Malvertising

Last updated

An example of a malicious advertisement, claiming that the computer is infected Malvertising.svg
An example of a malicious advertisement, claiming that the computer is infected

Malvertising (a portmanteau of "malicious software (malware) advertising") is the use of online advertising to spread malware. [1] It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. [2] Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. [3] [4] Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'." [5]

Contents

Malvertising can be extremely hard to combat because it can quietly work its way into a webpage or advertisement on a webpage and spread unknowingly: "The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from... infections delivered through malvertising silently travel through Web page advertisements." [6] It is able to expose millions of users to malware, even the most cautious, and is growing rapidly: "In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising." [2] Attackers have a very wide reach and are able to deliver these attacks easily through advertisement networks. Companies and websites have had difficulty diminishing the number of malvertising attacks, which "suggests that this attack vector isn’t likely to disappear soon." [5]

Overview

When websites or web publishers unknowingly incorporate corrupted or malicious advertisements into their page, computers can become infected pre-click and post-click. It is a misconception that infection only happens when visitors begin clicking on a malvertisement. "Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site (without user interaction, such as clicking on them), which could be malicious. Malware can also be found in the delivery of an ad – where a clean ad that has no malware pre- or post-click (in its build and design) can still be infected whilst being called. [7] Malicious code can hide undetected and the user has no idea what's coming their way. A post-click malvertisement example: "the user clicks on the ad to visit the advertised site, and instead is directly infected or redirected to a malicious site. These sites trick users into copying viruses or spyware usually disguised as Flash files, which are very popular on the web." [8] Redirection is often built into online advertising, and this spread of malware is often successful because users expect a redirection to happen when clicking on an advertisement. A redirection that is taking place only needs to be co-opted in order to infect a user's computer. [1]

Malvertising affects every part of the digital advertising chain differently. From platforms to publishers, and all the way down to the end-user who may have been the victim of a malvertising attack, everyone is affected. [9] Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations." [8]

Some malvertisements can infect a vulnerable computer even if the user never clicks on the (normal-appearing) advertisement. [10]

History

The first recorded sightings of malvertising were in late 2007 and early 2008. The threat was based on a vulnerability in Adobe Flash (something that has continued into the late 2010s [11] ) and affected a number of platforms including MySpace, Excite and Rhapsody. In 2009, the online edition of The New York Times Magazine was found to be serving an ad that was part of a larger click fraud scam that created a botnet network of malware-infected computers, nicknamed the Bahama botnet, that then went on to be used to carry out click fraud on pay per click ads all over the web. The banner feed of The New York Times was hacked for the weekend of September 11 to 14, causing some readers to see advertisements telling them their systems were infected and trying to trick them into installing rogue security software on their computers. According to spokeswoman Diane McNulty, "The culprit approached the newspaper as a national advertiser and had provided apparently legitimate ads for a week", and the ads were switched to the virus alert malvertisement afterwards. The New York Times then suspended third-party advertisements to address the problem, and even posted advice for readers regarding this issue on its technology blog. [12]

In 2010, malvertising took off. Marketing analysts ClickZ [13] noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3500 sites carrying malware. In the same year the Online Trust Alliance [14] formed a cross industry Anti-Malvertising Task Force. In 2011, Spotify had a malvertising attack which used the Blackhole exploit kit – this was one of the first instances of a drive-by download, where a user does not even have to click on an ad to become infected with malware. Symantec added malvertising as a section in their Internet Security Threat Report 2013 in 2012. [15] Symantec used scanning software across a series of websites and detected that half of them were infected with malvertising. In 2012, the Los Angeles Times was hit by a massive malvertising attack which used the Blackhole exploit kit to infect users. It was seen as part of a general campaign of malvertising to hit large news portals – this strategy carried on into subsequent years with attacks on huffingtonpost.com and The New York Times. The growing intensity of malvertising continued in 2013, when a major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion. The malware exploit was based on the commonly used web attack, Cross-site scripting (XSS), number three in the top ten web attacks types identified by the Open Web Application Security Project [16] (OWASP). The attack infected users' machines with the ransomware Cryptowall, a type of malware that extorts money from users by encrypting their data and placing a ransom of up to $1000 in bitcoins, to be paid in seven days, to decrypt the data. In 2014, there were major malvertising campaigns on the DoubleClick and Zedo ad networks. Various news portals, including The Times of Israel and the Hindustan Times , were affected. As in previous attacks the cybercrime involved Cryptowall as the malware infection. This spate of malvertising was believed to have brought over $1 million of ransom money in by infecting over 600,000 computers. [17]

