Malvertising definition
Malvertising, a word that blends malware with advertising, refers to a technique cybercriminals use to target people covertly. Typically, they buy ad space on trustworthy websites, and although their ads appear legitimate, they have malicious code hidden inside them. Bad ads can redirect users to malicious websites or install malware on their computers or mobile devices.
Some of the world’s most popular websites, including those of the New York Times, Spotify and the London Stock Exchange, have inadvertently displayed malicious ads, putting their users in jeopardy. What’s worrying is that people can get infected even if they don’t click on the images: often it’s enough for the ad simply to load. This method is called a “drive-by download,” because all a victim has to do is “drive by” a web page.
Cyber criminals use malvertising to deploy various forms of money-making malware, including ransomware, cryptomining scripts or banking Trojans. Some schemes install scripts that execute click-fraud operations in the background. For attackers, this endeavor can be very profitable. “Today, malvertising groups are highly organized businesses,” says Jerome Dangu, co-founder and CTO of Confiant, a company that develops solutions against bad ads.
Malvertising vs adware
Malvertising is sometimes confused with adware. Malvertising refers to malicious code initially included in ads, which affects users who load an infected website. Adware is a program that runs on a user’s computer. It’s often installed hidden inside a package that also contains legitimate software, or lands on the machine without the knowledge of the user.
How common is malvertising?
Malvertising is growing at a fast pace. Confiant calculates that 1 in every 200 online ads is malicious, while GeoEdge, which sells anti-malvertising solutions, estimates that up to 1 in 100 ads is not safe. In 2017, Google blocked 79 million ads that attempted to send people to malicious websites and removed 48 million ads that suggested the installation of unwanted software.
Users face multiple threats through bad ads. “The most common attacks are auto-redirects, where the user is thrown out of the page into a different location, in which he or she is exposed to many threats: phishing scams, malware ransom attacks, malicious ads leading to exploit kits and auto file downloads,” says Tobias Silber, vice president of marketing at GeoEdge.
Auto-redirects accounted for 47.5% of all malvertising in the last quarter of 2018, according to GeoEdge. Meanwhile, malicious ad pre-clicks (drive-by-downloads or malicious code embedded in the main scripts of a page) made up 25% of incidents. Additionally, malicious ad post-clicks (after users click on the ad, they get infected directly or get redirected to a malicious website) accounted for 7%.
Malvertising groups will continue to prosper, because often it’s difficult to bring them to justice, says Michael Tiffany, president & co-founder of White Ops. At the end of 2018, his company worked with Google and a few dozen other organizations and law enforcement agencies to take down one of the most sophisticated ad fraud operations, called “3ve” (pronounced “Eve”). The group created fake versions of websites and fake visitors to make money.
In this case, the perpetrators were arrested, but that’s not what usually happens when it comes to ad fraud. “Bringing consequences to the bad guys is still rare,” Tiffany says. “3ve was the first time consequences of that magnitude were brought down on sophisticated cybercriminals doing ad fraud.”
How malvertising works
Malvertising has continued learning new tricks since it was first seen in the wild in late 2007 or early 2008. Back then, a vulnerability in Adobe Flash allowed attackers to distribute malicious advertising through several websites, including MySpace.
A few years later, in 2011, one of the first cases of a drive-by download was uncovered. Spotify was at the center of a malvertising attack that used the notorious Blackhole exploit kit, which was available for rent for a few hundred dollars a month.
Throughout the years, however, malvertising’s modus operandi has remained the same. Typically, attackers buy ad space from ad agencies and then submit infected images hoping not to get caught. Sometimes, they start by sending a legitimate ad first, and insert malicious code later. After they infect enough people, they can clean up after themselves and remove the bad code.
These cybercriminals often take advantage of the complex mechanisms used by the advertising industry. In many cases, there can be a long supply chain between the advertiser and the publisher that includes an ad network and one or more resellers. As recent malvertising attacks have shown, this entire supply chain can be manipulated. Security company Check Point Software Technologies noticed that a legitimate online advertising company might have been at the center of a malvertising scheme.
In July 2018, Check Point researchers uncovered a massive operation that distributed malvertising to users who drove by thousands of compromised WordPress websites. The ads had malicious JavaScript code that exploited unpatched vulnerabilities in browsers and browser plug-ins, including Adobe Flash Player. These attackers used multiple exploit kits, including the prolific RIG, which combines different web technologies (DoSWF, JavaScript, Flash and VBscript) to obfuscate attacks.
Check Point noticed something even more alarming. “AdsTerra, a famous ad-network company, has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities,” Check Point wrote on its website.
Dangu has noticed that malvertisers build relationships with the most reputable ad platforms. “There’s a growing awareness in the ad tech industry that it is infected by malvertisers at its core,” he says. “Whenever a malicious ad gets served to a user, it evaded multiple layers of detection through the ad tech ecosystem.”
Sometimes, cybercriminals don’t even need to go through this whole process if they can hack large websites directly, tricking them into serving people with malicious ads. It happened, for instance, to Equifax right after its notorious breach, security blogger Randy Abrams discovered.
From a regular user’s perspective, malicious ads are compelling because they often provoke strong emotions and promote calls-to-action. They can also promise products at a bargain, including an iPhone for just $1, tricking users into giving their credit card data.
Confiant found that malvertising activity is 36% higher during weekends, with Sunday being the preferred day of the week for malvertisers to attack. The holidays and shopping seasons such as Black Friday, when people are actively looking for discounts, also see a spike in malvertising.
What is the state of malvertising today?
The malvertising industry is getting more sophisticated when it comes to its malware delivery methods. The beginning of 2019 brought an increasing number of drive-by malicious ads that don’t require a user’s click, says Phil Cowger, researcher at cybersecurity company RiskIQ.
Currently, the most common attack is the gift card scam, says Confiant’s Dangu. At the end of 2018, the company uncovered a massive malvertising campaign targeting iOS devices owned by U.S. citizens. The cybercriminal group known as ScamClub hijacked 300 million browser sessions in just two days. “Attackers collect vast amounts of private data willingly shared by victims, thinking they will receive a reward,” Dangu says referring to the free Amazon gift card scam. “The data collected includes buying intent, health-related data, and is resold to data providers by the attackers.”
Another group, eGobbler, also targeted U.S.-based users. The massive operation was connected to Presidents’ Day weekend. When victims clicked on an ad, it redirected them to malicious websites, many of which invited the victims to enter personal and financial data.
Dangu says that the complex mechanisms of the advertising industry hold part of the blame. “One of the most recent eGobbler campaigns was served via direct relationships with seven ad platforms,” he says. “This is a staggering number and shows how deeply rooted [malvertising groups] are in the ad tech environment.”
eGobbler targets HTML5 libraries like CreateJS and GreenSock to hide its malicious code, making it very difficult for security analysts to find and for automated scanners to detect. The group leverages sophisticated anti-bot techniques to hide from scanners, according to Dangu.
Polyglot images and steganography
One of the tools malvertising groups like to use is steganography. The concept of concealing a message inside another text or an image is at least 2,500 years old, and a couple of examples were mentioned by Herodotus in his Histories.
Malvertising groups often use the same approach to embed malicious code in an unseen image hidden inside an ad’s image. The number of such incidents grew exponentially in the last quarter of 2018 and into 2019, according to GeoEdge.
One of the victims was Experian, a multi-billion-dollar global information services company. “One of their ads was innocently targeted with a second image, one that was not visible to the user but hidden inside the ad request, which called up the embedded malicious code,” says Silber. “Once the ad appears on a user’s desktop or phone, the malicious code is enabled. In this instance, the malicious code was an auto-redirect to a phishing site targeting U.S. users.”
Steganography was also employed by a malvertising group called VeryMal, which targeted Mac users, according to a report. In this case, JavaScript malware was hiding inside image files.
Criminal groups are always looking to improve, so steganography recently got an even more clever sibling: polyglot images. Researchers at Devcon discovered a cybercriminal group that used this sophisticated technique.
Steganographic exploits use data hidden in an image by altering a few pixels. A typical user looking at it wouldn’t suspect a thing, but steganography “requires some extra JavaScript (not in the image) to know the patterns and offsets to find the exploited pixels and reassemble them into executable JavaScript,” Devcon wrote on a blog post.
Polyglot exploits go one step further: They can be seen as both an image and valid JavaScript at the same time, hence the name. Another feature is that they don’t need an external script to extract the payload.
In this case, the malicious actor employed BMP images and manipulated the file’s header bytes. The bytes that should hold the image size were altered so that the computer instead read the character codes for /** — the sequence that opens a comment in JavaScript. When a JavaScript interpreter sees that, it ignores everything up to the closing */.
The attacker then added the sequence =' followed by the payload string. After this, the file could be consumed by the browser in two ways: as an image, ignoring the JavaScript, or as a script, ignoring the image data.
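The header manipulation described above leaves traces a scanner can look for without executing anything: a BMP whose file-size field decodes to printable text such as a comment opener, a declared size that disagrees with the real length, and data trailing after the pixel array. The following Python inspector is an added example written for this article, not code from Devcon or from the original page; it builds its own tiny BMP test files (constructed samples, not real malvertising artefacts) and reports such inconsistencies as findings.

```python
import struct

# BMP layout used here: 14-byte file header ("BM", file size, two reserved
# shorts, pixel-array offset) followed by a 40-byte BITMAPINFOHEADER.
FILE_HEADER = '<2sIHHI'
DIB_HEADER = '<IiiHHIIiiII'
VALID_BPP = {1, 4, 8, 16, 24, 32}


def build_bmp(width: int = 1, height: int = 1, rgb=(0, 0, 0)) -> bytes:
    """Build a minimal, well-formed 24-bit BMP (constructed sample)."""
    row_bytes = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    row = bytes(rgb[::-1]) * width            # BMP stores pixels as BGR
    row += b'\x00' * (row_bytes - width * 3)
    pixels = row * height
    dib = struct.pack(DIB_HEADER, 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    file_size = 14 + len(dib) + len(pixels)
    header = struct.pack(FILE_HEADER, b'BM', file_size, 0, 0, 14 + len(dib))
    return header + dib + pixels


def inspect_bmp(data: bytes) -> list:
    """Return a list of findings; an empty list means no anomaly was seen."""
    findings = []
    if len(data) < 14 or data[:2] != b'BM':
        return ['not a BMP: bad magic or truncated file header']

    declared_size, _r1, _r2, pixel_offset = struct.unpack_from('<IHHI', data, 2)
    size_bytes = data[2:6]

    # 1. The size field is a binary integer; it should not read as source text.
    if size_bytes.startswith(b'/*'):
        findings.append('file-size field begins with the JavaScript comment '
                        'opener /* (polyglot indicator)')
    elif all(32 <= b < 127 for b in size_bytes):
        findings.append(f'file-size field is printable ASCII {size_bytes!r}')

    # 2. Declared and actual length must agree for a well-formed file.
    if declared_size != len(data):
        findings.append(f'declared file size {declared_size} != actual '
                        f'length {len(data)}')

    if pixel_offset > len(data):
        findings.append('pixel-array offset points past end of file')
        return findings

    # 3. Recompute where the pixel array should end; bytes beyond it are
    #    not image data and deserve a closer look.
    if len(data) < 54:
        findings.append('DIB header truncated')
        return findings
    width, height, _planes, bpp = struct.unpack_from('<iiHH', data, 18)
    if width <= 0 or height == 0 or bpp not in VALID_BPP:
        findings.append(f'implausible geometry width={width} height={height} '
                        f'bpp={bpp}')
        return findings
    row_bytes = ((width * bpp + 31) // 32) * 4
    expected_end = pixel_offset + row_bytes * abs(height)
    trailing = len(data) - expected_end
    if trailing > 0:
        findings.append(f'{trailing} bytes of trailing data after pixel array')
    return findings


def make_suspect_sample() -> bytes:
    """Constructed test input: a valid BMP whose size field is overwritten
    with comment-opener text and which carries trailing non-image bytes.
    The trailing bytes are an inert marker, not a script."""
    bmp = bytearray(build_bmp())
    bmp[2:6] = b'/**\x00'
    return bytes(bmp) + b'CONSTRUCTED-TRAILING-DATA'


if __name__ == '__main__':
    for label, sample in (('benign', build_bmp()), ('suspect', make_suspect_sample())):
        print(label, inspect_bmp(sample) or ['no findings'])
```

The printable-ASCII and trailing-data checks are heuristics, not proof: a very large genuine file could have a size field that happens to be printable, and some encoders append metadata after the pixel array. Treat hits as a reason to quarantine the creative for manual review, and combine them with the size-mismatch check, which a well-formed file should never trip.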
Mobile malvertising
Smartphones and tablet PCs are becoming increasingly attractive for malvertising groups because users tend to worry less about these devices’ security. It’s also common to accidentally tap an ad when you’re using a smartphone.
Recent malvertising campaigns have targeted both Android and iPhone users. One such example is PayLeak, caught at the end of 2018. A Pulitzer Prize-winning publication based on the American West Coast served its readers malicious ads. When a user clicked on one, the ad called a malicious domain registered in China. This malware was interested, for instance, in finding out what kind of device the victim was using, whether it was protected by antivirus, and whether the victim was in motion or at rest. Android users were lured with an Amazon gift card that redirected them to a phishing site. Meanwhile, iPhone users received successive popups, which included fake instructions to update their Apple Pay account.
Mobile malvertising is in its infancy, says Michael Covington, vice president of mobile security company Wandera. “Attackers are still trying to determine what they can do with these often-unprotected channels to the device,” he says.
Mobile malvertising tends to fall into three general categories of intent. “The most prevalent use of malvertising is to deliver very clever in-app phishing attacks,” Covington says. Cryptojacking (using someone else’s computer to mine cryptocurrency) via the ad channel comes second. Wandera noticed that the number of devices impacted by cryptojacking grew by almost 300% month-over-month in late 2018.
The third type of malvertising campaign is one that’s designed to deliver malware payloads to the device. “While this is typically the least successful attack via ads, the attackers are constantly on the hunt for new means of sending bad apps to unsuspecting users,” says Covington.
In November 2020, The Media Trust reported it had found new mobile malware, called Trickstack-3PC, that was delivered through compromised tags attached to ads. The tags are actually JavaScript code that creates a JavaScript object that uses the victim’s computer to commit ad fraud.