Malvertising: Outwitting Software and Smarts

2018-07-02T16:56:19+00:00 | January 21st, 2016 | Cybersecurity

Malvertising is a new cyber threat that requires no action on the user’s end.

In the face of constantly adapting cyber threats, one of the most promising cyber security realities is that every end user has the power to fight off an attack.  The security world promotes the message: with the right software and cyber threat smarts, you too can fight for the survival of your online privacy and security in the digital realm of hundreds of millions of malware, hackers, and malicious threats.

But what would happen if all that self-defense power disappeared?

Malvertising, or malicious online advertising, is a distressing cyber threat designed to sidestep all your normal defenses. Before you get the wrong impression, malvertising does not necessarily look like the hokey weight loss ads or free gift cards you’re used to seeing. The attack source can range from an infected advertisement to an infected ad delivery server that can impact thousands of sites. Scariest of all, once the injected code has decided on its avenue of attack, this seemingly benign ad can access and infect a workstation or network without the end user clicking, downloading, or interacting in any way.

Simply put, malvertising is an online ad that looks legitimate but has been hijacked for a malicious purpose. For example, if you visit a site with one of these malicious ads, you can be infected by a drive-by download. In this case, the drive-by download is a link hidden inside the code of the ad that automatically downloads and installs the intended software, and then uses that download to search for browser and plugin vulnerabilities on your computer: holes in the software on your machine that open a backdoor for further installs directly onto it. Once a vulnerability is uncovered, it is exploited to infect your system with malware like spyware, ransomware, and Trojans.

An example of this type of online scheme in action is detailed by Sophos, a computer security firm that recently took a deeper look when Forbes was exposed to malvertising last September.

The ad asked the user to click on a link to install a free version of Java. Once clicked, a download of Java did indeed begin, but it was a previous version (more than a year’s worth of security patches old) of the popular software that had since been updated, patched, and strengthened. Sophos additionally found that even after this attack, Forbes’ website continued presenting more than 100 different ad-serving domains to visitors.

And that’s what’s worrisome. Forbes and other well-respected news publications like The Daily Mail, Yahoo, Reuters, YouTube, Google, and The Huffington Post have all fallen prey to these malicious ads, and many have a hard time cleaning up the supply chain that provides online ads.

Tom’s Guide, a website that focuses on new technology and popular gadgets, blames the failures of popular sites to remedy malvertising on the “chaotic nature of the online advertising agency.” Tracking and vetting third-party companies that purchase online ad space is a huge undertaking because the process is extremely fast and is usually automated. According to a report issued jointly by the Interactive Advertising Bureau (IAB) and Ernst & Young, companies whose revenue models rely on ad income have been severely impacted by trying to combat malware-related activities to the tune of $1.1 billion a year. Further, an additional $781 million of ad revenue lost in a single year was a result of network administrators and everyday end users instituting ad blockers (we suggest them later in this article) to protect their environments.
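To make the scale of that vetting problem concrete, the following added example (not from the original article or any source it cites) inventories the third-party hosts a saved page loads resources from and singles out the ones that can run code in the visitor's browser. The sample page, all host names, and the rule that the page's own host and its subdomains count as first party are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that fetch a resource, mapped to the attribute holding its URL.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "object": "data"}
# Tags whose content can run code in the visitor's browser.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}

# Constructed sample page; every host name in it is made up.
SAMPLE_URL = "https://news.example/story.html"
SAMPLE_HTML = """
<script src="/static/site.js"></script>
<script src="//ads.adnet-one.example/tag.js"></script>
<iframe src="https://serve.adnet-two.example/slot?id=7"></iframe>
<img src="https://pixel.tracker.example/p.gif">
<img src="https://cdn.news.example/logo.png">
<embed src="https://ads.adnet-one.example/banner.swf">
"""


class ThirdPartyInventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.hosts = {}  # third-party host -> set of tag names seen

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        if not url:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        # Assumption: the page's host and its subdomains are first party.
        if host and not ("." + host).endswith("." + self.first_party):
            self.hosts.setdefault(host, set()).add(tag)


def inventory(page_url, html):
    parser = ThirdPartyInventory(page_url)
    parser.feed(html)
    parser.close()
    return parser.hosts


# Hosts able to run code in the page: the ones to vet first.
def active_hosts(hosts):
    return sorted(h for h, tags in hosts.items() if tags & ACTIVE_TAGS)
```

Calling `active_hosts(inventory(SAMPLE_URL, SAMPLE_HTML))` lists the two constructed ad hosts and leaves out the image-only tracker. Static HTML shows only the first hop: hosts that those scripts and frames load at run time will not appear in this inventory.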

The bottom line is: detecting a malvertisement in action is nearly impossible, and online advertisers have not mastered their ad sources to guarantee protection to their end users. So what do those realities mean to you as an executive?

The decision to protect your company against online threats requires active participation.  To protect yourself, we recommend these three tips:

Update

Always make sure the browsers, software, and systems used at your company are up-to-date. While updating a browser won’t prevent zero-day exploits, it will help to prevent everything else. Vulnerabilities come from two things: a zero-day exploit (wherein a developer has launched a program or new upgrade and doesn’t know all of the vulnerabilities yet) or a user failing to update their browser, system or software with a newly released version meant to fix usability issues and vulnerabilities in the code. A network administrator with an understanding of the balance between zero-day concerns and outdated updates is able to make smart decisions about when it’s time to push out upgrades to an entire environment.

Privileges

To limit the impact of an exploit, set admin rights so that only identified admins can install or modify programs, or require that any installs or modifications be approved. (For example, the users in the Java download would have been blocked from installing an older version of Java.) Keep in mind, requiring admin access for upgrades means that your system administrator bears the responsibility for making sure your employees’ software is updated in a timely manner.

Software

Install an antivirus program. The best kind of antivirus software runs in real time, scanning any file coming to a protected computer for viruses, malware, and Trojans and blocking such files from being installed. A regular antivirus solution will focus attention on the hard drive of a computer and may not be able to detect a virus on your machine if a malvertising attack installs the malware in memory or uses an encrypted version of a malicious program.

Not all antivirus solutions include this feature, but if you’re worried about your employees visiting sites with malvertising, you may want to think about choosing an antivirus suite that includes ad blocking. Ad blocking provides additional security that should keep most, if not all, ads off your browser, stopping the attack at its source. While the push toward ad-blocking software is unpopular in the online advertisement community, it’s ultimately the strongest solution to protect your environment against this type of attack.

These three tips are a starting point in a wider online security plan. If you’re worried your defenses aren’t ready for the next attack, we are capable of helping you better your security strategy. Contact a firm principal today.

Sources

http://www.forbes.com/sites/valleyvoices/2016/01/11/malvertising-three-things-you-need-to-know/#2715e4857a0b5c586738219b

http://www.computerworld.com/article/2993382/malware-vulnerabilities/malvertising-is-a-troubling-trend.html

http://www.tomsguide.com/us/malvertising-what-it-is,news-19877.html

https://nakedsecurity.sophos.com/2016/01/15/malvertising-why-fighting-adblockers-gets-users-backs-up/