Malvertising

Revision as of 14:49, 22 May 2020 by User

Malvertising is a malicious cyber tactic that attempts to distribute malware through online advertisements. Online advertising is a vital source of income to many websites and internet properties. With demand higher than ever, online networks have become expansive and complex in order to effectively reach large online audiences. A relatively new cyber threat, malvertising takes advantage of these pathways and uses them as a dangerous tool that requires little input from its victims.[1]


Overview of Malvertising[2]
When websites or web publishers unknowingly incorporate corrupted or malicious advertisements into their pages, computers can become infected pre-click and post-click. It is a misconception that infection only happens when visitors begin clicking on a malvertisement. Examples of pre-click malware include malware embedded in the main scripts of the page and drive-by downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site, which could be malicious. Malware can also be found in the delivery of an ad, where a clean ad that has no malware pre- or post-click (in its build and design) can still be infected whilst being called. Malicious code can hide undetected and the user has no idea what's coming their way.

A post-click malvertisement example: "the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web." Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. An attacker only needs to co-opt a redirection that is already taking place in order to infect a user's computer.

Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations."

Some malvertisements can infect a vulnerable computer even if the user never clicks on the (normal-appearing) advertisement.
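The pre-click auto redirects and drive-by downloads described above depend on what the embedding page lets an ad frame do. The following is an added example, not code from the cited sources: a publisher-side audit of the `sandbox` attribute on ad iframes. The slot names and attribute values are constructed for illustration.

```javascript
// Added example: audit the sandbox attribute of third-party ad iframes.
// Slot ids and attribute values below are constructed sample data.

// Sandbox tokens that widen what ad code can do without the user's intent.
const RISKY_TOKENS = {
  'allow-top-navigation': 'script can redirect the whole page without a click',
  'allow-downloads': 'frame can start a file download',
  'allow-popups-to-escape-sandbox': 'popups it opens are not sandboxed',
};

function auditAdFrame(sandbox) {
  // null mirrors iframe.getAttribute('sandbox') when the attribute is absent.
  if (sandbox === null || sandbox === undefined) {
    return { verdict: 'unsandboxed',
             findings: ['no sandbox attribute: ad code is unrestricted'] };
  }
  // Tokens are space-separated and ASCII case-insensitive.
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  // Only matters when the ad is served from the page's own origin.
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: ' +
                  'a same-origin frame can remove its own sandbox');
  }
  return { verdict: findings.length ? 'risky' : 'restricted', findings };
}

// Constructed sample: sandbox values as read from three ad slots on a page.
const slots = [
  { id: 'leaderboard', sandbox: null },
  { id: 'sidebar', sandbox: 'allow-scripts allow-popups allow-top-navigation' },
  { id: 'footer',
    sandbox: 'allow-scripts allow-popups allow-top-navigation-by-user-activation' },
];

function auditSlots(list) {
  return list.map((s) => ({ id: s.id, ...auditAdFrame(s.sandbox) }));
}

for (const r of auditSlots(slots)) {
  console.log(r.id, r.verdict, r.findings);
}
```

In a browser the same function can be fed `frame.getAttribute('sandbox')` for each ad iframe; the `footer` slot shows the setting that still lets a clicked ad navigate while blocking script-initiated redirects.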


How Malvertising Works[3]
Malvertising has continued learning new tricks since it was first seen in the wild in late 2007 or early 2008. Back then, a vulnerability in Adobe Flash allowed attackers to distribute malicious advertising through several websites, including MySpace.

A few years later, in 2011, one of the first cases of a drive-by download was uncovered. Spotify was at the center of a malvertising attack that used the notorious Blackhole exploit kit, which was available for rent for a few hundred dollars a month.

Throughout the years, however, malvertising’s modus operandi has remained the same. Typically, attackers buy ad space from ad agencies and then submit infected images hoping not to get caught. Sometimes, they start by sending a legitimate ad first, and insert malicious code later. After they infect enough people, they can clean up after themselves and remove the bad code.

These cybercriminals often take advantage of the complex mechanisms used by the advertising industry. In many cases, there can be a long supply chain between the advertiser and the publisher that includes an ad network and one or more resellers. As recent malvertising attacks have shown, this entire supply chain can be manipulated. Security company Check Point Software Technologies noticed that a legitimate online advertising company might have been at the center of a malvertising scheme.

In July 2018, Check Point researchers uncovered a massive operation that distributed malvertising to users who visited thousands of compromised WordPress websites. The ads had malicious JavaScript code that exploited unpatched vulnerabilities in browsers and browser plug-ins, including Adobe Flash Player. These attackers used multiple exploit kits, including the prolific RIG, which combines different web technologies (DoSWF, JavaScript, Flash and VBScript) to obfuscate attacks.

Check Point noticed something even more alarming. “AdsTerra, a famous ad-network company, has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities,” Check Point wrote on its website.

Dangu has noticed that malvertisers build relationships with the most reputable ad platforms. “There's a growing awareness in the ad tech industry that it is infected by malvertisers at its core,” he says. “Whenever a malicious ad gets served to a user, it evaded multiple layers of detection through the ad tech ecosystem.”

Sometimes, cybercriminals don’t even need to go through this whole process if they can hack large websites directly, tricking them into serving malicious ads to visitors. This happened, for instance, to Equifax right after its notorious breach, as security blogger Randy Abrams discovered.

From a regular user’s perspective, malicious ads are compelling because they often provoke strong emotions and promote calls-to-action. They can also promise products at a bargain, including an iPhone for just $1, tricking users into giving their credit card data.

Confiant found that malvertising activity is 36 percent higher during weekends, with Sunday being the day of the week malvertisers prefer to attack. Holidays and shopping seasons such as Black Friday, when people are actively looking for discounts, also see a spike in malvertising.


Figure: Malvertising (source: Malwarebytes)


Malvertising vs. Ad malware[4]
Malvertising is often confused with ad malware, or adware, another form of malware affecting online advertisements.

Adware is a program running on a user’s computer. It’s usually packaged with other, legitimate software, or is installed without the user’s knowledge. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.

Differences between malvertising and ad malware include:

  - Malvertising involves malicious code which is initially deployed on a publisher’s web page. Adware, however, is only used to target individual users.
  - Malvertising only affects users viewing an infected webpage. Adware, once installed, operates continuously on a user’s computer.

  1. Definition - What Does Malvertising Mean? Forcepoint
  2. Overview of Malvertising Wikipedia
  3. How Malvertising Works CSO Online
  4. Malvertising vs. Ad malware Imperva