Hackers who employ malvertising techniques to target victims are getting more sophisticated, and that's bad news for publishers and marketers hoping to guard themselves against such threats.
Attackers are preying on users’ trust in certain sites to infect them via third-party ad content.
For example, from Sept. 8 to Sept. 15, 2015, the Forbes.com website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits, which then find security holes to infect users with malware, according to FireEye. The Daily Mail and YouTube were also hit around the same time period.
Cyphort, a California-based advanced-threat defense company, predicts that malvertising could soon become the No. 1 tactic of hackers, saying that attacks are rapidly increasing in both scale and sophistication. Some cybercriminals have gotten so sophisticated, they can infect viewers of these trusted sites even if they don’t click on the ad.
A big part of the problem is that security vendors can’t blacklist sites like Forbes or The Daily Mail, which millions of consumers use every day, and that makes those sites all the more appealing to cybercriminals.
Here's what marketers need to know about malvertising threats.
Apple users are no longer safe
Mac users are not immune to new and clever malvertising.
Until recently, Mac users were less likely to be affected by these types of attacks, primarily because the numbers are normally not favorable for hackers: According to Net Applications, the number of Macs in use stands at about 7.7% compared to 90.5% for Windows PCs.
But a new approach to malvertising allows a compromised website to determine which browser a viewer is using. Once it’s done so, the victim is pushed in different directions depending on the result.
If the browser runs on Windows, the criminals deliver a multi-exploit toolkit; if it's Safari, which runs only on OS X, they steer the victim to a fake user support URL almost identical to the one Apple offers for legitimate technical support. Once there, users are offered bogus software and services they are told will fix their computers.
This latest approach is raising the risk of malvertising for Apple users, who were previously less likely to fall victim to such attacks.
'Ad injection' malware, the latest threat
"Ad injections," the newest kind of online ad fraud malware, have become a growing threat for publishers and web users, ad fraud detection companies told the Wall Street Journal.
For ad tech platforms and publishers alike, ad fraud is an ongoing and growing concern. But while bot-driven clicks — the best-known type of online fraud — leave marketers paying for ads that are never actually viewed by real people, ad injection hits publishers that are serving ads on their sites. Visitors to websites end up seeing fraudulent ads layered over legitimate ads or in places where ads wouldn't normally be seen.
“From what we’re seeing, growth in ad-injection infection rates is higher than bots," Michael Tiffany, chief executive of White Ops, an ad fraud detection firm, told the Wall Street Journal. "There’s no question that ad bots inflating views is still profitable crime. I don’t want to say that’s unprofitable and there’s a switch, but we do think some people are shifting their payloads so that they’re doing less ad bot monetization and more ad injection monetization.”
Last week, the Trustworthy Accountability Group (TAG) took another step toward fighting various forms of ad fraud, like ad injections, and introduced its “Verified by TAG” system. The new system includes a payment ID system that requires vetting by TAG, and a whitelist of advertisers and publishers that have been approved by the group. Google, AOL and Omnicom are among many industry supporters.
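The two ad-injection symptoms described above (a fraudulent ad layered over a legitimate one, or an ad appearing where none is sold) can be checked from the publisher's side. The following is an added example, not part of the original article; the origins, slot names, snapshot format and the 50% overlap threshold are assumptions constructed for illustration.

```javascript
// Audit a snapshot of ad-like elements collected from a rendered page.
// Every origin, slot id and coordinate here is constructed sample data.

const ALLOWED_AD_ORIGINS = new Set(["https://ads.publisher.example"]);

// Slots the publisher actually sells, as on-page rectangles in pixels.
const DECLARED_SLOTS = [
  { id: "top-banner", x: 0, y: 0, w: 728, h: 90 },
  { id: "sidebar", x: 800, y: 120, w: 300, h: 250 },
];

// Fraction (0..1) of rectangle b that rectangle a covers.
function coverage(a, b) {
  const ox = Math.max(0, Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x));
  const oy = Math.max(0, Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y));
  return (ox * oy) / (b.w * b.h);
}

// Returns the URL origin, or null when src is not a parseable URL.
function originOf(src) {
  try { return new URL(src).origin; } catch { return null; }
}

// Flags every element that does not come from an allowlisted ad origin.
// "overlay" = sits on top of a sold slot; "undeclared-placement" = elsewhere.
function auditAdElements(elements, slots = DECLARED_SLOTS, allowed = ALLOWED_AD_ORIGINS) {
  const findings = [];
  for (const el of elements) {
    const origin = originOf(el.src);
    if (origin !== null && allowed.has(origin)) continue; // publisher's own ad
    const covered = slots.find((s) => coverage(el, s) >= 0.5);
    findings.push({
      src: el.src,
      reason: covered ? "overlay" : "undeclared-placement",
      slot: covered ? covered.id : null,
    });
  }
  return findings;
}

const SAMPLE_SNAPSHOT = [
  { src: "https://ads.publisher.example/creative/1", x: 0, y: 0, w: 728, h: 90 },
  { src: "https://cdn.injector.example/banner", x: 0, y: 0, w: 728, h: 90 },
  { src: "https://cdn.injector.example/popunder", x: 200, y: 600, w: 300, h: 250 },
  { src: "not a url", x: 810, y: 130, w: 280, h: 230 },
];

console.log(auditAdElements(SAMPLE_SNAPSHOT));
```

In a real page the snapshot would come from the publisher's own script enumerating iframes and images; findings are best reported to a server-side endpoint so infection rates can be tracked across visitors.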
How can marketers protect users from malvertising?
Malvertising has seen a rapid rise in sophistication in just the last few months. So what can marketers do about it?
For starters, marketing and publishing teams can keep in close communication with their company's IT team, and receive training similar to that prescribed for those team members. Although the biggest risks may be attributed to a small number of users, education must be provided to all users — even C-suite executives.
It's important that chief information officers (CIOs) at your companies are aware of malvertising threats. To help protect employees, devices, and networks, CIOs should ensure the security vendors they work with are up to date on the latest outside threats and able to respond to them in real time. The solution they employ should provide continuous monitoring and utilize strong web security devices to prevent access to websites associated with malvertising campaigns.
Separately, marketers can convert to HTML5, which might help because it is open source, so anyone can inspect it for vulnerabilities and submit fixes.
But the problem can't be solved by in-house staff alone, as ad networks can be infected by malvertising.
When it was revealed that Yahoo's ad network had been attacked by malvertising, Malwarebytes' Jérôme Segura explained to Ad Age that even though ad networks may already have systems in place to detect fraud, "they need to prepare themselves for what to do when they happen: what is the response, how fast can they react to an incident. Each second that goes by, somebody else is getting infected."
Segura suggested that when new advertisers sign on, they start by running campaigns on lower-profile sites with certain features disabled by default, rather than being allowed to push out campaigns on the main page.
"For example, they might only be able to carry text-based ads until they've been around for long enough that they're trusted and can now introduce more dynamic ads," he said.
Segura's advice for publishers was less rosy — unfortunately, there's not much they can do to mitigate the risk, outside of opting to work only with the most popular and well-regarded ad networks, such as Google's DoubleClick.
"These [ad networks] traditionally have more resources and stricter controls in terms of quality assurance in terms of the type of ads that go through," Segura said.