Towards the end of 2018, the global information company Experian released a number of online ads as part of a new advertising campaign. What they didn’t know was that one of their online ads contained an additional image that was hidden within the ad request and was not visible to the online user. On clicking the ad, innocent users triggered malicious code, which redirected them to a phishing website.
In another instance in 2018, Check Point found a fraudulent advertising campaign that was aimed at thousands of compromised WordPress website users. The campaign redirected the users to an external IP address (18.104.22.168), which was popularly referred to as “Master134.” This IP address was further used to redirect the traffic to a legitimate advertising domain owned by AdsTerra ad network to be sold as traffic for online advertisers.
With the increase in the number of online ads, hackers are using a new type of cyberattack that targets global online ad networks to spread malware or other malicious code among online users. Short for “malicious advertising,” malvertising is, in simple terms, the technique of infecting online ads with various types of malware code that can ultimately infect thousands of connected computers.
Why is malvertising so damaging? Industry statistics for 2018 reveal that malvertising cost online ad publishers around $120 million and online advertisers around $920 million, making for a total loss of around $1.13 billion in 2018. This cost is only expected to increase further in 2019 and beyond. Websites of leading names like the New York Times, London Stock Exchange, and Spotify have also fallen prey to malvertising by displaying malicious ads to their online customers.
Let’s now discuss how malvertising attacks are carried out and how they differ from adware.
What is Malvertising and how does it work?
Malvertising is a fraudulent form of online advertising where hackers embed malicious code within an online ad which is then published on a popular ad network. When online users click the online ad or simply visit their destination page, the malware code is downloaded on their device and proceeds to cause damage.
Malvertising attacks are targeting Android and iPhone smartphone users. In what is referred to as the PayLeak malware attack, ads on leading online newspapers and magazines were used to lure smartphone users to a phishing website using a fake Amazon gift card offer.
Hackers typically use the following two types of malvertising to spread malware through online ads:
- Drive-by Download method
This method of malvertising does not even require the user to click the malicious ad. Simply loading the target webpage downloads the malware to the user’s device without the user’s consent. In one of the earliest successful malvertising attacks, in 2012, this method was used to hit online users of the Los Angeles Times as part of a larger malvertising campaign targeting large news websites.
- Click To Download method
This method of malvertising requires the user to actually click the online ad for the hidden malware code to be downloaded on their device. Malicious ads using this method are made to look like real ads, such as the “Amazon” gift card ad mentioned earlier, or like virus alert ads that entice users to click on them. A recent example of this malvertising method is the 2017 case of the Zirconium Group, which created 28 fake online ad agencies to promote a malvertising campaign resulting in over 1 billion ad views.
Malvertising versus Adware
Because both deal mainly with online advertising, malvertising is often confused with adware (short for ad-based malware). In reality, the two are quite different. Here’s a comparison:
- Malvertising is a form of illegitimate malware code within an online ad running on a publisher’s web page. On the other hand, adware is an illegitimate software program that is running on the user’s device.
- Malvertising infects the user’s device only if the user clicks on the malicious ad or visits an infected website. Meanwhile, adware is hidden within a software tool (for example, a fake Flash player) that may look legitimate (but is not) and is installed along with the main software program on the user’s device.
- Malvertising only impacts a particular infected webpage, while adware affects each and every webpage visited by the user.
How do hackers insert malicious code into online ads?
To execute malvertising, hackers can use a variety of ad sources to insert malware or any malicious code. These include:
- Online ad calls (or ad payload) through a third-party server
- Ad post-clicks leading to the ad landing page
- Ad creatives including text or banner ads
- Pixel code embedded in an ad call or landing page
- Video players or formats such as VAST that can contain a malicious URL on completion of a video play.
- Flash-based videos that have a pre-roll banner
- Landing pages
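As an added illustration (not code from the original article), this Python example shows a publisher-side audit of a VAST response: it lists every URL the video player would load or navigate to and flags those that are not HTTPS or not on an expected-host allowlist, including the tracking URL fired on completion of video play. The sample VAST document, the host names, the allowlist and the function name `audit_vast` are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample VAST response; all hosts are made-up placeholders.
SAMPLE_VAST = """<VAST version="3.0"><Ad id="1"><InLine>
  <Impression><![CDATA[https://ads.example.com/imp?id=1]]></Impression>
  <Creatives><Creative><Linear>
    <TrackingEvents>
      <Tracking event="start"><![CDATA[https://ads.example.com/start]]></Tracking>
      <Tracking event="complete"><![CDATA[http://redirector.example.net/go?u=x]]></Tracking>
    </TrackingEvents>
    <VideoClicks><ClickThrough><![CDATA[https://shop.example.com/offer]]></ClickThrough></VideoClicks>
    <MediaFiles><MediaFile type="video/mp4"><![CDATA[https://cdn.example.com/ad.mp4]]></MediaFile></MediaFiles>
  </Linear></Creative></Creatives>
</InLine></Ad></VAST>"""

# Hypothetical allowlist a publisher might keep for one ad partner.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com", "shop.example.com"}
# VAST elements whose text is a URL the player will load or navigate to.
URL_TAGS = {"Impression", "Error", "Tracking", "ClickThrough", "ClickTracking",
            "MediaFile", "VASTAdTagURI"}

def audit_vast(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (tag, event, url, reason) findings for a VAST document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in VAST")
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        url = (el.text or "").strip()
        if tag not in URL_TAGS or not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("non-https scheme")
        if host not in allowed_hosts:
            reasons.append("host not on allowlist")
        if tag == "VASTAdTagURI":
            reasons.append("wrapper pulls a second ad response; audit it too")
        for reason in reasons:
            findings.append((tag, el.get("event"), url, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_vast(SAMPLE_VAST):
        print(finding)
```

On the constructed sample, only the `complete` tracking URL is reported, once for its scheme and once for its host.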
Taking aim at the growing e-commerce business, cybercriminals successfully targeted the online checkout and payment pages of several small-time retail websites hosted on the Magento platform. Dubbed the “CartThief” attack, the malware code was able to steal personal and financial information of online shoppers from each transaction.
How to protect yourself from malvertising
As an online user, you can use a range of security measures and practices to protect yourself from malvertising, including:
- “Click to play” option on your browser: This disables the automatic play functionality for Flash, QuickTime, and other plugins, thus effectively preventing any drive-by-download form of malvertising. Also, consider deleting (or disabling) browser plugins that you are no longer using.
- Using an ad blocker: Installing an ad blocker on your device effectively prevents online ads from appearing on your screen. You can also configure the ad blocker to allow online ads from selected trusted websites.
- Update your computer or mobile device: Malvertising attacks can be prevented by removing security-related vulnerabilities in your computer or mobile device. Install the latest security patches by updating your operating system, running applications, web browsers, and mobile apps.
- Be wary of suspicious ads: Keep your device safe by thinking before clicking on online ads. Avoid clicking on suspicious-looking ads like virus alerts, scareware, or online get-rich offers that appear too good to be true.
- Purchase a malware removal or an anti-virus tool: Keep your smartphone and computer safe by purchasing an efficient tool that can detect or remove malware or exploit kits that lead to malvertising.
Malvertising: Latest Trends
Starting from the earliest attacks in 2007-2008, malvertising continues to evolve to this date and pose new challenges to cybersecurity experts. Among the latest trends in 2018 and 2019, malvertising is targeting cryptocurrency miners in the form of malicious ads for trading in cryptocurrencies. A January 2018 case study revealed a fraudulent ad campaign (with embedded scripts) for the CoinHive cryptocurrency, resulting in a 285% increase in the number of CoinHive miners. Also referred to as Cryptojacking, the number of infected devices increased by over 300% monthly towards the end of 2018.
Cybercriminals are no longer focusing on online ads or “click frauds” to implement malvertising but are extending their reach through “bad bots,” which makes detection more challenging. Thanks to evolving technology, a malvertising campaign can now be run like any other “traditional” online ad campaign.
Apple and Android phone users are also being targeted for malvertising through the use of forced redirects and Trojanized mobile apps.
With the increasing variety and complexity of online malvertising attacks, online customers, ad publishers, and online advertisers are realizing the enormous risk that these attacks pose to their business revenue and reputation. Only a well-designed and comprehensive cybersecurity solution can prepare them to mitigate such attacks or recover from their unfortunate consequences.