Web-based advertising can be annoying (as when it causes your web page to load slowly) or a bit creepy (as when you get an ad for cold medicine just when you’ start sniffling). But it can be also be very dangerous and highly malicious. Malicious advertising, or “malvertising,” is one of the scariest – and most effective –cyber threats out there.
Two things make malvertising particularly scary:
- Malvertising can be inserted in legitimate, reputable websites, possibly exposing users who might block ads on less trusted sites – or avoid them entirely by avoiding those sites. The NYTimes, the London Stock Exchange, Spotify, and The Atlantic have all inadvertently delivered malvertising.
- Malvertising bypasses built-in browser protections against pop-ups and forced redirects, then spawns forced redirects or loads malicious payloads. Yet it is transparent to the very websites that host it.
In May 2020 almost 1 million WordPress websites were hit with an attack that targeted cross-site scripting (XSS) vulnerabilities in an attempt to inject code that would redirect visitors to malvertising sites.
Recognizing the seriousness of the malvertising threat, which has been exacerbated by users working remotely, and often on unmanaged devices, the US Cybersecurity and Infrastructure Security Agency (CISA) recently issued guidance to federal agencies on how to defend against malvertising.
Recommended Protective Steps
The guide recommended federal agencies implement four measures to protect against malvertising:
- Standardize and Secure Web Browsers
- Deploy Advertisement Blocking Software
- Implement Protective Domain Name System Technologies
- Isolate Web Browsers from Operating Systems
Standardize and Secure Web Browsers
Many malvertising attacks exploit browser and browser plug-in vulnerabilities. Enforcing use of a single standard browser across an organization has the advantages of reducing the attack surface and making it easier to implement controls over protection tools, versions and configuration management.
Deploy Ad Blocking Software
Ad-blocking software either prevents ads from being displayed or removes certain types of ads, such as banner ads or pop-ups. Some ad-blocking solutions come as browser extensions that allow the user or agency to customize which ads may be displayed. Ad-blocking software can be risky: they operate with high levels of privilege and have access to all traffic, so if one is compromised it could do a lot of damage. It’s also worth noting that some vendors accept payment from certain advertisers to allowlist their ads – and if one of those ads was infected, it would get through.
Protective DNS Technologies
Protective Domain Name System (DNS) technologies prevent redirects to known malvertising domains. With studies showing that over 90% of cyberattacks use DNS, it has been estimated that DNS protective technology could prevent only one out of three attacks – and the other two would get through.
Isolate Web Browsers from Operating Systems
CISA is a proponent of web browser isolation, also known as remote browser isolation, which has already been implemented by the Department of Defense, as well as major corporations. The CISA guide identifies several benefits of browser isolation that go far beyond malvertising prevention. Remote browser isolation:
- Prevents all ransomware and other malware from the web from reaching endpoints and networks
- Protects remote users as they browse, when solution is provided on a cloud platform
- Reduces the need for agency blocklisting / allowlisting – as well as helpdesk exception requests
- Unburdens users of the responsibility for avoiding malicious links
- Reduces dependence on costly, debatably effective internet security training for users
- Enables administrators to isolate everything or only selected traffic or sites
- Eliminates risk from malicious downloads, for solutions that integrate content disarm and reconfiguration (CDR) within the isolated area
- Enables users – for instance, researchers — to safely visit malicious websites
- Transparent to users — does not negatively impact the web browsing experience
The report also says that browser isolation may be more complex than the other recommended actions in the guide, but with Ericom’s browser isolation solution, Ericom Shield, there are no agents to install or exceptions to manage, making it easy to install and use. Deploying the solution on the high-availability Ericom Global Cloud is a popular choice for organization that want to implement RBI quickly, so they can immediately reap its strong security benefits.
Malvertising and other browser-based exploits that deliver malware place all individuals, organizations and businesses who use the internet at risk. Government agencies are particularly desirable targets for cybercriminals because of the sensitive data they hold. In addition, the essential services they provide can put them under pressure to pay ransomware demands rather than take the time to find workarounds. A recent attack on London’s Hackney Council shut down many important public services including transport, wedding licenses, housing assistance, and provision of other social services. Since the attack came during a pandemic, when almost all services were delivered online, the impact was especially severe; it cost the council millions of dollars. While recent high profile, sophisticated attacks by nation-state actors have loomed large in headlines, most attacks on government agencies are far more banal – criminal activity with financial motives. Like the malvertising discussed in the CISA alert, these attacks almost always involve web-based exploits delivering ransomware, malware or exploit kits. To learn more about how adopting a Zero Trust approach to network security can help protect vital public sector networks, download our new white paper, “To Halt Public Sector Cyberattacks, in Zero We Trust”.