Malvertising rise pushes ad industry to action
Publishers and ad networks can deploy tools from security vendors such as The Media Trust and DoubleVerify that inspect ads for malvertising and scan associated ad tags -- embedded code that tells the browser where to retrieve an ad -- to verify the location. But not every ad network uses the tools, and a malvertising ad may link to an affiliate or partner that in turn links to another site, cascading as many as four levels deep.
"If all the ad is doing is sending traffic somewhere, you may miss the fact that the attack is happening on the third or fourth hop," says Blue Coat's Larsen. "It's rare to trace it back to a web ad company. It's almost always some other site."
In the case of the malvertising that affected the L.A. Times and other sites last fall, the cyber criminals used more than 275 different sites to deliver the malware, with the number of affected host websites in the "low hundreds." Those sites received thousands of hits per day, according to Larsen.
The user's browser was redirected through four hops to a "drive-by download" site that used an exploit kit to check for known vulnerabilities. "If you were vulnerable you would be infected without ever clicking on anything," Larsen explains. Blue Coat researchers discovered the sites as part of an ongoing search for sites using exploit kits and then traced the traffic backwards to the ad networks and publisher sites that had inadvertently carried the malvertising, Larsen says.
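The hop-by-hop problem described above, as an added example that is not from the article or from any vendor it names: a scanner that follows an ad tag through HTTP redirects, meta refreshes and iframes, then checks every hop against a reputation list rather than only the first destination. The URLs, responses and FLAGGED_HOSTS list are constructed, and all function names are hypothetical.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses standing in for live HTTP fetches: url -> (status, headers, body).
# All hosts use the reserved .example TLD; the last one stands for the final landing site.
RESPONSES = {
    "https://ads.network.example/tag?id=1": (302, {"Location": "https://partner.example/r"}, ""),
    "https://partner.example/r": (200, {}, '<meta http-equiv="refresh" content="0; url=//affiliate.example/go">'),
    "https://affiliate.example/go": (302, {"Location": "https://tds.example/in"}, ""),
    "https://tds.example/in": (200, {}, '<iframe src="https://landing.example/dl"></iframe>'),
    "https://landing.example/dl": (200, {}, "<html>landing page</html>"),
}
FLAGGED_HOSTS = {"landing.example"}  # constructed reputation list

META = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)
IFRAME = re.compile(r'<iframe[^>]+src=["\']([^"\']+)', re.I)

def fetch(url):
    return RESPONSES.get(url, (404, {}, ""))  # unknown URLs end the chain

def next_hop(url):
    """Return the absolute URL this response sends the browser to, or None."""
    status, headers, body = fetch(url)
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META.search(body) or IFRAME.search(body)
    return urljoin(url, m.group(1)) if m else None

def trace(tag_url, max_hops=10):
    chain, seen = [tag_url], {tag_url}
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in seen:  # end of chain or redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def audit(tag_url, depth_checked=None):
    """Check hosts up to depth_checked hops (None = every hop) against the list."""
    hosts = [urlsplit(u).hostname for u in trace(tag_url)]
    inspected = hosts if depth_checked is None else hosts[:depth_checked + 1]
    return {"hops": len(hosts) - 1, "hosts": hosts,
            "flagged": [h for h in inspected if h in FLAGGED_HOSTS]}

if __name__ == "__main__":
    print(audit("https://ads.network.example/tag?id=1", depth_checked=1))
    print(audit("https://ads.network.example/tag?id=1"))
```

A check limited to the first hop reports nothing for this chain; only the full trace reaches the flagged host on the fourth hop.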
A spokesperson for The Media Trust says the company also had detected the malvertising attacks and notified its customers when they appeared so they could block them. It says its software was not in use by the affected publishers and the ad networks.
Mobile devices can also fall victim to malvertising that uses social engineering tactics to get the user to bypass existing protections against malware apps. These ads mimic user interface elements of the mobile operating system, such as system messages or pop-ups, in order to mislead the user into taking specific actions, says Botezatu.
Sizing up the problem
Just how big is the malvertising problem? Opinions vary, and while anecdotes abound, hard numbers on the scope of the problem are hard to come by. The Online Trust Alliance (OTA), a nonprofit advocacy group that says its mission is to build trust online, estimates that fewer than 1% of all online ads involve malvertising of some sort.
That number might sound small, but each ad is typically served up many times. "A single incident of malvertising can equate to several hundred thousand exploits," says Craig Spiezle, OTA executive director. In 2012, the OTA estimated, the industry delivered more than 10 billion ad impressions containing malvertising.
But there are no hard numbers, in part because figuring out which malware infections came from malvertising isn't easy. While it's hard to get a handle on the full scope of the problem, Botezatu is certain about one thing: "The problem is definitely not decreasing."
Certainly the issue has grown large enough to have the IAB's full attention. And part of that may be the potential negative impact of even a few widely publicized incidents. A high-profile infection such as the Yahoo attack can have consequences for both publishers and the online advertising industry. "The Yahoo incident, a portal visited by millions of people a day... takes the game to a whole new level," says Botezatu.
The problem appears to be increasing in the mobile arena as well. According to research by security software vendor RiskIQ, the incidence of malicious apps increased 388% from 2011 to 2013, and malvertising is an increasingly common technique that cyber criminals use to deliver those apps.
Around 7% of the threats Bitdefender blocked in the last month were Android packages delivered by way of mobile advertising that "falsely claimed that those devices had been infected," Botezatu says. In this scheme, a pop-up dialog, which looks like it was generated by the Android operating system, prompts the user to take action that will supposedly remove the virus.