Malvertising, a combination of the words malware and advertising, is a method used by cyber criminals to use legitimate websites to trick or scam their users into providing sensitive information or installing malware and viruses. Sometimes, these methods use web browser exploits to do what is known as a “drive-by download” to install malware or a computer virus on an unsuspecting website user’s device, completely undetected. Other forms of malvertising rely on age-old scams to trick users into willingly installing malicious programs or entering personal information.
At best, the experience is a nuisance, forcing a user from the intended page or content they were viewing to a very real looking website announcing they’ve won a prize or warning them that their device is “infected.” In these cases, it’s the rough equivalent of a letter indicating you’ve won the lottery in a country you’ve never been to. Most people know and understand that it is generally not possible to win a lottery that you’ve never played, but hey, if it is real they’re “rich!”
Likewise, many people enter information for a gift card from Amazon or their local cable television provider or they download the “malware tool” recommended by the fake website. In these cases, they often share user account information; sometimes credit card numbers are provided or a user willingly installs a virus or malware on their device.
These schemes are designed to play on human emotion.
For a less technical person, seeing a large red warning flashing on their screen indicating that their device has been compromised will often lead to taking the easy path of installing the recommended software to clean the device. For someone tight on cash, a $500 gift card would be great! Unfortunately, if it’s too good to be true, it probably is and these are no exception. If you sign up to win the gift card, you’ll likely win identity theft or fraudulent charges on your account. If you install the anti-malware software the webpage recommends, you will likely win a slow virus laden computer at best, sometimes users even pay a monthly subscription fee for the software. At worst, your computer might self-encrypt and you’ll be held hostage by ransomware.
The criminals that perpetrated the attack will move on to new victims, but the publisher website that the user was visiting will likely be blamed for the damage done. In reality, the publisher is as much a victim of this attack as the end user. The publisher takes a hit to reputation and may lose readers as a result of these attacks. Unfortunately, ever since the World Wide Web got its start, publishers have been trying to figure out how to best monetize their content [link to first ad on the web story] and a big part of that is digital display.
So why don’t publishers just block these malicious ads?
In reality, it’s a difficult task as cyber criminals come up with new and intensive methods to avoid detected. In January of 2018, security researchers reported a complex organization that created 28 fake digital agencies, with very real connections to 16 advertising exchanges, all for the purpose of pushing malicious redirect ads into legitimate ad networks.
Typically, these ads appear as legitimate advertisements to a majority of the users. The technology is written expressly to target a very specific user type and employ complex checks against the tools that security researchers typically use to search out malicious code and block it.
Ad networks, such as Google Ad Exchange, designed specifically for large publishers to monetize unsold inventory, do repeated file scans of every ad running through the platform. Google even has a website dedicated to helping publishers follow best practice to avoid Malvertising.
Unfortunately, the malicious ads are often designed to trick detection mechanisms, only activating the malware under certain conditions and times of day to minimize detection. Often, the ads redirect so quickly form the legitimate publisher website that unless a user was tracking all of the website calls made from their browser (hint: unless you’re a security researcher or IT professional, you most likely don’t), there’s no way to trace what ad call triggered the redirect.
With digital revenue’s often trailing traditional print and broadcast revenues, it’s a difficult ask to have publishers shut off these remnant networks entirely.
What can be done?
While the cat and mouse game between security professionals and ciber criminals continues, there are a few best practice recommendations that can be done to protect yourself while browsing the web.
Keep your device up to date.
Many of the exploits used to perpetrate attacks on website users are known and already fixed issues that can be avoided by simply keeping your device and the software on it up to date. Often, when security researchers find an exploit in the wild, they notify the software vendor and give those publishers 90 days to fix the bug before it is publicly released. If you are holding off on that operating system update that was pushed last week, or that newer release of your favorite web browser, you’re putting yourself at a disadvantage.
Anti-virus / Malware
Anti-virus software is unlikely to prevent malvertising from completing a forced redirect, but it can help prevent many of the known exploits from self-downloading and installing a virus or malware. Some anti-virus or anti-malware companies also offer site reputation services and scan inbound web traffic against their known database, warning users if a site is suspected of spam or is malicious in nature.
Ad Blocking Software
Many security sites will recommend that anyone using the web should use ad blocking technology. This is a sensitive topic and a difficult choice to be made. We’ve already discussed how much traditional print and broadcasting publishers rely on advertising revenue from direct sell and ad exchanges, so by turning on an ad blocker you are outright denying the owners of that website monetization of their content.
If you do opt to use an ad blocking software, many will offer the ability to “white-list” websites to display ads for publishes you wish to continue to support. Also, don’t be surprised if publisher websites redirect you to a pay wall or request that you white-list them in order to view their content if they detect an ad blocker is being used.
If despite all of your best efforts, you’ve taken every precaution, but still get infected with a virus or ransomware, your best bet is to restore to a known good backup of your files before the infection occurred. Unfortunately, if that backup is on your infected hard drive, or is an external drive that is connected to that device, it is possible the ransomware or virus has infected it as well. To counter this, you can rotate backup storage devices, keeping a known good hard drive detached from your device or rotating two external drives monthly to store backups. Alternatively, you could use a cloud backup service to store a remote copy of your files that would likely be untouched by the virus or ransomware, but this comes with its own inherit security and privacy concerns https://www.scientificamerican.com/article/how-secure-is-your-data-when-it-rsquo-s-stored-in-the-cloud/.