Which is a new method of spreading malware by injecting malicious or malware-laden advertisements into genuine online advertising networks and webpages?

One in every 250 ad impressions is still problematic, research suggests

Malvertising is a thorn in the side of legitimate publishers that rely on ads to generate revenue online.

Malvertising involves the abuse of online advertising to spread malware. This typically involves injecting malicious code or malware-laden advertisements into legitimate online advertising networks.

Malicious adverts served through advertising networks can end up being displayed on legitimate websites through pop-ups, drive-by downloads, or redirects to exploit kits. Visitors become diverted to fraudulent domains, phishing pages, and malware payloads as a result of the cybercrime tactic. 

The New York Times, the London Stock Exchange, Forbes, The Onion, and The Daily Mail have all fallen prey to malvertising campaigns in the past.

Cheq, an online ad verification specialist, estimates that marketers will lose $23 billion this year in online ad spending because of fraud. However, advertising networks are increasingly aware of the problem and are attempting to filter out bad ads.

But there’s still more work to be done in order to protect the legitimate advertising ecosystem, according to a new study released on Tuesday by media and publisher protection specialist Confiant.

The Demand Quality Report analyzed a sample of 120 billion ad impressions in Q3 of 2019 and found that malicious adverts, in-banner video, and low-quality advertising continue to plague the industry.

Malicious advert volumes also dropped to 0.15% of overall ad impressions, in comparison to 0.25% in Q2 2019.

This does show progress, but according to Confiant, “one in every 250 impressions was [still] marred by a serious security or quality issue” – a rate that equates to four billion problematic impressions a month based on an average of one trillion ads being served online in the same timeframe.

Slipping past detection

Nearly every ad network improved their detection rates over the quarter, with one surprising exception: Google Ad Exchange.

In previous Confiant reports, the tech giant was the best performer and malicious ad impressions reached no further than 0.02%. That being said, in Q2, violation rates increased by 320% to 0.08%.

“Still, they remain a top performer, with their violation rate coming in at 0.08% vs. 0.15% for all impressions monitored,” the report notes.

There are four “highly sophisticated threat groups” that are responsible for the majority of malvertising attacks in Q3, Confiant claims. These threat actors are known as Scamclub, RunPMK, eGobbler, and Zirconium.

Scamclub uses a “spray and pray” technique, bombarding ad networks with hundreds of malicious ads on a daily basis designed with slight variations and basic obfuscation in the hopes of a small percentage making it past security checks.

eGobbler enjoys exploiting obscure browser vulnerabilities to bypass protections against pop-ups and forced redirects, whereas RunPMK focuses on mobile traffic and attempts to abuse Google Display and Video 360 (DV360).

Zirconium is the most advanced, utilizing browser fingerprinting techniques to target desktop browser sessions and sophisticated JavaScript-based obfuscation.

While bad ad impressions are on the decline, the company notes that in Q3 2018, there was a similar downturn – only for malicious impressions to rocket in Q4.

Confiant anticipates that history will repeat itself this year as fraudsters take advantage of reduced staff levels at ad networks over the holidays.

“Publishers have it tough because with programmatic advertising they usually have little visibility into the true sources of the demand running on their sites,” Eliya Stein, Confiant security engineer, told The Daily Swig.

“Apart from security measures like working with an anti-malvertising vendor, sandboxed iframes, and a strong Content Security Policy, it's important that publishers form relationships with platforms that they can have a quick feedback loop with when issues surface.”

Malvertising is an attack in which perpetrators inject malicious code into legitimate online advertising networks. The code typically redirects users to malicious websites.

The attack allows perpetrators to target users on highly reputable websites, e.g., The New York Times Online, The London Stock Exchange, Spotify and The Atlantic, all of which have been exposed to malvertising.

The online advertising ecosystem is a complex network that involves publisher sites, ad exchanges, ad servers, retargeting networks and content delivery networks (CDNs). Multiple redirections between different servers occur after a user clicks on an ad. Attackers exploit this complexity to place malicious content in places that publishers and ad networks would least expect.

Malvertising vs. Ad malware

Malvertising is typically confused with ad malware or adware—another form of malware affecting online advertisements.

Adware is a program running on a user’s computer. It’s usually packaged with other, legitimate software, or is installed without the user’s knowledge. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.

Differences between malvertising and ad malware include:

  • Malvertising involves malicious code which is initially deployed on a publisher’s web page. Adware, however, is only used to target individual users.
  • Malvertising only affects users viewing an infected webpage. Adware, once installed, operates continuously on a user’s computer.

Malvertising might perform the following attacks on users viewing the malvertisement without clicking it:

  • A “drive-by download” — installation of malware or adware on the computer of a user viewing the ad. This type of attack is usually made possible due to browser vulnerabilities.
  • Forced redirect of the browser to a malicious site.
  • Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing JavaScript.

Malvertising can do the following when users actually click a malicious ad:

  • Execute code that installs malware or adware on the user’s computer
  • Redirect the user to a malicious website, instead of the target suggested by the ad’s content
  • Redirect the user to a malicious website very similar to a real site, which is operated by the attacker—a phishing attack

How malvertisements affect publishers

The threat to publishers is damaged reputation, loss of traffic and revenues, and legal liability for damages caused to users visiting their sites.

While publishers are aware of the problem, they find it difficult to test for or block malicious ads. Ad networks serve ads from millions of advertisers, and display ads dynamically according to real-time bidding, making it very difficult to test all the ads that are actually shown to users.

Examples: How malware is inserted into ads

Attackers use several delivery mechanisms to insert malicious code into ads:

  • Malware in ad calls — when a website displays a page that contains an ad, the ad exchange pushes ads to the user via many third parties. One of these third party servers may be compromised by an attacker, who can add malicious code to the ad payload.
  • Malware injected post-click — when the user clicks on an ad, they are typically redirected between several URLs, ending with the ad landing page. If an attacker compromises any of the URLs along this delivery path, they can execute malicious code.
  • Malware in ad creative — malware can be embedded in a text or banner ad. For example, in HTML5 it is possible to deliver an ad as a combination of images and JavaScript, which might contain malicious code. Ad networks that deliver ads in Flash (.swf) format are especially vulnerable.
  • Malware within a pixel — pixels are code embedded in an ad call or landing page, which send data to a server for tracking purposes. A legitimate pixel only sends data. If an attacker intercepts a pixel’s delivery path, they can send a response, containing malicious code, to the user’s browser.
  • Malware within video — video players do not protect against malware. For example, a standard video format called VAST contains pixels from third parties, which could contain malicious code. Videos can infect users by displaying a malicious URL at the end of the video.
  • Malware within Flash video — videos based on Flash can inject an iframe into the page, which downloads malware, even without having the user click on the video. Flash files might also load a pre-roll banner (a static image that the user can view while the file is loading). Attackers can inject malicious code into the pre-roll banner, and it can run even without the user clicking on the video.
  • Malware on a landing page — even on legitimate landing pages served by reputable websites, there may be clickable elements that execute malicious code. This type of malware is particularly dangerous because users click an ad, land on a real, legitimate landing page, but are infected by a malicious on-page element.

Prevention and mitigation of malvertising

Malvertising is an attack which is difficult to detect and mitigate, and requires action by end users and publishers alike.

How can end-users help mitigate malvertising?

  • Antivirus software can protect against some drive-by downloads or malicious code executed by malvertising.
  • Ad blockers offer good protection against malvertising, because they block all ads, together with their malicious elements.
  • Avoiding the use of Flash and Java can protect users from many vulnerabilities that are commonly exploited by malvertising.
  • Updating browsers and plugins can prevent many malvertising attacks, in particular those which operate before the user clicks the ad.

How can publishers help mitigate malvertising?

  • Carefully vet ad networks and inquire about ad delivery paths and security practices.
  • Scan ad creative intended for display to discover malware or unwanted code.
  • If possible, enforce a policy of only showing specific file types in an ad frame (JPG, PNG, etc.) without allowing JavaScript or other code.
  • Imperva’s Web Application Firewall (WAF) can help protect against some malvertising threats, by using signature, behavioral and reputation analysis to block malicious code execution or requests arriving from non-trusted sources, along the ad delivery chain.
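The creative-scanning and image-only policy above, as an added example that is not code from the article or from Confiant or Imperva: a first-pass static vet of an HTML5 creative before it is admitted to an ad slot. The allowlisted CDN host is a constructed assumption, and the checks are heuristic triage rather than a sanitizer: creatives that pass should still render inside a sandboxed iframe under a strict Content Security Policy, as the article recommends.

```javascript
// Assumed publisher policy; the CDN host name is constructed for this example.
const POLICY = {
  allowedHosts: new Set(["cdn.example-adnetwork.test"]),
  allowedExtensions: new Set([".jpg", ".jpeg", ".png", ".gif"]),
};

// Broad patterns for the vectors the article lists. One match is a finding
// to review, not a final verdict; the goal is to fail closed on anything
// that is not a plain image-plus-clickthrough creative.
const RULES = [
  ["script-tag", /<script\b/i],
  ["inline-handler", /\son[a-z]+\s*=/i],            // onerror=, onload=, ...
  ["iframe", /<iframe\b/i],
  ["plugin-object", /<(object|embed|applet)\b/i],   // Flash and other plugins
  ["meta-refresh", /<meta[^>]+http-equiv\s*=\s*["']?refresh/i],
  ["forced-redirect", /\b(top|parent)\.location\b|location\.(replace|assign)\s*\(/i],
];

function extensionOf(url) {
  const dot = url.pathname.lastIndexOf(".");
  return dot >= 0 ? url.pathname.slice(dot).toLowerCase() : "";
}

function vetCreative(html, policy = POLICY) {
  const findings = RULES.filter(([, re]) => re.test(html)).map(([name]) => name);
  // Fetched assets (src=) must be allowlisted image files served over https.
  // Relative URLs fail to parse and are therefore rejected, deliberately.
  for (const [, raw] of html.matchAll(/\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    let url;
    try { url = new URL(raw); } catch { findings.push(`unparseable-src:${raw}`); continue; }
    if (url.protocol !== "https:") findings.push(`insecure-scheme:${url.protocol}`);
    if (!policy.allowedHosts.has(url.hostname)) findings.push(`unknown-host:${url.hostname}`);
    const ext = extensionOf(url);
    if (!policy.allowedExtensions.has(ext)) findings.push(`disallowed-type:${ext || "(none)"}`);
  }
  // Click-through links (href=) may point at the advertiser's own site, but only
  // over https; this rejects javascript: and data: URLs that would run code on click.
  for (const [, raw] of html.matchAll(/\bhref\s*=\s*["']([^"']+)["']/gi)) {
    let url;
    try { url = new URL(raw); } catch { findings.push(`unparseable-href:${raw}`); continue; }
    if (url.protocol !== "https:") findings.push(`non-https-clickthrough:${url.protocol}`);
  }
  return { allowed: findings.length === 0, findings };
}

// Constructed sample creative: a 300x250 banner with a plain clickthrough.
const SAMPLE_CREATIVE =
  '<a href="https://advertiser.example/landing">' +
  '<img src="https://cdn.example-adnetwork.test/banner.png" width="300" height="250"></a>';
console.log(vetCreative(SAMPLE_CREATIVE)); // { allowed: true, findings: [] }
```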