CIO

What is malvertising? And how to protect against it

Malvertising, the practice of sprinkling malicious code into legitimate-looking ads, affects both small and large websites. Protecting against it is harder than it seems.

Malvertising definition

Malvertising, a word that blends malware with advertising, refers to a technique cybercriminals use to target people covertly. Typically, they buy ad space on trustworthy websites, and although their ads appear legitimate, they have malicious code hidden inside them. Bad ads can redirect users to malicious websites or install malware on their computers or mobile devices.

Some of the world’s most popular websites, including those of the New York Times, Spotify and the London Stock Exchange have inadvertently displayed malicious ads, putting their users in jeopardy. What’s worrying is that people can get infected even if they don’t click on the images: Often it’s enough if they just load. This method is called “drive-by download,” because all a victim has to do is “drive by” a web page.

Cybercriminals use malvertising to deploy various forms of money-making malware, including ransomware, cryptomining scripts or banking Trojans. For attackers, this endeavor can be very profitable. “Today, malvertising groups are highly organized businesses,” says Jerome Dangu, co-founder and CTO of Confiant, a company that develops solutions against bad ads.

Malvertising vs adware

Malvertising is sometimes confused with adware. Malvertising refers to malicious code initially included in ads, which affects users who load an infected website. Adware is a program that runs on a user’s computer. It’s often installed hidden inside a package that also contains legitimate software, or lands on the machine without the knowledge of the user.

How common is malvertising?

Malvertising is growing at a fast pace. Confiant calculates that 1 in every 200 online ads is malicious, while GeoEdge, which sells anti-malvertising solutions, estimates that up to 1 in 100 ads is not safe. In 2017, Google blocked 79 million ads that attempted to send people to malicious websites and removed 48 million ads that suggested the installation of unwanted software.

Users face multiple threats through bad ads. “The most common attacks are auto-redirects, where the user is thrown out of the page into a different location, in which he or she is exposed to many threats: phishing scams, malware ransom attacks, malicious ads leading to exploit kits and auto file downloads,” says Tobias Silber, vice president of marketing at GeoEdge.

Auto-redirects accounted for 47.5 percent of all malvertising in the last quarter of 2018, according to GeoEdge. Meanwhile, malicious ad pre-clicks (drive-by-downloads or malicious code embedded in the main scripts of a page) made up 25 percent of incidents. Additionally, malicious ad post-clicks (after users click on the ad, they get infected directly or get redirected to a malicious website) accounted for 7 percent.

Malvertising groups will continue to prosper, because often it’s difficult to bring them to justice, says Michael Tiffany, president & co-founder of White Ops. At the end of 2018, his company worked with Google and a few dozen other organizations and law enforcement agencies to take down one of the most sophisticated ad fraud operations, called “3ve” (pronounced “Eve”). The group created fake versions of websites and fake visitors to make money.

In this case, the perpetrators were arrested, but that’s not what usually happens when it comes to ad fraud. “Bringing consequences to the bad guys is still rare,” Tiffany says. “3ve was the first time consequences of that magnitude were brought down on sophisticated cybercriminals doing ad fraud.”

How malvertising works

Malvertising has continued learning new tricks since it was first seen in the wild in late 2007 or early 2008. Back then, a vulnerability in Adobe Flash allowed attackers to distribute malicious advertising through several websites, including MySpace.

A few years later, in 2011, one of the first cases of a drive-by download was uncovered. Spotify was at the center of a malvertising attack that used the notorious Blackhole exploit kit, which was available for rent for a few hundred dollars a month.

Throughout the years, however, malvertising’s modus operandi has remained the same. Typically, attackers buy ad space from ad agencies and then submit infected images hoping not to get caught. Sometimes, they start by sending a legitimate ad first, and insert malicious code later. After they infect enough people, they can clean up after themselves and remove the bad code.

These cybercriminals often take advantage of the complex mechanisms used by the advertising industry. In many cases, there can be a long supply chain between the advertiser and the publisher that includes an ad network and one or more resellers. As recent malvertising attacks have shown, this entire supply chain can be manipulated. Security company Check Point Software Technologies noticed that a legitimate online advertising company might have been at the center of a malvertising scheme.

In July 2018, Check Point researchers uncovered a massive operation that distributed malvertising to users who drove by thousands of compromised WordPress websites. The ads had malicious JavaScript code that exploited unpatched vulnerabilities in browsers and browser plug-ins, including Adobe Flash Player. These attackers used multiple exploit kits, including the prolific RIG, which combines different web technologies (DoSWF, JavaScript, Flash and VBScript) to obfuscate attacks.

Check Point noticed something even more alarming. “AdsTerra, a famous ad-network company, has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities,” Check Point wrote on its website.

Dangu has noticed that malvertisers build relationships with the most reputable ad platforms. “There's a growing awareness in the ad tech industry that it is infected by malvertisers at its core,” he says. “Whenever a malicious ad gets served to a user, it evaded multiple layers of detection through the ad tech ecosystem.”

Sometimes, cybercriminals don’t even need to go through this whole process if they can hack large websites directly, tricking them into serving people with malicious ads. It happened, for instance, to Equifax right after its notorious breach, security blogger Randy Abrams discovered.

From a regular user’s perspective, malicious ads are compelling because they often provoke strong emotions and promote calls-to-action. They can also promise products at a bargain, including an iPhone for just $1, tricking users into giving their credit card data.

Confiant found that malvertising activity is 36 percent higher during weekends, with Sunday being the day of the week malvertisers prefer to attack. Holidays and shopping seasons such as Black Friday, when people are actively looking for discounts, also see a spike in malvertising.

What is the state of malvertising today?

The malvertising industry is getting more sophisticated when it comes to its malware delivery methods. The beginning of 2019 brought an increasing number of drive-by malicious ads that don’t require a user’s click, says Phil Cowger, researcher at cybersecurity company RiskIQ.

Currently, the most common attack is the gift card scam, says Confiant’s Dangu. At the end of 2018, the company uncovered a massive malvertising campaign targeting iOS devices owned by U.S. citizens. The cybercriminal group known as ScamClub hijacked 300 million browser sessions in just two days. “Attackers collect vast amounts of private data willingly shared by victims, thinking they will receive a reward,” Dangu says, referring to the free Amazon gift card scam. “The data collected includes buying intent, health-related data, and is resold to data providers by the attackers.”

Another group, eGobbler, also targeted U.S.-based users. The massive operation was connected to Presidents' Day weekend. When victims clicked on an ad, it redirected them to malicious websites, many of which invited the victims to enter personal and financial data.

Dangu says that the complex mechanisms of the advertising industry hold part of the blame. “One of the most recent eGobbler campaigns was served via direct relationships with seven ad platforms,” he says. “This is a staggering number and shows how deeply rooted [malvertising groups] are in the ad tech environment.”

eGobbler targets HTML5 libraries like CreateJS and GreenSock to hide its malicious code, making it very difficult for security analysts to find and for automated scanners to detect. The group leverages sophisticated anti-bot techniques to hide from scanners, according to Dangu.

Polyglot images and steganography

One of the tools malvertising groups like to use is steganography. The concept of concealing a message inside another text or an image is at least 2,500 years old, and a couple of examples were mentioned by Herodotus in his Histories.

Malvertising groups often use the same approach to embed malicious code into an unseen image hidden in an ad’s image. The number of such incidents has been growing exponentially in the last quarter of 2018 and into 2019, according to GeoEdge.

One of the victims was Experian, a multi-billion-dollar global information services company. “One of their ads was innocently targeted with a second image, one that was not visible to the user but hidden inside the ad request, which called up the embedded malicious code,” says Silber. “Once the ad appears on a user’s desktop or phone, the malicious code is enabled. In this instance, the malicious code was an auto-redirect to a phishing site targeting U.S. users.”

Steganography was also employed by a malvertising group called VeryMal, which targeted Mac users, according to a report. In this case, JavaScript malware was hiding inside image files.

Criminal groups are always looking to improve, so steganography recently got an even more clever sibling: polyglot images. Researchers at Devcon discovered a cybercriminal group that used this sophisticated technique.

Steganographic exploits use data hidden in an image by altering a few pixels. A typical user looking at it wouldn’t suspect a thing, but steganography “requires some extra JavaScript (not in the image) to know the patterns and offsets to find the exploited pixels and reassemble them into executable JavaScript,” Devcon wrote on a blog post.

Polyglot exploits go one step further: They can be seen as both an image and valid JavaScript at the same time, hence the name. Another feature is that they don’t need an external script to extract the payload.

In this case, the malicious actor employed BMP images and manipulated the file’s header bytes so that, in the place where the image size should be, a JavaScript parser reads the character codes for /**, the combination of characters that opens a comment in JavaScript. When the JavaScript interpreter sees that, it ignores everything written in between.

The attacker added the sequence =’ and then the payload string. After this, the file could run in the browser in two ways: as an image ignoring the JavaScript or as a script, ignoring the image data.
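A defender who wants to catch files shaped like this at the ad-scanning or CDN layer can check the BMP header for exactly the properties the text describes: the size field spelling a comment opener, a declared size that no longer matches the file, and a comment close followed by `='...'` in the pixel area. The scanner below is an added example written for this article; it is not Devcon's code or the tool they used, the heuristics are the author's own assumptions, and both sample files (a benign 2x2 bitmap and an inert polyglot-shaped file whose "payload" is plain text) are constructed inline for testing.

```python
import struct

# Offsets in the 14-byte BMP file header: "BM" magic, a 4-byte little-endian
# file size, 4 reserved bytes and a 4-byte offset to the pixel data.
BMP_MAGIC = b"BM"
SIZE_FIELD = slice(2, 6)
HEADER_LEN = 14

# Tokens that have no business inside pixel data but are what a script would
# need (assumed heuristic list; extend it for your own environment).
JS_MARKERS = (b"eval(", b"document.", b"window.", b"<script", b"location.")


def scan_bmp_for_polyglot(data: bytes) -> dict:
    """Inspect one BMP held in memory and return {'suspicious': bool, 'reasons': [...]}."""
    reasons = []
    if len(data) < HEADER_LEN or data[:2] != BMP_MAGIC:
        return {"suspicious": False, "reasons": ["not a BMP file"]}

    size_bytes = data[SIZE_FIELD]
    declared_size = struct.unpack("<I", size_bytes)[0]

    # Heuristic 1: the size field has been overwritten so the file starts
    # `BM/*`, which a JavaScript parser reads as an identifier and a comment.
    if size_bytes.startswith(b"/*"):
        reasons.append("size field begins a JavaScript comment (/*)")

    # Heuristic 2: a genuine BMP declares its own length; a polyglot cannot,
    # because those bytes now have to spell comment characters.
    if declared_size != len(data):
        reasons.append(f"declared size {declared_size} != actual size {len(data)}")

    # Heuristic 3: after the comment closes, `=` and a quote start a string
    # payload (the article's =' sequence; ASCII quotes assumed here).
    body = data[HEADER_LEN:]
    close = body.find(b"*/")
    if close != -1:
        tail = body[close + 2:close + 4]
        if tail[:1] == b"=" and tail[1:2] in (b"'", b'"', b"`"):
            reasons.append("comment close followed by =<quote> (string payload)")

    # Heuristic 4: script-only tokens anywhere in the pixel area.
    found = [m.decode() for m in JS_MARKERS if m in body]
    if found:
        reasons.append("script tokens in pixel data: " + ", ".join(found))

    return {"suspicious": bool(reasons), "reasons": reasons}


def make_benign_bmp(width: int = 2, height: int = 2) -> bytes:
    """Constructed 24-bit BMP with a correct header, used as a clean test input."""
    row = bytes([0, 0, 255] * width)
    row += b"\x00" * ((4 - len(row) % 4) % 4)  # rows are padded to 4 bytes
    pixels = row * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    file_size = HEADER_LEN + len(info) + len(pixels)
    header = BMP_MAGIC + struct.pack("<IHHI", file_size, 0, 0, HEADER_LEN + len(info))
    return header + info + pixels


def make_polyglot_shaped_sample() -> bytes:
    """Constructed, inert file with the shape described in the text:
    'BM', a size field reading '/**', filler, then */ and a quoted string."""
    header = BMP_MAGIC + b"/**\x00" + b"\x00" * 8  # 14 bytes total
    return header + b"\xff\xff\xff*/='inert sample text';"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        for name, blob in (("benign", make_benign_bmp()),
                           ("polyglot-shaped", make_polyglot_shaped_sample())):
            print(name, scan_bmp_for_polyglot(blob))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_bmp_for_polyglot(fh.read()))
```

Run it with no arguments to see both constructed samples scored, or pass file paths to scan real creatives. Heuristic 2 is the cheapest and hardest to evade: any bytes that must double as comment syntax can no longer encode the true file length, so a size mismatch on a BMP creative is worth a second look even when the other checks are silent.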

Mobile malvertising

Smartphones and tablet PCs are becoming increasingly attractive for malvertising groups because users tend to worry less about these devices’ security. It’s also common to accidentally tap an ad when you’re using a smartphone.

Recent malvertising campaigns have targeted both Android and iPhone users. One such example is PayLeak, caught at the end of 2018. A Pulitzer Prize-winning publication based on the American West Coast served its readers with malicious ads. When the user clicked on it, the ad called a malicious domain registered in China. This malware was interested, for instance, in finding out what kind of device the victim was using, if it was protected by antivirus, and whether the victim was in motion or at rest. Android users were lured with an Amazon gift card which redirected them to a phishing site. Meanwhile, iPhone users received successive popups, which included fake instructions to update their Apple Pay account.

Mobile malvertising is in its infancy, says Michael Covington, vice president of mobile security company Wandera. “Attackers are still trying to determine what they can do with these often-unprotected channels to the device,” he says.

Mobile malvertising tends to fall into three general categories of intent. “The most prevalent use of malvertising is to deliver very clever in-app phishing attacks,” Covington says. Cryptojacking (using someone else’s computer to mine cryptocurrency) via the ad channel comes second. Wandera noticed that the number of devices impacted by cryptojacking grew by almost 300 percent month-over-month in late 2018.

The third type of malvertising campaign is one that’s designed to deliver malware payloads to the device. “While this is typically the least successful attack via ads, the attackers are constantly on the hunt for new means of sending bad apps to unsuspecting users,” says Covington.

How to protect against malvertising

Security researchers advise installing antivirus tools and keeping all software updated, including the operating system, browsers, Adobe Flash and Java. Even stronger protection can be achieved by avoiding the use of Flash and Java altogether.

Security experts don’t believe, however, that ad blockers are a solution because they could kill both the advertising industry and journalism. “Publishers like LA Times or NY Times rely on the ad dollars to pay journalists, photojournalists, editors, etc.,” says Devcon’s CEO, Maggie Louie. “If you just put an ad blocker browser up, you’ve essentially cut off all the revenue for the publisher.” Louie recommends tools such as Ghostery, which can filter bad ads while letting the good ones pass.

Most security companies believe that the malvertising problem cannot be solved by individual users. Media organizations, browsers and the advertising industry should all take more responsibility for what is happening, they say. Publishers, for instance, should only work with trustworthy ad companies, some researchers suggested, but even the reputable names in the industry have been impacted by malvertising. Phil Cowger, researcher at RiskIQ, recommends publishers and ad exchanges use security products “that give them visibility into the entire supply chain for advertising.”

Dangu has noticed a small improvement in how publishers deal with malvertising. More and more such organizations “are turning to real-time client-side detection that can block the malicious behavior right from the end-users’ browsers, while keeping the safe ads running.”

Browser vendors are also addressing malvertising, as attackers heavily rely on hijacking sessions using a technique called forced redirect. “HTML5 iframe sandboxing is a browser feature that's slowly gaining adoption to protect ad serving from hijacks,” Dangu says. “Google took its own initiative and developed a broader redirect blocker for cross-origin iframes.”

As malvertising groups become bolder and more devious, the best techniques to guard against them are a combination of an up-to-date system running security software and the necessary awareness to recognize scams, says Jerome Segura, head of threat intel at internet security company Malwarebytes.

“This is handled by the web protection component of solutions that can be a database of domains and IP addresses complemented by a heuristic engine,” he says. “Threat actors rotate their infrastructure quickly and rather than playing cat and mouse with them, you can identify many of their templates proactively.”

As for mobile malvertising, the best thing mobile users can do to stay safe is to avoid third-party app stores that don’t vet developers, says Covington. “We also recommend that organizations consider the use of a mobile threat defense solution to detect the broad set of risks that could possibly be delivered via malvertising.”

The future of malvertising

Security researchers believe that malvertising will likely thrive in the years to come, and criminal groups will become smarter, richer and more difficult to catch. Devcon’s Louie expects an increase in the use of polyglots. “I predict we will soon see many more advanced threats coming through the ads and a renaissance of watering hole attacks,” she says.

Dangu fears that threat actors will continue to blend in with the environment they operate in. “Just one or two short years ago, malvertising payloads were a lot more obvious in that the code looked like it didn't belong,” he says. “These days the attackers are getting better at leveraging native ad server functionality to look like they are part of the ad tech stack instead of third-party code.”

Most security companies expect malvertising groups to increasingly target mobile users, as some users don’t think they should install security products on their devices. In 2018, GeoEdge saw a 50 percent increase in mobile advertising attacks, and since the beginning of 2019, the company noticed a 67 percent increase in bad ads targeting the in-app environment.

Segura has noticed a similar trend. “Contrary to the desktop where multiple levels of protection already exist, mobile devices are very much prone to a variety of attacks due to lack of safeguards but also a lack of awareness from users themselves,” he says.

There are also a few silver linings. RiskIQ’s Cowger believes we’ll see a decline in the prevalence of JavaScript-based cryptocurrency miners, as a result of the death of Coinhive.

Others hope that the advertising industry will become more aware of the problem, which will lead to a growing demand for ad quality assurance tools and ad security. “User complaints lead more and more publishers to seek help, as they would like to protect their brand and assure a positive user experience,” says GeoEdge’s Silber.

Confiant’s Dangu is even more optimistic when it comes to what the advertising industry could do. Several initiatives aim toward sandboxed ad placement that the security community has contributed to, he says. “Once adoption around this achieves critical mass, most of these actors will be limited if they stick to their current efforts and will have to pivot to the next generation of malvertising payload, which remains to be seen.”