In September 2014, two news sites in Israel fell victim to a malvertising campaign that affected thousands of viewers. One month later, Yahoo! and AOL became victims of a similar campaign. Malvertising concerns me more than the average attack method for several reasons:
Have you counted how many ads are on each web page as you casually browse news articles, or look up that film with what’s-her-name and so-and-so? This article states that the average user saw over 1,000 ads per month in 2012, and one can only assume that this number has increased since then. There’s no easy escape. Malvertising grants attackers access to hundreds of millions of users. Makes you want to install some ad blocking software, doesn’t it?
You’d be pretty hard-pressed to pick out a malicious ad at first glance even if you have “cyber intuition.”
A strict “no-click” policy for web ads isn’t enough to protect you because some malvertisements, like pop-up ads, don’t even require users to click — malware is installed when the ad loads on the page, and the malware could be anything from bots (think zombie computer) to ransomware.
Attackers take advantage of the way an advertising network functions, with its low prices, automatic bidding process, potential for very large audiences via “trusted” sources, and almost nonexistent means for tracking them down.
This is how it works: The attacker, along with legitimate ad buyers, submits advertisement code and the highest price they’re willing to pay to an ad publisher who then uses an ad network to bid on ad space on third-party web sites. The ad network sells each space to the highest bidder on behalf of the web site — this is an automatic selling process that takes milliseconds, and prices are typically less than a dollar. An attacker’s “ad” code is then placed on the web site.
Attackers will typically build a solid reputation for themselves by placing ads with clean code for a few months before injecting them with attack code. Once this happens, the attack has a widespread reach and the potential to infect hundreds of thousands of users and generate hundreds of thousands of dollars for an initial cost that was a mere fraction of that. The malvertisement only needs to be posted for a few days or a few hours before the attacker has the victims he needs, so he’ll then remove the ad altogether.
Creating an industry safeguard against malvertising requires the coordinated effort of ad networks and publishers, as well as pressure from ad hosting web sites. Such cooperation between many parties is difficult to orchestrate unless the problem greatly affects profits. But because ad networks are still being paid for ad space sold to attackers, the impact on the bottom line is revealed much more slowly. Attackers use this process because it’s easy and it works.
Gone are the days when malware only hung out on the bad side of the internet. Cyber threats are out in the open, hiding on real web pages that we trust and frequently visit, using methods honest people intentionally created to improve business, and we must continue to adapt in order to protect our cyber valuables. Attackers are upping their game and focusing their guile on identifying loopholes in commonplace business processes.
Luckily, there are things we at Palo Alto Networks already do to thwart malvertising threats:
Security isn’t something that stops with network architecture and coding practices. Business-to-business processes need it, too. Anything that uses the internet, or an intranet, in the slightest way must be included on the list of potential threat vectors, poked at with a cyber-stick by someone wearing their “if-I-were-a-hacker” hat, and secured accordingly.
For more information on what can happen as a result of a successful malvertisement, check out Dan Kaminsky’s interview with USA Today staff writer, Elizabeth Weise.