According to McAfee's February 2015 Threat Report, malvertising was beginning to grow quickly on mobile platforms in late 2014 and early 2015. [18] Additionally, in 2015, there were malvertising campaigns on eBay, Answers.com, talktalk.co.uk, and wowhead.com, among others. The campaigns involved breaches of ad networks, including DoubleClick and engage:BDR. There was also a report of possibly the first "political malvertising" campaign by pro-Russian activists, which was based on a botnet, which then forced users' machines to visit bogus sites that generated ad revenue for the activists. The users also ended up at several pro-Russian propaganda videos. [19]

In 2021, ransomware gang REvil was spotted using paid positioning in Google search results to deliver malicious files to victims. [20] Malvertising cash or cryptocurrency giveaway campaigns with actors masquerading as popular figures including YouTuber MrBeast, Elon Musk, and others have been seen across many advertising platforms and social media sites. [21] [22] In 2022, reports surfaced of Native advertising on google search masquerading to be various software download pages (oftentimes open source), leading users to instead download ransomware, info stealer, or redirect them to tech support scams [23] [24] [25]

More examples of malicious advertisements

Several popular websites and news sources have been victims to malvertising and have had malicious advertisements placed on their webpages or widgets unknowingly, including Horoscope.com, The New York Times , [26] the London Stock Exchange, Spotify, and The Onion . [5]

Types and modes

By visiting websites that are affected by malvertising, users are at risk of infection. There are many different methods used for injecting malicious advertisements or programs into webpages:

Preventive measures

There are several precautions that people can take to reduce their chances of getting tricked by these advertisements. Commonly used programs such as Adobe Flash Player and Adobe Reader can and have had their flaws exploited, and become vulnerable to attacks, so it is important to avoid them, or at least keep them up to date. [32] Users can also download anti-virus software that protects against threats and removes malicious software from their systems. Users can also push companies and websites to scan advertisements before making them active on their webpages. [2] Users can also use ad blocking software to avoid downloading the malware contained in advertisements [33] or a specific browser extension alerting malvertising campaigns. [34]

See also

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

CoolWebSearch is a spyware or virus program that installs itself on Microsoft Windows based computers. It first appeared in May 2003.

<span class="mw-page-title-main">Pop-up ad</span> Form of online advertising

Pop-up ads or pop-ups are forms of online advertising on the World Wide Web. A pop-up is a graphical user interface (GUI) display area, usually a small window, that suddenly appears in the foreground of the visual interface. The pop-up window containing an advertisement is usually generated by JavaScript that uses cross-site scripting (XSS), sometimes with a secondary payload that uses Adobe Flash. They can also be generated by other vulnerabilities/security holes in browser security.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods.

Online advertising, also known as online marketing, Internet advertising, digital advertising or web advertising, is a form of marketing and advertising that uses the Internet to promote products and services to audiences and platform users. Online advertising includes email marketing, search engine marketing (SEM), social media marketing, many types of display advertising, and mobile advertising. Advertisements are increasingly being delivered via automated software systems operating across multiple websites, media services and platforms, known as programmatic advertising.

Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

In computer security, a drive-by download is the unintended download of software, typically malicious software. The term "drive-by download" usually refers to a download which was authorized by a user without understanding what is being downloaded, such as in the case of a Trojan horse. In other cases, the term may simply refer to a download which occurs without a user's knowledge. Common types of files distributed in drive-by download attacks include computer viruses, spyware, or crimeware.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

<span class="mw-page-title-main">Malwarebytes</span> Internet security company

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

An exploit kit is a tool used for automatically managing and deploying exploits against a target computer. Exploit kits allow attackers to deliver malware without having advanced knowledge of the exploits being used. Browser exploits are typically used, although they may also include exploits targeting common software, such as Adobe Reader, or the operating system itself. Most kits are written in PHP.

<span class="mw-page-title-main">Locky</span>

Locky is ransomware malware released in 2016. It is delivered by email with an attached Microsoft Word document that contains malicious macros. When the user opens the document, it appears to be full of gibberish, and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, they save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.

Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites through the means of altering the DNS settings of a victim's computer. The malware strain was first discovered by Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.

Adrozek is malware that injects fake ads into online search results. Microsoft announced the malware threat on 10 December 2020, and noted that many different browsers are affected, including Google Chrome, Microsoft Edge, Mozilla Firefox and Yandex Browser. The malware was first detected in May 2020 and, at its peak in August 2020, controlled over 30,000 devices a day. But during the December 2020 announcement, Microsoft claimed "hundreds of thousands" of infected devices worldwide between May and September 2020.

