Cybercriminals are increasingly posting malicious ads on legitimate websites to obtain data and spread malware. Discover how malvertising works and what you can do to protect your business from it.
Cybercriminals do not take holidays off — in fact, they often use them to their advantage. That’s how a group of hackers celebrated President’s Day in the United States. They launched a massive malicious advertising (malvertising) campaign that involved more than 800 million ad impressions on legitimate websites between February 16-19, 2019, according to Confiant security researchers. The ads were designed to trick users into entering personal and financial information in order forms for fake products.
A Serious Problem
Malvertising is a serious problem. Avast notes that it is one of the top five endpoint threats affecting small businesses. That’s because cybercriminals are increasingly posting malvertising on legitimate websites in order to:
- Obtain sensitive data. As in the President’s Day campaign, hackers use malvertising to obtain sensitive data, such as payment card or bank account information.
- Deliver exploit kits. These kits are designed to find known vulnerabilities in systems. If a vulnerability is found, it is used to install malware or carry out other types of malicious activities.
- Deliver malicious payloads directly. Pop-up ads, for example, can deliver malware as soon as they appear or after people click the “X” button to close them.
The Devious Ways in Which Malvertising Works
To understand how malvertising works, you need to know how web browsers render web pages. When you visit a web page, your browser automatically receives the page’s content so it can display the page. So, for example, when you visit your favorite business news website, all the articles, pictures, ads (malicious or not), and other elements on the page are automatically sent to your browser.
What the malvertising does next depends on whether it includes malicious code. For instance, suppose hackers want to deliver an exploit kit. One way they can do this is to create ads that try to lure you into clicking a link. The ad itself does not contain any malicious code. However, if you click the link, you will be sent to a server that delivers an exploit kit. If the kit finds a vulnerability, it is used to install malware on your device.
Even worse, some malicious ads deliver exploit kits without you doing anything other than going to your favorite website. In this case, the malvertising contains code that automatically redirects your browser to a server, which delivers the exploit kit. The redirection occurs behind the scenes, without you clicking a single link.
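A forced redirect of this kind can leave a trace in web proxy logs: a request to an ad host followed almost immediately by requests to other hosts, each referred by the one before. The Python heuristic below is an added example, not part of the original article; the log format, the host names, and the `AD_HOSTS`, `MAX_GAP` and `MIN_HOPS` values are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic). Fields per line:
# epoch_seconds client method url status referer
SAMPLE_LOG = """\
1000.0 10.0.0.5 GET https://news.example/markets 200 -
1000.4 10.0.0.5 GET https://ads.adnet.example/creative?id=77 200 https://news.example/
1000.9 10.0.0.5 GET https://trk.hop1.example/r?c=77 302 https://ads.adnet.example/
1001.1 10.0.0.5 GET https://gate.hop2.example/landing 200 https://trk.hop1.example/
1000.2 10.0.0.9 GET https://news.example/markets 200 -
1000.6 10.0.0.9 GET https://ads.adnet.example/creative?id=12 200 https://news.example/
1019.0 10.0.0.9 GET https://shop.example/offer 200 https://ads.adnet.example/
"""

AD_HOSTS = {"ads.adnet.example"}  # assumption: ad-serving hosts you have inventoried
MAX_GAP = 2.0   # assumption: a hop this soon after the previous one is not a human click
MIN_HOPS = 2    # assumption: onward hops after the ad request before a chain is flagged

def host(url):
    return urlsplit(url).hostname if url and url != "-" else None

def parse(log):
    """Turn each log line into a dict; only the fields the heuristic needs are kept."""
    for line in log.splitlines():
        ts, client, _method, url, _status, referer = line.split()
        yield {"ts": float(ts), "client": client, "url": url, "ref_host": host(referer)}

def find_forced_redirects(log):
    """Return (client, [urls]) for chains that leave an ad host in rapid hops."""
    records = sorted(parse(log), key=lambda r: r["ts"])
    findings = []
    for start in records:
        if host(start["url"]) not in AD_HOSTS:
            continue
        chain, seen, last = [start["url"]], {host(start["url"])}, start
        while True:
            nxt = next((r for r in records
                        if r["client"] == last["client"]
                        and r["ref_host"] == host(last["url"])
                        and host(r["url"]) not in seen
                        and 0 <= r["ts"] - last["ts"] <= MAX_GAP), None)
            if nxt is None:
                break
            chain.append(nxt["url"])
            seen.add(host(nxt["url"]))
            last = nxt
        if len(chain) - 1 >= MIN_HOPS:
            findings.append((start["client"], chain))
    return findings
```

In the sample, the first client is flagged because it moves from the ad host through two further hosts in under a second, while the second client's single visit 18 seconds after the ad loads looks like an ordinary click and is not. Hops where the browser suppresses the Referer header are not linked, so treat a hit as a lead for analyst review rather than a verdict.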
How Hackers Get Malicious Ads on Legitimate Websites
Hacking into legitimate websites and inserting malicious ads is a lot of work. That’s why cybercriminals typically pose as businesspeople to get their malvertising online. This ruse is successful because there are many different ways to get ads on websites (e.g., through advertising agencies, using advertising networks) and there is no standard vetting process. The groups involved in getting ads often do not request much information from the people submitting them. Plus, while some groups check ads before accepting them, others do not.
Even if the ads are checked, hackers find ways around the screenings. For example, sometimes they submit their ads with the malicious code disabled and then enable it after the ad is accepted and put online. In addition, hackers often remove the malicious code from their ads shortly after they are posted to make it more difficult to detect and track their attacks.
How to Protect Your Business
While the digital ad industry knows about malvertising and is taking steps to mitigate the problem, it will be a while before these ads are no longer a threat. Thus, you need to proactively protect your business. Here are some of the measures you can take:
- Educate employees about malvertising. Be sure to discuss the dangers of clicking links in ads, as the ads might be malicious.
- Tell employees about the dangers of allowing pop-ups and redirects. Most modern web browsers block pop-ups and redirects by default, but this functionality can be manually disabled. Let employees know this is dangerous since malvertising sometimes uses both pop-ups and redirects. Similarly, let them know they should not enable web content that has been disabled by their web browsers or security software, as it might contain malicious ads.
- Uninstall browser plug-ins and extensions not being used. This will reduce the computers’ attack surface. For the plug-ins and extensions being used, consider configuring web browsers so that plug-ins and extensions are automatically disabled but can be manually enabled on a case-by-case basis.
- Update software regularly, including browser plug-ins and extensions. Exploit kits look for known vulnerabilities in software. Patching these vulnerabilities helps eliminate entry points into devices.
- Install ad blockers. Ad blockers remove or modify all ad content on web pages. However, they might unintentionally block non-ad content, causing a web page to display improperly or not at all.
We can help you develop a customized strategy to protect your business’s devices from malvertising and other types of cyberattacks.