Why Malvertising is Cybercriminals' Latest Sweet Spot

Written by: Dryden Media Group

Security is always a game of measure vs. countermeasure, and malvertising is no exception. Now that smart attackers have discovered how to twist the nature of online advertising to their criminal ends, awareness and a number of responses are necessary to counter the threat.

Malvertising will thrive as long as it is worth attackers’ money, meaning the Web’s large population of unaware or otherwise susceptible victims will remain at risk. The complexity of the threat means there is no single solution, but important steps can be taken across the board.

First, the ad networks need to do a better job of policing the content they display. When even the largest and most well-resourced ad networks, like Google’s, are found to be aiding attackers, it should sound a call to action for the entire industry. Online advertising underpins a huge slice of the Web economy, so it is obviously against many diverse stakeholders’ interests for the public to increasingly associate online ads with malware and abuse.

Secondly, the reputable, high-traffic sites regrettably implicated in malware attacks – because of ad content on their pages that they fundamentally cannot control – will likely press for better content screening on the ad networks’ side. It is conceivable they will even vote with their wallets and prefer to do business with demonstrably more secure ad partners.

Third, individuals and organizations need to keep focusing on awareness of the problem and can turn to a few safeguards, regardless of whether the security of ad networks improves. There are browser settings and plug-ins like AdBlock, for example, which block the dynamic scripts and quiet connections ads use to display dangerous content. However, these changes have the side effect of also disabling useful features and interfaces on popular sites, making them not worth the effort for some users.

According to recent research, many traditional PC defenses like anti-virus and other endpoint protection software cannot reliably stop malvertising attacks. This is because these tools frequently cannot determine in time whether a Flash-powered banner ad, for example (which is not itself defined as malicious), is simply serving ad content or something more sinister.

When you consider malvertising-linked outrage, financial losses and device restoration/clean-up costs, you have to agree that the Web’s malicious actors have – unsurprisingly, yet again – proven adept at turning e-commerce’s latest features to their own, criminal ends. Attackers are banking on the reality that we cannot block every ad or hold every ad network to any kind of uniform security screening.

It is therefore even more urgent for influential ad industry figures to step up in response and for CIOs and CISOs to recognize and account for malvertising in the array of threats facing their devices and employees. Without focused action to curtail malvertising, we may soon long for the days when ads only planted songs in our heads instead of malware in our devices.

Rahul Kashyap is Chief Security Architect and Head of Research at Bromium.