What is Malvertising?
Malvertising is the name we in the security industry give to criminally controlled adverts which intentionally infect people and businesses. These can be any ad on any site – often ones which you use as part of your everyday Internet usage.
How does malvertising work?
Malicious actors hide a small piece of code deep within a legitimate-looking advertisement, which directs the user’s machine to a malicious or compromised server. When the user’s machine successfully connects to that server, an exploit kit hosted there executes. An exploit kit is a type of malware that evaluates a system, determines what vulnerabilities exist on it, and exploits one of them. From there, the malicious actor is able to install malware by utilizing the security bypass created by the exploit kit. The additional software could allow the attacker to perform a number of actions, including gaining full access to the computer, exfiltrating financial or sensitive information, locking the system and holding it to ransom via ransomware, or adding the system to a botnet so it can be used to perform further attacks. This entire process occurs behind the scenes, out of sight of the user and without any interaction from the user.
The Most Popular Exploit Kit
One of the most popular exploit kits currently in use is the Angler Exploit Kit. Angler employs a number of evasion techniques in order to avoid being detected. For example, the URL of the landing page the user’s computer connects to, where the exploit kit is hosted, is often generated dynamically. This makes it difficult to detect because the URL is constantly changing. Angler also has the functionality to determine if it is being run inside a virtual machine, making it difficult for cybersecurity analysts to analyse it. Finally, multiple layers of obfuscation exist in Angler, built on top of each other with various encoding schemes (base64, RC4, etc.) to hide the code that executes when the vulnerable user visits the server.
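To make the layered obfuscation described above concrete, here is a small added Python example (my own constructed illustration, not code from this article or from Angler): an analyst-side unwrapper that peels a base64 / RC4 / base64 stack to recover the script inside. The key, layer order and sample script are all made up; `wrap` exists only to build the test input.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (symmetric: the same call encrypts and decrypts)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Constructed layer description, innermost first (assumption: real samples
# vary the order and keys, so this list is what an analyst fills in per sample).
LAYERS = [("base64", None), ("rc4", b"constructed-key"), ("base64", None)]

def apply_layer(name, key, data, decode):
    if name == "base64":
        return base64.b64decode(data) if decode else base64.b64encode(data)
    if name == "rc4":
        return rc4(key, data)
    raise ValueError(f"unknown layer {name}")

def wrap(payload: bytes, layers=LAYERS) -> bytes:
    """Build the constructed obfuscated blob (only used to produce test input)."""
    for name, key in layers:
        payload = apply_layer(name, key, payload, decode=False)
    return payload

def unwrap(blob: bytes, layers=LAYERS) -> bytes:
    """Peel the layers in reverse order to recover the readable script."""
    for name, key in reversed(layers):
        blob = apply_layer(name, key, blob, decode=True)
    return blob

# Constructed placeholder script; not a real landing-page payload.
SAMPLE_SCRIPT = b"document.write('constructed sample, not a real landing page');"

if __name__ == "__main__":
    blob = wrap(SAMPLE_SCRIPT)
    print("outer blob:", blob[:40], "...")
    print("recovered :", unwrap(blob).decode())
```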
Angler uses a variety of vulnerabilities in Adobe Flash, Microsoft Silverlight, and Oracle Java. These are all extremely common extensions running in many popular web browsers. When the user’s computer visits the server hosting the exploit kit, the system is scanned to determine which versions of the above software are running in the user’s browser. From there, Angler picks the best vulnerability for exploiting the victim.
A Very Real Threat
There are numerous examples of popular websites inadvertently hosting malicious advertisements. According to the news media, popular sites belonging to the New York Times, BBC, AOL and the NFL were the target of malvertising campaigns as recently as March 2016. In this instance, the malicious code was delivered through a compromised ad network. After the exploit kit ran, the malware downloaded onto vulnerable systems was a variant of the Bedep trojan. This malware typically provides the malicious actor with a backdoor through which they can access the infected system and download additional files onto it. Some reports also indicated the attacker then infected the machine with a ransomware known as TeslaCrypt. Ransomware is a type of malware that encrypts files on a user’s machine and then demands payment in order to decrypt them.
The news media reported another example of a large-scale malvertising campaign in September 2015. In this case, the attacker utilized a number of large ad networks as well as a number of smaller ones, and the campaign went undiscovered for almost three weeks. Many large sites with millions of visitors per month were affected, including eBay UK, answers.com, and drudgereport.com. The attackers also took great care in hiding their activities, creating legitimate-appearing companies to place the ads.
How To Combat It
Unfortunately, due to the way this attack vector works, it is quite difficult for users to protect themselves against it. The best course of action is to ensure that all utilized software and extensions (particularly the web browser, as well as Flash and Java) are kept up to date. Where your browser allows it, disable Flash or set it to require user interaction (click-to-play) in order to run. When browsing the Internet, make sure to close browser windows when not in use, since this minimizes the number of ads displayed and therefore the likelihood of a malicious ad appearing. Consider the use of an add-on ad blocker in order to block automated scripts from running on visited websites.