
Malvertising rise pushes ad industry to action

May 29, 2014 06:30 AM ET

Second, malware distributors may use the ad's JavaScript to make a call to another site and deliver the malicious code after the fact. Or, finally, the ad may simply point to a site that's infected with malware. "They get people to click on an ad that takes them to a landing site where the malicious software is installed," he says.

Publishers and ad networks can deploy tools from security vendors such as The Media Trust and DoubleVerify that inspect ads for malvertising and scan associated ad tags -- embedded code that tells the browser where to retrieve an ad -- to verify the location. But not every ad network uses the tools, and a malvertising ad may link to an affiliate or partner that in turn links to another site, cascading as much as four levels deep.

"If all the ad is doing is sending traffic somewhere, you may miss the fact that the attack is happening on the third or fourth hop," says Blue Coat's Larsen. "It's rare to trace it back to a web ad company. It's almost always some other site."
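The blind spot Larsen describes can be shown with a small offline audit that checks every hop of a redirect chain rather than only the ad tag's first destination. This is an added example, not code from the article or from any vendor it names; the redirect map, host names and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: each URL maps to the URL it redirects to
# (None marks the final landing page). All hosts are reserved example names.
REDIRECTS = {
    "https://ads.network.example/tag?id=1": "https://partner.example/serve",
    "https://partner.example/serve": "https://affiliate.example/r",
    "https://affiliate.example/r": "https://tracker.invalid/go",
    "https://tracker.invalid/go": "https://landing.invalid/index",
    "https://landing.invalid/index": None,
}
# Hypothetical allowlist of hosts the publisher has vetted.
APPROVED_HOSTS = {"ads.network.example", "partner.example", "affiliate.example"}


def trace_chain(start, redirects, max_hops=10):
    """Follow redirects from an ad tag URL; stop at a dead end, a loop or max_hops."""
    chain, seen, url = [], set(), start
    while url is not None and url not in seen and len(chain) <= max_hops:
        chain.append(url)
        seen.add(url)
        url = redirects.get(url)
    return chain


def unapproved_hops(chain, approved_hosts):
    """Return (hop_number, host) for each chain entry whose host is not approved.

    Hop 0 is the ad tag itself; hop 1 is its first redirect target, and so on.
    """
    findings = []
    for hop, url in enumerate(chain):
        host = urlsplit(url).hostname
        if host not in approved_hosts:
            findings.append((hop, host))
    return findings


if __name__ == "__main__":
    chain = trace_chain("https://ads.network.example/tag?id=1", REDIRECTS)
    # A check limited to the tag and its first destination sees nothing wrong.
    print("first hop only:", unapproved_hops(chain[:2], APPROVED_HOSTS))
    # Auditing the whole chain surfaces the unvetted third and fourth hops.
    print("full chain:    ", unapproved_hops(chain, APPROVED_HOSTS))
```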

In the case of the malvertising that affected the L.A. Times and other sites last fall, the cyber criminals used more than 275 different sites to deliver the malware, with the number of affected host websites in the "low hundreds." Those sites received thousands of hits per day, according to Larsen.

The user's browser was redirected through four hops to a "drive-by download" site that used an exploit kit to check for known vulnerabilities. "If you were vulnerable you would be infected without ever clicking on anything," Larsen explains. Blue Coat researchers discovered the sites as part of an ongoing search for sites using exploit kits and then traced the traffic backwards to the ad networks and publisher sites that had inadvertently carried the malvertising, Larsen says.

A spokesperson for The Media Trust says the company also had detected the malvertising attacks and notified its customers when they appeared so they could block them. It says its software was not in use by the affected publishers and the ad networks.

Mobile devices can also fall victim to malvertising that uses social engineering tactics to get the user to bypass existing protections against malware apps. These ads mimic user interface elements of the mobile operating system, such as system messages or pop-ups, in order to mislead the user into taking specific actions, says Botezatu.

Sizing up the problem

Just how big is the malvertising problem? Opinions vary, and while anecdotes abound, hard numbers on the scope of the problem are hard to come by. The Online Trust Alliance (OTA), a nonprofit advocacy group that says its mission is to build trust online, estimates that fewer than 1% of all online ads involve malvertising of some sort.

That number might sound small, but each ad is typically served up many times. "A single incident of malvertising can equate to several hundred thousand exploits," says Craig Spiezle, OTA executive director. In 2012, the OTA estimated, the industry delivered more than 10 billion ad impressions containing malvertising.

But there are no hard numbers, in part because figuring out which malware infections came from malvertising isn't easy. While it's hard to get a handle on the full scope of the problem, Botezatu is certain about one thing: "The problem is definitely not decreasing."

One Blue Coat Systems client, which research architect Chris Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. "They were concerned about malware coming in from this vector and not being able to stop it," he says.

Certainly the issue has grown large enough to have the IAB's full attention. And part of that may be the potential negative impact of even a few widely publicized incidents. A high-profile infection such as the Yahoo attack can have consequences for both publishers and the online advertising industry. "The Yahoo incident, a portal visited by millions of people a day... takes the game to a whole new level," says Botezatu.

The problem appears to be increasing in the mobile arena as well. According to research by security software vendor RiskIQ, the incidence of malicious apps increased 388% from 2011 to 2013, and malvertising is an increasingly common technique that cyber criminals use to deliver those apps.

Around 7% of the threats Bitdefender blocked in the last month were Android packages delivered by way of mobile advertising that "falsely claimed that those devices had been infected," Botezatu says. In this scheme, a pop-up dialog, which looks like it was generated by the Android operating system, prompts the user to take action that will supposedly remove the virus.


