Malvertising is On The Rise
by Serena Raymond on Sep 24, 2020 12:00:00 AM
Ads are everywhere: in our social media feeds, on news sites, in our emails, in search engines, and in recommended content. That small “ad” text on nearly everything is leading to major banner blindness, meaning people see ads regularly without even registering they’re there. And privacy issues of tracking internet users aside, ads pose a serious risk when you consider that ad networks can be hijacked. It’s called malvertising.
Malvertising, also known as malicious advertising, is the spread of malware and the compromise of systems through attacks disguised as advertisements.
What is malvertising?
It should be pretty obvious where malvertising gets its name from. It’s a combination of “malware” and “advertising.” Hackers pay for ads on trusted websites, and those ads can:
- Point to malicious websites
- Force-download malware just by viewing the ad
- Leverage the CPU of a site visitor’s computer for cryptomining resources
There’s no limit to where these ads might appear or what they might look like. Pop-up ads, banner ads, text ads, and even buttons (such as X-out or “cancel” buttons) can be infected with malware.
Major news publishers have standards and a process for vetting ads before they go live, but malvertising schemes can still slip through the cracks. Just this year, a group of trusted sites were the victims of a large-scale malvertising attack. This attack deployed ransomware after ads were clicked.
The rise of malvertising
The first recorded instance of malvertising occurred at the end of 2007, impacting sites like MySpace through a vulnerability in Adobe Flash.
Back in 2011, when Spotify was still a desktop application, it was hit with malware that impacted users who didn’t have anti-virus in place. The ad was a forced download of malware, and users didn’t even need to click the ad to become affected.
And while relying on ad blockers is a good practice, it doesn’t always stop you from becoming the victim of a malvertising scam. In 2017, the malvertising attack RoughTed actually bypassed ad blockers and was still able to infect end users.
Around the same time in 2017, we also saw the first reports of ads being deployed for cryptomining. Some of these campaigns utilized YouTube ads, as first reported in early 2017—10 years after Google first rolled out ads on YouTube. A majority of these ads used publicly available cryptocurrency-mining JavaScript from Coinhive, a cryptocurrency mining company. In 2018, Coinhive was a top online threat, but the service was shut down in 2019. Part of Coinhive’s strategy was taking a cut of the cryptocurrency mined through the use of their JavaScript (reportedly 30% of the revenue generated). Some hackers chose to write their own scripts to avoid this fee. But the end result for the website visitor was the same: the script absorbed so much of their computer’s resources that it could barely function.
As of December 2019, 1 in every 250 ads is still malicious.
Avoiding malvertising campaigns
Don’t click anything on questionable websites
While trustworthy websites can still get hit by a major malvertising attack, sites that host illegal streams or generally unsavory content are much more likely to inadvertently (or uncaringly) host malicious ads. Torrent site Pirate Bay previously “borrowed” CPU from their users’ computers in a manner very similar to the cryptomining malvertising attacks we described earlier.
Professional news sites have internal audits and approval processes in place. These don’t necessarily catch every malvertising scam that comes through, but they make finding a malicious ad on a site like CNN rare compared to an adult content site. Any site that is looking to make money, whatever the cost, is a site you should be wary of.
Beware of “freebies”
Hackers just want you to click. Ads promising gift card giveaways or major purchases free-of-charge should be avoided at all costs. These hackers are trying to make their ad seem as appealing as possible. And what’s more appealing than essentially free money with no effort?
If you remember the ad with the sound clip “Congratulations, you’ve been selected to win a free iPod Nano,” that is the type of ad you should avoid clicking. You have not been selected to win anything. Either you’ll have major hoops to jump through to get that free device, or it will lead to a malicious website that can infect your computer.
When you see an ad that seems to be too good to be true, just remind yourself that it’s probably not true.
Do the links go where they say they’re going?
Sites like Google and Facebook have done a good job over the years of requiring a site’s display URL (the one you see before you click on the ad) to match the destination URL (the one you land on after clicking).
This is to avoid click fraud through impersonation. If an advertiser could make the display URL anything they wanted, they could pretend to be Nike giving away free sneakers while in reality they’re hackers looking to capture your credentials. In most cases, hovering over a link with your mouse shows a preview of the link without clicking. If the preview is obscured or doesn’t match the display URL, do not click.
At the end of the day, trust your instincts.
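The display-versus-destination comparison described above can be automated. The following is an added example, not code from the original post: the function names are hypothetical, the URLs are constructed samples, and the three-entry suffix set stands in for the full Public Suffix List.

```javascript
// Constructed sample: a tiny stand-in for the real Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Registrable domain, e.g. "shop.brand.co.uk" -> "brand.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const lastTwo = labels.slice(-2).join(".");
  const take = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Parse as the browser would; display URLs are often shown without a scheme.
function parseUrl(raw) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw);
  return new URL(hasScheme ? raw : "https://" + raw);
}

// Compare what the ad shows with where the click lands; collect reasons to distrust it.
function checkAdLink(displayUrl, destinationUrl) {
  let display, dest;
  try {
    display = parseUrl(displayUrl);
    dest = parseUrl(destinationUrl);
  } catch {
    return { ok: false, reasons: ["unparseable URL"] };
  }
  const reasons = [];
  const host = dest.hostname;
  // "brand.example@evil.test" puts the trusted name in userinfo, not the host.
  if (dest.username || dest.password) reasons.push("userinfo in destination");
  // URL() converts Unicode hosts to punycode; lookalike letters surface as xn-- labels.
  if (host.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode host");
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) reasons.push("IP-literal host");
  // Subdomains of the same site are fine; "brand.example.evil.test" is not.
  if (registrableDomain(display.hostname) !== registrableDomain(host)) {
    reasons.push("domain mismatch");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample pairs (display URL, destination URL).
const samples = [
  ["www.brand.example/sale", "https://shop.brand.example/sale?id=1"],
  ["brand.example", "https://brand.example.evil.test/login"],
  ["brand.example", "https://brand.example@evil.test/"],
];
for (const [shown, target] of samples) {
  console.log(shown, "->", target, checkAdLink(shown, target));
}
```

The punycode flag is a review heuristic, since legitimate internationalized domains also produce `xn--` labels.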
Ad blockers
While ad blockers don’t necessarily protect you from every single malvertising scheme out there (and they certainly won’t protect you from malicious websites on the whole), they’re a good layer of protection to add to your browsing experience.
DNS filtering
It’s easy to avoid malicious links, no matter if they’re in malvertising ads or phishing schemes, when they’re blocked at the DNS level. DNS filtering can assess and block 0-day malvertising attacks.