References

  1. 1 2 Salusky, William (December 6, 2007). "Malvertising". SANS ISC. Retrieved September 11, 2019.
  2. 1 2 3 4 5 "Anti-Malvertising". Online Trust Alliance. Archived from the original on December 15, 2013. Retrieved September 11, 2019.
  3. Johnson, Bobbie (September 25, 2009). "Internet companies face up to 'malvertising' threat". The Guardian . Retrieved September 11, 2019.
  4. "The rise of malvertising and its threat to brands". Deloitte. 2009. Archived from the original on July 22, 2011. Retrieved September 11, 2019.
  5. 1 2 3 Zeltser, Lenny (June 6, 2011). "Malvertising: Some Examples of Malicious Ad Campaigns" . Retrieved September 11, 2019.
  6. "Five-month malvertising campaign serves up silent infections". Infosecurity. Reed Exhibitions Ltd. February 12, 2013. Retrieved September 11, 2019.
  7. Vuijsje, Eliana (August 31, 2015). "What is Malvertising (Malware) Detection in Online Advertising, Part I". Archived from the original on April 16, 2021. Retrieved September 11, 2019.
  8. 1 2 "A rising security threat: Malvertising". Bullguard. Retrieved September 11, 2019.
  9. clean.io, Sent with 💙 by. "Malvertising Resource Center | cleanAD". www.clean.io.
  10. Siciliano, Robert (April 8, 2014). "Business Identity Theft; Big Brand, Big Problems". Huffington Post . Retrieved September 11, 2019.
  11. Yurieff, Kaya (July 25, 2017). "So long, Flash: Adobe will kill plug-in by 2020". CNNMoney. Retrieved September 25, 2020.
  12. Picchi, Aimee (September 14, 2009). "Malvertising hits The New York Times". The Daily Finance. Archived from the original on April 21, 2016. Retrieved September 11, 2019.
  13. Kaye, Kate (February 10, 2011). "Billions of Web Ads Carried Malware in 2010" . Retrieved September 11, 2019.
  14. "Online Trust Alliance Forms Cross-Industry Anti-Malvertising Task Force". Reuters. September 8, 2010. Archived from the original on March 27, 2016. Retrieved September 11, 2019.
  15. "Symantec Internet Security Threat Report 2013" (PDF). April 2013. Archived from the original (PDF) on June 5, 2014. Retrieved September 11, 2019.
  16. "Category:OWASP Top Ten Project" . Retrieved September 11, 2019.
  17. Constantin, Lucian (August 29, 2014). "CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files" . Retrieved September 11, 2019.
  18. "McAfee Labs Threats Report February 2015" (PDF). Archived from the original (PDF) on March 4, 2016. Retrieved September 11, 2019.
  19. Connell, Michael; Vogler, Sarah (February 1, 2017). Russia's Approach to Cyber Warfare (1Rev) (Report). Archived from the original on April 20, 2021.
  20. "Ransomware gangs use SEO poisoning to infect visitors". BleepingComputer. Retrieved October 29, 2021.
  21. "Mr Beast $1000 giveaway: website scam & pop-up removal". MySpyBot. July 6, 2021. Retrieved December 19, 2021.
  22. "How to Avoid Cryptocurrency Scams". PCMAG. Retrieved December 19, 2021.
  23. "Malvertising on Google Ads is a growing problem that isn't going away". techmonitor. Claudia Glover. January 18, 2023. Retrieved February 13, 2023.
  24. Ilascu, Ionut. "Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner". bleepingcomputer. Retrieved February 13, 2023.
  25. "Google ads lead to major malvertising campaign". Malwarebytes. July 19, 2022. Retrieved February 13, 2023.
  26. Johnson, Bobbie (September 25, 2009). "Internet companies face up to 'malvertising' threat". The Guardian. Retrieved September 11, 2019.
  27. Jyotiyana, Priya; Maheshwari, Saurabh (2016). "A Literature Survey on Malware and Online Advertisement Hidden Hazards". In Corchado Rodriguez, Juan Manuel; Mitra, Sushmita; Thampi, Sabu M.; El-Alfy, El-Sayed (eds.). Intelligent Systems Technologies and Applications 2016. Advances in Intelligent Systems and Computing. Vol. 530. Cham: Springer International Publishing. pp. 449–460. doi:10.1007/978-3-319-47952-1_35. ISBN   978-3-319-47952-1.
  28. Jyotiyana, Priya; Maheshwari, Saurabh (2016). "A Literature Survey on Malware and Online Advertisement Hidden Hazards". In Corchado Rodriguez, Juan Manuel; Mitra, Sushmita; Thampi, Sabu M.; El-Alfy, El-Sayed (eds.). Intelligent Systems Technologies and Applications 2016. Advances in Intelligent Systems and Computing. Vol. 530. Cham: Springer International Publishing. pp. 449–460. doi:10.1007/978-3-319-47952-1_35. ISBN   978-3-319-47952-1.
  29. 1 2 3 4 Sood, Aditya; Enbody, Richard (April 2011). "Malvertising - exploiting web advertising" (PDF). Computer Fraud and Security: 11–16. ISSN   1361-3723 . Retrieved September 11, 2019.
  30. 1 2 Finley, Klint (July 26, 2010). "Report: The 3 Biggest Enterprise Website Malware Vulnerabilities". ReadWrite Enterprise. Retrieved September 11, 2019.
  31. Jyotiyana, Priya; Maheshwari, Saurabh (2016). "A Literature Survey on Malware and Online Advertisement Hidden Hazards". In Corchado Rodriguez, Juan Manuel; Mitra, Sushmita; Thampi, Sabu M.; El-Alfy, El-Sayed (eds.). Intelligent Systems Technologies and Applications 2016. Advances in Intelligent Systems and Computing. Vol. 530. Cham: Springer International Publishing. pp. 449–460. doi:10.1007/978-3-319-47952-1_35. ISBN   978-3-319-47952-1.
  32. Richmond, Riva (May 20, 2010). "Five Ways to Keep Online Criminals at Bay". Personal Tech. The New York Times. Retrieved September 11, 2019.
  33. Nichols, Shaun (August 14, 2015). "You've been Drudged! Malware-squirting ads appear on websites with 100+ million visitors". The Register. Retrieved September 11, 2019.
  34. George, Thomas (October 9, 2015). "Malvertising up 325% – Are the AdBlockers Working?". Check&Secure. Archived from the original on January 30, 2016. Retrieved September 11, 2019.