoration/clean-up costs, you have to agree that the Web’s malicious actors have – unsurprisingly, yet again – proven adept at turning e-commerce’s latest features to their own, criminal ends. Attackers are banking on the reality that we cannot block every ad or hold every ad network to any kind of uniform security screening.
It is therefore even more urgent for influential ad industry figures to step-up in response and for CIOs and CISOs to recognize and account for malvertising in the array of threats facing their devices and employees. Without focused action to curtail malvertising, we may soon long for the days when ads only planted songs in our heads instead of malware in our devices.
but both parts are rendered below:
Of all the cyber threats driving headlines, malvertising – seeding malicious code in online advertisements to infect unsuspecting users – might be the most jarring and difficult for many Web surfers to fathom. No one expects to get infected with malware when they visit trusted sites like YouTube or Reuters – hardly the seedy sides of the Web. Yet attackers are preying on users’ implicit trust of these sites to infect them via the third-party ad content quietly displaying on these pages and sometimes burrowing into viewers’ browsers and PCs, before they even click on anything.
Malvertising is a tough problem to solve and its unsettling prevalence requires a concerted defense effort spanning a lot of stakeholders, including Web site operators, ad networks themselves and consumer and business audiences worried about protecting personal information and staving off the next data breach. Before you fire up your browser and jump into your daily bookmarks, it is important to understand why malvertising is a growing “sweet spot” for cyber criminals who easily turn new aspects of the Web to nefarious purposes.
Malvertising contradicts basic Web safety tips security experts have drilled into our heads – such as “Stay away from ‘sketchy’ Web sites if you don’t want to pick up malware.” This is because mainstream, high-trafficked Web sites today outsource the ad content on their pages to a vast array of third-party ad networks, including household names like Google (DoubleClick) to start-up providers and others well under the radar. As anyone who has used Disconnect’s browser plug-in knows, when you land on any popular Web site, your device is actually connecting to dozens of other URLs, imperceptibly, as Web browsers accept connections to render popup-ups, video files and even stealthier interactions. Most people would never willfully download all this arbitrary code if blindly prompted by a Web site, but this happens unwittingly or for the sake of convenience every time we go online.
The net effect of advertising’s influence on Web content is that the reputation of destination sites’ URLs is almost irrelevant from a security and screening perspective. Malvertising attacks rely on a trusted destination as a lure, before springing attacks from a myriad of other, hidden domain addresses the minute someone lands on a site to catch up on sports scores or movie trailers. Low recognition of this indirect attack method is the first advantage malvertising has in getting a jump on victims.
Anonymity is another advantage for malvertisers. If a victim – or their employer – even realizes a device has been infected, the forensic trail usually “goes cold” at the site that served the malicious ads. This is because site operators often have no knowledge of malware on their own domain – nor visibility into what type of ad content a third-party ad network might have been displaying on their site at any given time. Ad networks rotate content extremely fast and ads can be purchased with stolen or obfuscated account information and funds, so even when a malicious ad is pinpointed in an investigation it can be practically impossible to prove who actually placed the malicious ad order.
After effectiveness and anonymity, a smart attacker wants to be able to target the “right” types of victims. Accordingly, it is modern, more sophisticated ad networks’ granular profiling capabilities that really create the malvertising sweet spot.
Today ad networks let buyers configure ads to appear according to Web surfers’ precise browser or operating system types, their country locations, related search keywords and other identifying attributes. Right away we can see the value here for criminals borrowing the tactics of savvy marketers.
An attacker wishing to go after U.S. federal government employees, for example, could rig a malicious ad that only appears when major ad networks see someone in the U.S. using an older version of Internet Explorer (IE) on Windows XP, for example and typing “extended support for Windows XP government” or “government travel allowance” into a search engine. Similarly, an attacker looking to compromise certain high value victims can emplace malicious ads configured to appear in front of attorneys, scientists or other individuals who might be keyword-searching hotel rates at sensitive industry conferences or other gatherings. As the fight against phishing has taught us, if you use familiar and comfortable jargon, geography and other nuances in your socially-engineered attack, you are much more likely to hit the target.
Piggybacking on rich advertising features, malvertising offers persistent, Internet-scale profiling and attacking. The sheer size and complexity of online advertising – coupled with the Byzantine nature of who is responsible for ad content placement and screening – means attackers enjoy the luxury of concealment and safe routes to victims, while casting wide nets to reach as many specific targets as possible.
For further evidence of malvertising’s appeal, consider that attackers are actually putting up money for these malicious ad purchases, suggesting they are enjoying lucrative ROI on their ad spending. Cyber crime rings are brutally efficient and do not bother with unnecessary effort, cost and exposure, so we have to assume malvertising offers them an edge they cannot gain elsewhere. One benefit for malvertisers is that almost no organization or security vendor can readily pre-empt a malvertising attack by blacklisting sites like Reuters.com and the same goes for Web portals users visit to access Web applications.
Security is always a game of measure vs. countermeasure and malvertising is no exception. Now that smart attackers have discovered how to twist the nature of the online advertising to their criminal ends, awareness and a number of responses are necessary to counter the threat.
Malvertising will thrive as long as it is worth attackers’ money, meaning the Web’s large population of unaware or otherwise susceptible victims will remain at risk. The complexity of the threat means there is no single solution, but important steps can be taken across the board.
First, the ad networks need to do a better job of policing content they display. When even the largest and well-resourced ad networks, like Google’s, are found to be aiding attackers, it should sound a call-to-action for the entire industry. Online advertising underpins a huge slice of the Web economy, so it is obviously against many diverse stakeholders’ interests for the public to increasingly associating online ads with malware and abuse.
Secondly, the reputable, high-traffic sites regrettably implicated in malware attacks – because of ad content on their pages that they fundamentally cannot control – will likely press for better content screening at the ad networks’ side. It is conceivable they will even vote with their wallets and prefer to do business with demonstrably more secure ad partners.
Third, individuals and organizations need to keep focusing on awareness of the problem and can turn to a few safeguards, regardless of whether the security of ad networks improves. There are browser settings and plug-ins like AdBlock, for example, which block the dynamic scripts and quiet connections ads use to display dangerous content. However, these changes have the side effect of also disabling useful features and interfaces on popular sites as well, making them not worth the effort for some users.
In recent research, many traditional PC defenses like anti-virus and other endpoint protection software cannot reliably stop malvertising attacks. This is because these tools frequently cannot determine in time whether a Flash-powered banner ad, for example (which is not defined as malicious, itself), is simply serving ad content or something more sinister.
When you consider malvertising-linked outrage, financial losses and device restoration/clean-up costs, you have to agree that the Web’s malicious actors have – unsurprisingly, yet again – proven adept at turning e-commerce’s latest features to their own, criminal ends. Attackers are banking on the reality that we cannot block every ad or hold every ad network to any kind of uniform security screening.
It is therefore even more urgent for influential ad industry figures to step-up in response and for CIOs and CISOs to recognize and account for malvertising in the array of threats facing their devices and employees. Without focused action to curtail malvertising, we may soon long for the days when ads only planted songs in our heads instead of malware in our devices.
