Serena Raymond
September 25, 2020 in
Security

Malvertising is On The Rise

Ads are everywhere: in our social media feeds, on news sites, in our emails, in search engines, and in recommended content. That small “ad” text on nearly everything is leading to major banner blindness, meaning people see ads regularly without even registering they’re there. And privacy issues of tracking internet users aside, ads pose a serious risk when you consider that ad networks can be hijacked. That abuse is called malvertising.

What is malvertising?

It should be pretty obvious where malvertising gets its name from. It’s a combination of “malware” and “advertising.” Hackers pay for ad placements on trusted websites, and those ads can:

  • Point to malicious websites
  • Force-download malware just by viewing the ad
  • Leverage the CPU of a site visitor’s computer for cryptomining resources

There’s no limit to where these ads might appear or what they might look like. Pop-up ads, banner ads, text ads, and even buttons (such as X-out or “cancel” buttons) can be infected with malware. 

Major news publishers have standards and a process for vetting ads before they go live, but malvertising schemes can still slip through the cracks. Just this year, a group of trusted sites were the victims of a large-scale malvertising attack. This attack deployed ransomware after ads were clicked.

The rise of malvertising

The first recorded instance of malvertising occurred at the end of 2007, impacting sites like MySpace through a vulnerability in Adobe Flash.

Back in 2011, when Spotify was still a desktop application, it was hit with malware that impacted users who didn’t have anti-virus in place. The ad was a forced download of malware, and users didn’t even need to click the ad to become affected.

And while relying on ad blockers is a good practice, it doesn’t always stop you from becoming the victim of a malvertising scam. In 2017, the malvertising attack RoughTed actually bypassed ad blockers and was still able to infect end users.

Around the same time in 2017, we also saw the first reports of ads being deployed for cryptomining. Some of these campaigns utilized YouTube ads, as first reported in early 2017, 10 years after Google first rolled out ads on YouTube. A majority of these ads used publicly available cryptocurrency-mining JavaScript from Coinhive, a cryptocurrency mining company. In 2018, Coinhive was a top online threat, but the service was shut down in 2019. Part of Coinhive’s strategy was taking a cut of the cryptocurrency mined through the use of their JavaScript (reportedly 30% of the revenue generated). Some hackers chose to write their own scripts to avoid this fee. But the end result for the website visitor was the same: the script absorbed so much of their computer’s resources that it could barely function.

As of December 2019, 1 in every 250 ads is still malicious.

Avoiding malvertising campaigns

Don’t click anything on questionable websites

While trustworthy websites can still get hit by a major malvertising attack, sites that host illegal streams or generally unsavory content are much more likely to inadvertently (or uncaringly) host malicious ads. Torrent site Pirate Bay previously “borrowed” CPU from their users’ computers in a manner very similar to the cryptomining malvertising attacks we described earlier.

Professional news sites have internal audits and approval processes in place. These don’t necessarily catch every malvertising scam that comes through, but they make finding a malicious ad on a site like CNN rare compared to an adult content site. Any site that is looking to make money, whatever the cost, is a site you should be wary of.

Beware of “freebies”

Hackers just want you to click. Ads promising gift card giveaways or major purchases free-of-charge should be avoided at all costs. These hackers are trying to make their ad seem as appealing as possible. And what’s more appealing than essentially free money with no effort?

If you remember the ad with the sound clip “Congratulations, you’ve been selected to win a free iPod Nano,” that is the type of ad you should avoid clicking. You have not been selected to win anything. Either you’ll have major hoops to jump through to get that free device, or it will lead to a malicious website that can infect your computer.

When you see an ad that seems to be too good to be true, just remind yourself that it’s probably not true.

Do the links go where they say they’re going?

Sites like Google and Facebook have done a good job over the years of requiring a site’s display URL (the one you see before you click on the ad) to match the destination URL (the one you land on after clicking).

This is to avoid click fraud through impersonation. If advertisers could make their display URL anything they wanted, they could pretend to be Nike giving away free sneakers while in reality they’re hackers looking to capture your credentials. In most cases, hovering over a link with your mouse shows a preview of its destination without clicking. If the preview is obscured or doesn’t match the display URL, do not click.
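The display-versus-destination comparison can also be automated, for example when reviewing ad creatives before they go live. The JavaScript below is an added example, not code from the original post; `checkAdLink`, `normalizeHost` and the `.example` domains are constructed for illustration, and the "same host or a subdomain of it" rule is a simplifying assumption.

```javascript
// Added example: does an ad's link really go to the site its display URL names?
// Assumption: a match means the same host, or a subdomain of the displayed
// host. A production check would compare registrable domains using the
// Public Suffix List.

function normalizeHost(host) {
  // Lower-case and drop a trailing dot so "Example.COM." equals "example.com".
  return host.toLowerCase().replace(/\.$/, "");
}

function checkAdLink(displayText, href) {
  let dest;
  try {
    dest = new URL(href); // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: "destination is not a valid absolute URL" };
  }
  if (dest.protocol !== "https:" && dest.protocol !== "http:") {
    return { ok: false, reason: "unexpected scheme " + dest.protocol };
  }
  // "https://brand.example@other.example/" shows a trusted name before the
  // "@", but the browser connects to the host after it.
  if (dest.username || dest.password) {
    return { ok: false, reason: "credentials in URL hide the real host" };
  }
  let shown;
  try {
    // Display URLs are usually written without a scheme, so add one.
    const text = displayText.trim();
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
    shown = new URL(hasScheme ? text : "https://" + text);
  } catch (e) {
    return { ok: false, reason: "display URL cannot be parsed" };
  }
  // The URL parser converts internationalized names to punycode ("xn--..."),
  // so look-alike characters produce a different host and fail the comparison.
  const shownHost = normalizeHost(shown.hostname);
  const destHost = normalizeHost(dest.hostname);
  if (destHost === shownHost || destHost.endsWith("." + shownHost)) {
    return { ok: true, reason: "destination host matches display URL" };
  }
  return { ok: false, reason: "display " + shownHost + " != destination " + destHost };
}
```

The leading dot in the `endsWith` test is what rejects a host such as `nike.example.evil.example`, which merely begins with the displayed name.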

At the end of the day, trust your instincts.

Ad blockers

While ad blockers don’t necessarily protect you from every single malvertising scheme out there (and they certainly won’t protect you from malicious websites on the whole), they’re a good layer of protection to add to your browsing experience.

DNS filtering

It’s easy to avoid malicious links, no matter if they’re in malvertising ads or phishing schemes, when they’re blocked at the DNS level. DNS filtering can assess and block 0-day malvertising attacks.