Malvertising: You Might Be Infected If…

JOE CISO on March 01, 2018

Malicious advertising has spread like the latest flu bug. Malicious ads ("malvertising") turn up among the billions of online advertisements served every day, including ads on sites you visit routinely.

Much like with the flu, sometimes just going out in public (or visiting an ad-supported website) is enough to become infected, even if you don't click on anything. The ad's code can start delivering its malicious payload the moment the ad is rendered on your screen, typically by loading an exploit kit that targets an unpatched vulnerability in the browser or one of its plugins. No click is required. Your PC is now infected, and it may be used as a foothold to reach other machines on your network, but you might not know it yet.

In other cases, the ad might pop up suddenly out of nowhere. Did you quickly click that "X" in the upper corner to close the ad? Congratulations. That "X" was painted onto the ad creative itself, so clicking it counted as a click on the ad. You just caused the malvertisement to execute and your PC is now infected. The bad guys don't play fair.

Malvertising doesn't necessarily hang around sleazy websites. Even innocuous-looking advertisements on highly trustworthy sites can be malicious. You could be reading an online news site or watching a sporting event in your browser when you see an interesting advertisement for dental services. Click on that seemingly legitimate ad to visit the dentist's site and, before you can say "I want general anesthetic", you are redirected through a chain of intermediate pages to a minefield full of floss and nasty malware.

Sometimes, the disease poses as the cure. You click on a helpful warning that "YOUR COMPUTER MAY BE INFECTED" only to find that the very "medicine", the software you thought was going to scan your computer, is actually delivering the infection. In this scareware scenario, you innocently agree to purchase and download some registry fix or antivirus app from a pop-up that "noticed" your problem and offered to help you. Don't go there! It's worthless at best and infectious at worst.

In another scenario, the advertiser places a legitimate, malware-free advertisement on a popular website. At the outset, the website owner or ad network checks the code to make sure that the ad is malware-free. So far so good. Over time, the advertiser builds up a good reputation. He can be trusted. Only later, when nobody suspects, the advertiser turns into an attacker, injecting a malicious payload into his own ad. Because ad tags fetch their code from the advertiser's servers at the moment each impression is served, the review performed at submission time never sees the changed version. From then on, the ad starts infecting visitors. If the attacker wants to cover his tracks, he merely waits until his stunt infects a few hundred or thousand computers (this can happen within an hour) and then discontinues the ad. Fun for him. Disaster for you.

Online advertising is a giant business, with trillions of ad impressions served per year. Malvertising has expanded accordingly, siphoning off an estimated $8 billion.

By infiltrating popular, syndicated online ad services, thousands of sites can be exposed at once. Websites that run third-party ads do not control which syndicated ads appear on their pages. The stakes are high. In 2017, malicious ads created by the cyber-criminal syndicate Zirconium Group reached 62 percent of the Internet's ad-monetized websites on a weekly basis.

How to Protect Your Endpoints

When you visit a website, you simply don't know what code is running behind the scenes. Malvertising may begin running malicious code the moment a certain webpage opens. Everyone in your organization with Internet access has probably clicked on an ad at least once, whether intentionally or by mistake. Were those ads all legitimate? Have they introduced malware onto a PC that may be burrowing deeper into your corporate network even as we speak? More importantly, what can you do to protect endpoints from the next sneak attack?

Here are the standard answers:

  • Make sure all endpoints are running a reliable antivirus solution, and keep it current
  • As we have written in the past, plugins like Adobe Flash and Java are riddled with security holes. If your users don't absolutely need them, disable them; this removes the most common targets of drive-by exploit kits
  • Malvertising attacks have exploited security gaps in browsers (and their extensions), so be sure to keep up with the latest security patches
  • And of course, routine security awareness training should stress the inherent danger in clicking on anything you're not absolutely sure you can trust

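The precautions above are preventive. A practitioner also wants to know, after the fact, whether a drive-by chain of the kind described earlier (ad request, redirect to a landing page, plugin or native payload download) actually occurred on an endpoint. The following script is an added example written for this page, not code from the original post or from Ericom. It runs a simple heuristic over web proxy log lines. The log format, the domain names, and the sample log are all constructed for the example; a real deployment would adapt the regex to the proxy's own format and load the ad-domain list from the organization's allow list.

```python
"""Flag drive-by chains (ad request -> redirect -> plugin/native payload) in proxy logs.

Added example, not part of the original post. The log format, domains and
sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <client> <status> <content-type> <url> <referer>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<ctype>\S+) (?P<url>\S+) (?P<ref>\S+)$"
)

# Ad-network hosts the organization expects to see (assumed list for the example).
AD_DOMAINS = {"ads.example-network.test", "cdn.example-ads.test"}

# Content types that mean the browser pulled a plugin or native payload.
PAYLOAD_TYPES = {
    "application/x-shockwave-flash",   # Flash
    "application/java-archive",        # Java applet/JAR
    "application/x-msdownload",        # Windows executable
    "application/octet-stream",        # unlabelled binary
}

# How long after the ad request the rest of the chain must complete.
WINDOW = timedelta(seconds=10)


def host_of(url):
    """Return the lowercase hostname of a URL, or '' for non-URLs such as '-'."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def parse(lines):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["status"] = int(d["status"])
        events.append(d)
    return events


def _chain_from(evs, i):
    """Try to build a chain starting at the ad request evs[i]; return None if none."""
    ad = evs[i]
    ad_host = host_of(ad["url"])
    redirected = 300 <= ad["status"] < 400          # ad server answered with a redirect
    for j in range(i + 1, len(evs)):
        landing = evs[j]
        if landing["ts"] - ad["ts"] > WINDOW:
            return None
        lhost = host_of(landing["url"])
        if lhost in AD_DOMAINS:
            continue                                  # still inside the ad network
        if not (redirected or host_of(landing["ref"]) == ad_host):
            continue                                  # not reached from the ad
        # Look for a payload fetched from the landing host within the window.
        for payload in evs[j:]:
            if payload["ts"] - ad["ts"] > WINDOW:
                break
            if host_of(payload["url"]) == lhost and payload["ctype"] in PAYLOAD_TYPES:
                return (ad["client"], ad["url"], landing["url"], payload["url"])
    return None


def find_driveby_chains(lines):
    """Return (client, ad_url, landing_url, payload_url) for every suspicious chain."""
    by_client = defaultdict(list)
    for e in parse(lines):
        by_client[e["client"]].append(e)
    chains = []
    for evs in by_client.values():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if host_of(e["url"]) in AD_DOMAINS:
                chain = _chain_from(evs, i)
                if chain:
                    chains.append(chain)
    return chains


# Constructed sample: client .5 clicks a benign dentist ad; client .9 is redirected
# from an ad click to a landing page that serves a Flash payload.
SAMPLE_LOG = """\
2018-03-01T09:00:00 10.0.0.5 200 text/html http://news.example.test/ -
2018-03-01T09:00:01 10.0.0.5 200 application/javascript http://ads.example-network.test/tag.js http://news.example.test/
2018-03-01T09:00:01 10.0.0.5 200 image/png http://cdn.example-ads.test/creative.png http://news.example.test/
2018-03-01T09:00:05 10.0.0.5 200 text/html http://dentist.test/ http://ads.example-network.test/
2018-03-01T09:00:06 10.0.0.5 200 image/jpeg http://dentist.test/smile.jpg http://dentist.test/
2018-03-01T09:10:00 10.0.0.9 200 text/html http://news.example.test/ -
2018-03-01T09:10:01 10.0.0.9 302 text/html http://ads.example-network.test/click?id=7 http://news.example.test/
2018-03-01T09:10:02 10.0.0.9 200 text/html http://landing.example-bad.test/gate.php http://ads.example-network.test/
2018-03-01T09:10:03 10.0.0.9 200 application/x-shockwave-flash http://landing.example-bad.test/x.swf http://landing.example-bad.test/gate.php
"""

if __name__ == "__main__":
    for client, ad, landing, payload in find_driveby_chains(SAMPLE_LOG.splitlines()):
        print(f"{client}: {ad} -> {landing} -> {payload}")
```

On the constructed sample the benign dentist click produces no alert (only HTML and an image follow it), while the redirected click that ends in a Flash download is reported as one chain. The heuristic is deliberately narrow: it keys on payload content types and a short time window, so a chain that delivers its exploit as inline JavaScript would need a different signal such as reputation of the landing host.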
All of these precautions may be good enough for your home computer, but they are not complete solutions. For enterprise PCs holding company data, we cannot overemphasize the importance of Remote Browser Isolation (RBI).

RBI executes 100% of active web content off your endpoints, in a disposable container isolated from the enterprise network, so that web-borne threats cannot get a foothold on the endpoint. Instead, websites are rendered as a safe, interactive content stream that is delivered to the local browser in real time. In this manner, RBI provides a transparent, natural browsing experience: users don't notice any difference in behavior or response, just smooth, seamless and safe browsing.

To be truly protected against malvertising and other web-borne mal-adies, you need to stay away from sources of contagion. So unless your users are prepared to stay off the Internet indefinitely, you need to look into Remote Browser Isolation. 

Let the other guys catch the mal-adies. Let’s you and I stay healthy.


Image credit: Hermann Kaser, Flickr (CC BY-SA 2.0)



Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software
