A couple of weeks back, our SpiderLabs researchers told you about the latest transgressions of the Angler exploit kit, which is using online advertisements spiked with malicious code to infect computers of unsuspecting users visiting popular and reputable websites.
The kit's choice of infection vehicle - malicious advertisements (or "malvertisements") - has won increasing favor with cybercriminals, with one study finding that the threat increased more than 300 percent from 2014 to 2015.
Attackers typically spread malicious ads across the advertising ecosystem by posing as a legitimate advertiser, then sneaking malicious code into the ads and past the ad network's security filters, so that nobody notices before the ads are published on reputable websites.
Customers of the Angler exploit kit (not to be confused with the developers of the kit itself) operate with varying levels of sophistication. We recently told you about one of the more elaborate criminal groups relying on Angler, which performed its own novel take on the technique above: the group acquired an expired domain belonging to a small, but probably legitimate, advertising company and used that identity to place malicious ads on known ad networks.
It is uncertain if this innovative strategy will become commonplace, but the tactic is notable if for no other reason than it shows criminals are serious about fine-tuning their malvertising ploys and are embracing the potential return-on-investment that the scheme offers.
IT and security professionals must take note of the malicious ad threat and its potential impact on their organization, either through end-user infection or - if the organization runs a prominent website - through that site being used to spread malware.
Here are eight reasons why you should be wary of malicious ads. Understanding each of them will help you better mitigate the risk.
1. They are growing in number.
Malicious ads have been around since at least 2007, when the threat began steadily turning up on popular sites like social networking platforms. The menace continued in the years that followed, prompting the nonprofit Online Trust Alliance in 2010 to form the Anti-Malvertising Task Force, which resulted in the release of a best practices white paper (PDF) for all parties involved in the distribution and handling of online ads. Despite these laudable efforts, malvertising appears to have continued largely untrammeled and has become one of the preferred vectors by which cybercriminals install malware onto the computers of unwitting users.
2. They can end up on any website.
Nearly every popular site carries ads, and its owner generally doesn't control which ads can or cannot be displayed - beyond some settings regarding the type of content (but not the actual code, or where it originates from). Instead, it is the ad network that chooses which ads to display in real time to target specific users, based on the visitor's profile and other considerations.
Ultimately the code of the actual ad is provided by whoever signed up with the ad network as an advertiser - and that can be a cybercriminal. Let's say a malicious actor wants to publish their malicious ad. They go to an ad network and submit the code for their ad. Their code loads a script from a website they control (either their own or a compromised one) to which they want to silently direct users, and that script is benign at the time they submit the ad. So if the ad network scans the ad, it sees benign code loading a benign script. Once the ad has been approved, however, the crook replaces the benign script with a malicious one. Because the ad is already in circulation and is marked as "approved," the ad network is unlikely to catch the script change - it would have to re-fetch and re-scan every external resource of every single ad it allows on its network, every time it is served.
In essence, the ecosystem of online advertising allows code from someone you know nothing about to run on your site - and consequently on your visitors' machines.
3. They are cheap and can be customized.
If you're a criminal, you can buy thousands of impressions ("displays" of your ad) for as little as a few dollars. These prices are considerably lower than the cost of compromising a site. You can also choose your target audience by attributes such as operating system, web browser or geolocation - meaning a cybercriminal can filter out unwanted traffic without paying for it, or pay a little more to receive only a certain type of traffic. For example, they can choose to exclusively target users of Internet Explorer because they know their exploit works on IE, or only target the United States because their payload is a banking Trojan customized for American financial institutions.
4. They make more sense than compromising a single site.
The "old way" of delivering web exploits was that a site would get compromised, code would be placed on the site that redirects visitors of that site to a malicious page (typically an exploit kit's landing page), and any visitors to the site would be at risk of infection.
But this method has at least two notable limitations:
- To be successful, criminals need to compromise sites that attract huge amounts of traffic and non-repeat visitors. These tend to be the most popular sites, which tend to also have the best security controls in place to prevent this type of infection.
- Access to a compromised website is usually bought, and seeding it with malicious code can be an expensive initial purchase. Malicious advertising, on the other hand, provides criminals with steady and predictable traffic, and they typically pay only a few cents to a few dollars for thousands of impressions. It's all automated and on-demand - criminals can begin a campaign whenever they desire.
5. They spread nasty payloads.
The aforementioned Angler campaign redirected visitors of websites carrying its malicious ads to a rogue page hosting a malware cocktail that included the Bedep Trojan and TeslaCrypt ransomware, a pernicious concoction our researchers described as "double the trouble." Ransomware, in particular, has become one of the most dangerous malware threats facing businesses, with some calling it a national cyber emergency and believing the worst is yet to come.
6. They neutralize the power of an educated user.
If in the past an educated user could avoid dodgy websites and remain relatively safe online, malvertising renders that intelligence and training irrelevant. Any site you visit may carry a malicious ad, and all the awareness in the world isn't going to help you.
Malicious ad exploitation happens in the background and without any user interaction, so there is no pop-up ad that your instincts will tell you not to click. You also don't see the infection happening, and you may not even know something bad has occurred - unless you get a payload like ransomware, which (as mentioned above) will probably catch your attention.
7. They take advantage of overlooked patches.
Most web-borne malware exploits vulnerabilities either in your browser or in commonly used third-party applications such as Flash Player, Adobe Reader, Microsoft Office or Microsoft Silverlight. It may sound like a broken record, but keeping all of those programs updated with the latest patches is critical.
Most attacks out there are not zero-days; they exploit known vulnerabilities for which fixes are already available. You have to ensure you deploy these patches across your organization (and at home, for home users) as soon as they are released. Users and businesses should also consider uninstalling third-party programs that are not used or needed, such as Flash or Java, since a component that isn't installed cannot be exploited.
8. They can evade legacy security solutions.
Malicious ads typically use obfuscated exploits that traditional security controls, such as anti-virus and firewalls, have difficulty sniffing out. Their operators also make use of underground testing services to ensure that the malware goes undetected on the victim machine, and crypter (packing and encryption) services to ensure it stays that way. As such, businesses should turn to web security gateway solutions for protection against malvertising and exploit kits, since these can scan web-borne content in real time and block such "undetectable" malware before it reaches the victim machine in the first place.
Dan Kaplan is manager of online content at Trustwave. This blog was co-authored by SpiderLabs Lead Security Researcher Anat Davidi.