Cybercriminals do not take holidays off — in fact, they often use them to their advantage. That’s how a group of hackers celebrated President’s Day in the United States. They launched a massive malicious advertising (malvertising) campaign that involved more than 800 million ad impressions on legitimate websites between February 16-19, 2019, according to Confiant security researchers. The ads were designed to trick users into entering personal and financial information in order forms for fake products.
A Serious Problem
Malvertising is a serious problem. Avast notes that it is one of the top five endpoint threats affecting small businesses. That’s because cybercriminals are increasingly posting malvertising on legitimate websites in order to:
- Obtain sensitive data. As in the President’s Day campaign, hackers use malvertising to obtain sensitive data, such as payment card or bank account information.
- Deliver exploit kits. These kits are designed to find known vulnerabilities in systems. If a vulnerability is found, it is used to install malware or carry out other types of malicious activities.
- Deliver malicious payloads directly. Pop-up ads, for example, can deliver malware as soon as they appear or after people click the “X” button to close them.
The Devious Ways in Which Malvertising Works
To understand how malvertising works, you need to know how web browsers render web pages. When you visit a web page, your browser automatically receives the page’s content so it can display the page. That content includes any ads on the page, and a malicious ad is received the same way as a legitimate one.
What the malvertising does next depends on whether it includes malicious code. For instance, suppose hackers want to deliver an exploit kit. One way they can do this is to create ads that try to lure you into clicking a link. The ad itself does not contain any malicious code. However, if you click the link, you will be sent to a server that delivers an exploit kit. If the kit finds a vulnerability, it is used to install malware on your device.
Even worse, some malicious ads deliver exploit kits without you doing anything other than going to your favorite website. In this case, the malvertising contains code that automatically redirects your browser to a server, which delivers the exploit kit. The redirection occurs behind the scenes, without you clicking a single link.
How Hackers Get Malicious Ads on Legitimate Websites
Hacking into legitimate websites and inserting malicious ads is a lot of work. That’s why cybercriminals typically pose as business people to get their malvertising online. This ruse is successful because there are many different ways to get ads on websites (e.g., through advertising agencies, using advertising networks) and there is no standard vetting process. The groups involved in getting ads often do not request much information from the people submitting them. Plus, while some groups check ads before accepting them, others do not.
How to Protect Your Business
While the digital ad industry knows about malvertising and is taking steps to mitigate the problem, it will be a while before these ads are no longer a threat. Thus, you need to proactively protect your business. Here are some of the measures you can take:
- Educate employees about malvertising. Be sure to discuss the dangers of clicking links in ads, as the ads might be malicious.
- Tell employees about the dangers of allowing pop-ups and redirects. Most modern web browsers block pop-ups and redirects by default, but this functionality can be manually disabled.
- Uninstall browser plug-ins and extensions not being used. This will reduce the computers’ attack surface.
- Update software regularly, including browser plug-ins and extensions. Exploit kits look for known vulnerabilities in software. Patching these vulnerabilities helps eliminate entry points into devices.
- Install ad blockers. Ad blockers remove or modify all ad content on web pages. However, they might unintentionally block non-ad content, causing a web page to display improperly or not at all.
We can help you develop a customized strategy to protect your business’s devices from malvertising and other types of cyberattacks.