Of all the cyber threats driving headlines, malvertising – seeding malicious code in online advertisements to infect unsuspecting users – might be the most jarring and difficult for many Web surfers to fathom. No one expects to get infected with malware when they visit trusted sites like YouTube or Reuters – hardly the seedy sides of the Web. Yet attackers are preying on users’ implicit trust of these sites to infect them via the third-party ad content quietly displaying on these pages and sometimes burrowing into viewers’ browsers and PCs, before they even click on anything.
Malvertising is a tough problem to solve and its unsettling prevalence requires a concerted defense effort spanning a lot of stakeholders, including Web site operators, ad networks themselves and consumer and business audiences worried about protecting personal information and staving off the next data breach. Before you fire up your browser and jump into your daily bookmarks, it is important to understand why malvertising is a growing “sweet spot” for cyber criminals who easily turn new aspects of the Web to nefarious purposes.
Hacking Us Softly
Malvertising contradicts basic Web safety tips security experts have drilled into our heads – such as “Stay away from ‘sketchy’ Web sites if you don’t want to pick up malware.” This is because mainstream, high-trafficked Web sites today outsource the ad content on their pages to a vast array of third-party ad networks, ranging from household names like Google (DoubleClick) to start-up providers and others well under the radar. As anyone who has used Disconnect’s browser plug-in knows, when you land on any popular Web site, your device is actually connecting to dozens of other URLs, imperceptibly, as Web browsers accept connections to render pop-ups, video files and even stealthier interactions. Most people would never willfully download all this arbitrary code if blindly prompted by a Web site, but this happens unwittingly or for the sake of convenience every time we go online.
The net effect of advertising’s influence on Web content is that the reputation of destination sites’ URLs is almost irrelevant from a security and screening perspective. Malvertising attacks rely on a trusted destination as a lure, before springing attacks from a myriad of other, hidden domain addresses the minute someone lands on a site to catch up on sports scores or movie trailers. Low recognition of this indirect attack method is the first advantage malvertising has in getting a jump on victims.
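To make the point above concrete from the defender's side, here is an added example (not code from the original article or from Bromium) that inventories which third-party hosts a page would cause the browser to contact automatically, before the visitor clicks anything. It parses a constructed sample page whose ad slots are filled from made-up domains (all `.test` names are assumptions, not real sites) and reports every sub-resource host whose registrable domain differs from the page's own. This is the inventory a site operator or investigator wants when the destination URL alone says nothing about where the displayed content came from.

```python
"""Inventory the third-party origins a page makes the browser fetch automatically."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page standing in for a news article whose ad slots are
# filled by third-party networks. None of these domains are real.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script src="https://ads.adnetwork-one.test/tag.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<img src="https://pixel.tracker-two.test/1x1.gif">
<iframe src="https://serve.adnetwork-one.test/slot?id=7"></iframe>
<iframe src="https://creative.unknown-provider.test/x.html"></iframe>
<video src="https://media.example-news.test/clip.mp4"></video>
</body></html>
"""

# Tags and attributes that make the browser fetch a sub-resource on its own,
# i.e. with no click from the user.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "video": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every auto-fetched sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_names = FETCH_ATTRS.get(tag)
        if not attr_names:
            return
        for name, value in attrs:
            if name in attr_names and value:
                # Resolve relative references against the page URL so that
                # first-party paths like /static/site.css get the page's host.
                self.resources.append((tag, urljoin(self.page_url, value)))


def registrable_domain(host):
    """Crude eTLD+1 approximation: the last two labels of the host name.
    Adequate for the sample; a real tool should consult the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def third_party_resources(page_url, html):
    """Return {host: sorted tag names} for every automatically fetched
    sub-resource served from a registrable domain other than the page's own."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname)
    found = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if not host or registrable_domain(host) == first_party:
            continue  # same site as the page itself; not third-party content
        found.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(found.items())}


if __name__ == "__main__":
    page = "https://www.example-news.test/story/123"  # constructed page URL
    for host, tags in third_party_resources(page, SAMPLE_HTML).items():
        print(f"{host:35s} {', '.join(tags)}")
```

Run against a saved copy of a real page, the list will usually be far longer than the visible ad slots suggest, and the `iframe` entries are the ones to watch: an ad network's frame can in turn load content from yet another domain that never appears in the page source at all, which is why a one-level inventory like this is a starting point for investigation rather than a complete picture.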
Attack and Cover Your Tracks
Anonymity is another advantage for malvertisers. If a victim – or their employer – even realizes a device has been infected, the forensic trail usually “goes cold” at the site that served the malicious ads. This is because site operators often have no knowledge of malware on their own domain – nor visibility into what type of ad content a third-party ad network might have been displaying on their site at any given time. Ad networks rotate content extremely fast and ads can be purchased with stolen or obfuscated account information and funds, so even when a malicious ad is pinpointed in an investigation it can be practically impossible to prove who actually placed the malicious ad order.
Best of Both Worlds
After effectiveness and anonymity, a smart attacker wants to be able to target the “right” types of victims. Accordingly, it is modern, more sophisticated ad networks’ granular profiling capabilities that really create the malvertising sweet spot.
Today ad networks let buyers configure ads to appear according to Web surfers’ precise browser or operating system types, their country locations, related search keywords and other identifying attributes. Right away we can see the value here for criminals borrowing the tactics of savvy marketers.
An attacker wishing to go after U.S. federal government employees, for example, could rig a malicious ad that only appears when major ad networks see someone in the U.S. using an older version of Internet Explorer (IE) on Windows XP and typing “extended support for Windows XP government” or “government travel allowance” into a search engine. Similarly, an attacker looking to compromise certain high-value victims can place malicious ads configured to appear in front of attorneys, scientists or other individuals who might be keyword-searching hotel rates at sensitive industry conferences or other gatherings. As the fight against phishing has taught us, if you use familiar and comfortable jargon, geography and other nuances in your socially engineered attack, you are much more likely to hit the target.
Piggybacking on rich advertising features, malvertising offers persistent, Internet-scale profiling and attacking. The sheer size and complexity of online advertising – coupled with the Byzantine nature of who is responsible for ad content placement and screening – means attackers enjoy the luxury of concealment and safe routes to victims, while casting wide nets to reach as many specific targets as possible.
It Takes Money to Make Money
For further evidence of malvertising’s appeal, consider that attackers are actually putting up money for these malicious ad purchases, suggesting they are enjoying lucrative ROI on their ad spending. Cyber crime rings are brutally efficient and do not bother with unnecessary effort, cost and exposure, so we have to assume malvertising offers them an edge they cannot gain elsewhere. One benefit for malvertisers is that almost no organization or security vendor can readily pre-empt a malvertising attack by blacklisting sites like Reuters.com and the same goes for Web portals users visit to access Web applications.
Rahul Kashyap is Chief Security Architect and Head of Research at Bromium.
Part 2 of this two-part series will explore the factors required to lessen malvertising’s “sweet spot” appeal for attackers, and explain why traditional security products typically cannot defend devices from malvertising attacks.