Malvertising was in the news this week – which made me think of this today. Infosecurity Magazine reported: “L.A. Times, Salon.com Hit By Large-Scale Malvertising Campaign”. Blue Coat security also wrote a deeper examination: “Untangling a Major Malvertising Network”.
Malvertising is actually one of those seemingly “new but old” problems. It’s “old” – the technique for bad guys has been around for a while – but it’s “new” in that we are seeing it in the news recently. It is one of those online threats that most end users are not as familiar with. Maybe it’s just out of sight – out of mind. Bad ads are not as obvious or recognizable as the clear spam we see occasionally pervade our inboxes.
So what is Malvertising? Wikipedia has an entry, which cites:
Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place “clean” advertisements on trustworthy sites first in order to gain a good reputation, then they later “insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus”, thus infecting all visitors of the site during that time period.
The Online Trust Alliance (OTA) describes Malvertising as follows:
Malvertising is the cybercriminal practice of injecting malicious or malware laden advertisements into legitimate online advertising networks. It can occur through deceptive advertisers or agencies running ads or compromises to the ad supply chain including ad networks, ad exchanges and ad servers. It is a growing threat to the integrity of the ad supply chain and vector to distribute malware to unsuspecting users. A malicious advertisement exhibits behavior including, but not limited to, conducting a drive-by-download, delivering deceptive downloads such as fake anti-virus pop-ups and/or redirecting the user to sites that the user has not elected to visit.
This is basically it – bad actors exploit the advertising/publisher plumbing and economy of the internet. They simply place a normal, clean, safe ad with an ad network, or directly with a publisher. Once the ad passes approval processes and gets served onto a specific website or venue, the bad actor switches out the ad, either with a replacement ad for a different – maybe illegal – product, or worse, changes the path or destination of the click, such that the user passes through an unsafe site that drops malware on their machine. This is known as a “drive-by”.
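Because the swap happens after approval, a one-time review is not enough: the ad has to be compared again with what was approved. The sketch below is an added example, not code from OTA or any ad network. It assumes a scanner has already captured the served creative markup and the list of URLs the click passes through; the function names and all sample URLs are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

def host(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def snapshot(creative_markup, click_chain):
    """Record what was reviewed: creative hash plus the hosts in the click chain."""
    return {
        "creative_sha256": hashlib.sha256(creative_markup.encode("utf-8")).hexdigest(),
        "hosts": [host(u) for u in click_chain],
    }

def drift(baseline, observed):
    """List the ways the ad being served differs from the approved snapshot."""
    findings = []
    if observed["creative_sha256"] != baseline["creative_sha256"]:
        findings.append("creative-changed")
    approved = set(baseline["hosts"])
    new_hosts = [h for h in observed["hosts"] if h not in approved]
    if new_hosts:
        findings.append("new-redirect-hosts:" + ",".join(new_hosts))
    if observed["hosts"][-1:] != baseline["hosts"][-1:]:
        findings.append("landing-changed")
    return findings

# Constructed sample data (reserved .example domains, not real campaigns).
APPROVED_MARKUP = '<a href="https://click.adnetwork.example/c?id=1"><img src="https://cdn.adnetwork.example/shoes.png"></a>'
APPROVED_CHAIN = ["https://click.adnetwork.example/c?id=1", "https://shop.example/sale"]
BASELINE = snapshot(APPROVED_MARKUP, APPROVED_CHAIN)

# Re-scan 1: same creative, but the click now passes through an extra site.
REROUTED = snapshot(APPROVED_MARKUP, [
    "https://click.adnetwork.example/c?id=1",
    "https://hop.unknown.example/r",
    "https://shop.example/sale",
])

# Re-scan 2: the creative itself was replaced and lands somewhere else.
SWAPPED = snapshot(
    '<a href="https://click.adnetwork.example/c?id=1"><img src="https://cdn.adnetwork.example/pills.png"></a>',
    ["https://click.adnetwork.example/c?id=1", "https://pills.example/buy"],
)

if __name__ == "__main__":
    for name, obs in (("rerouted", REROUTED), ("swapped", SWAPPED)):
        print(name, drift(BASELINE, obs))
```

Any finding is a reason to pull the ad and re-review it; an empty list only means the ad matched the baseline at the moment of that scan.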
The Online Trust Alliance has long had an active role in the online community on the issue of Malvertising. (Disclosure: I currently serve on the Board of Directors at OTA).
In July 2010, OTA formed this cross-industry working group to share data and develop best practices to counter this growing threat. The group has generated a number of great resources, including a Malvertising Response & Remediation Guide, Anti-Malvertising Guidelines and New Advertiser Risk Evaluation Tools.
To check out OTA’s Overview on Malvertising, and other resources, visit their Anti-Malvertising website.
The website Anti-Malvertising.com was created by Google’s Anti-Malvertising Team to help individuals and businesses find out if they are being tricked by ads, or if an ad or advertiser is dangerous. Users can search an advertiser’s name, company name, and any URLs and domains associated with an ad. They also have additional Sleuthing Tools and Resources.
It is not a small problem, though it is tricky to pin down. In 2012, the OTA working group estimated nearly 10 billion ad impressions were compromised by malvertising.
So for me, this is an “old” problem that is somewhat “new” again. It’s a bit of a hidden problem anyway, so we can all help each other by becoming aware. Share your web security knowledge with friends and family. StaySafeOnline.org has some great guidance on this and other online threats to end users – be sure to at least check out the Top Security Practices guide, which is geared towards a general audience.
What about you? Is Malvertising something you know about? Had any direct experiences with it – either as an end user, business operator, or security specialist? Let us know, we’d love to learn from your experiences.