Last week we discussed drive-by downloads, a particularly nasty way of having one's computer infected, because by the time the infection is discovered it is too late. As a recap, a drive-by download is an infection vector that allows malware to infect a system through an exploit in a browser, browser plugin, or other vulnerable piece of software on a system, all without user interaction, just by visiting a compromised website.
Another way attackers are starting to distribute their malicious software is through malvertising. Malvertising is a fairly recent phenomenon that relies on the state of Internet advertising to spread malware. But first, let us answer the big question.
What is Malvertising?
Malvertising is a malicious advertisement that infects a computer either by taking advantage of a vulnerability present on it, much like a drive-by download, or by redirecting an unsuspecting user to a malicious website. Malvertising is dangerous because one can be infected by visiting what almost everyone would consider a trustworthy website. That is the entire intent of malvertising attackers: increase infection rates by having their advertisements displayed on prominent websites that receive thousands or hundreds of thousands of visits per day. Websites like Yahoo, MSN, and the Huffington Post have all unknowingly served malvertisements at one point.
Malvertisements often rely on zero-day exploits (unpatched vulnerabilities of which the software developer is unaware) to begin most infections. Zero-day exploits are a favorite of attackers because a new, unknown issue has no patch yet, so everyone who runs the affected software is vulnerable. In this case an attacker would not have to rely on an older attack and hope that the victim has an out-of-date plugin or browser installed. But zero-day exploits are far rarer and often require a lot of work to find, making them less economical for the attacker. Most malvertisements rely on older exploits, so keeping one's operating system, browser, plugins, and other software up-to-date can go a long way toward preventing malvertisements from working.
How Malicious Advertisements Happen
Internet advertisements are not served by the originating website. They are typically published by an advertising broker and supplied by an advertising network. The original website sets aside space in its layout, and when the page loads in a browser the advertisements are downloaded from the advertising network's servers. There is more complexity between the advertising broker and the advertising network, but we will forgo these details for the sake of brevity. Overall, this setup allows the advertising broker and network to track impressions and clicks, and it saves bandwidth for the original site owner.
This almost seems like a win-win until you take into account how some advertising networks review submitted advertisements. A lot of networks attempt to keep costs down by letting people upload advertisements onto their networks through an automated system. Because of this automation, with only random spot checks, a lot of advertisements submitted to larger advertising networks are never reviewed before they reach a webpage. Some of them are malicious.
Another way for an attacker to inject malicious advertisements into a network is to simply hack into one of its servers and place the advertisement directly in its database. One such weak platform, OpenX, had a well-known vulnerability which, if exploited, would give attackers administrative access to the server. Once in, attackers would often redirect legitimate advertisements to a malicious website or a phishing website.
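To see how much of a page's content actually comes from servers the site owner does not control, here is an added example (not from the original post) that lists every script, iframe, and image a saved page loads from a host outside the site's own domain. The page markup and the hostnames in it are constructed for illustration; a practitioner would point it at a saved copy of a real page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party ad slot whose content is
# filled from an ad broker and an ad network (hostnames are made up).
SAMPLE_PAGE = """
<html><body>
<h1>News</h1>
<script src="/js/site.js"></script>
<div id="ad-slot">
  <script src="https://ads.broker.example/tag.js"></script>
  <iframe src="https://cdn.adnet.example/creative/123"></iframe>
</div>
<img src="https://static.news.example/logo.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the URL of every script, iframe, and image the page loads."""

    TAGS = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def third_party_resources(html, page_url):
    """Return (tag, host) for each resource served from outside the site's domain."""
    site = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    found = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        # Relative URLs (no host) and subdomains of the site are first-party.
        if host and host != site and not host.endswith("." + site):
            found.append((tag, host))
    return found


if __name__ == "__main__":
    for tag, host in third_party_resources(SAMPLE_PAGE, "https://news.example/"):
        print(f"{tag:<6} loaded from third party: {host}")
```

Everything the function reports is content the site owner never reviewed; the ad slot's script and iframe are exactly the path a malvertisement takes onto an otherwise trustworthy page.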
Some of our IT/365 Managed Service packages include features that allow us to keep all your systems up-to-date, along with much of your third-party software, without you having to worry about it. You will know all of your systems and employees are as protected as they possibly can be with a top-ranked antivirus and the latest patches, all backed by our monitoring systems that never sleep.
If you are curious about how you can protect yourself from this new threat do not hesitate to contact us.