Malvertising – the new silent killer

21.10.2015
Malvertising is the latest way for criminals to infect your computer with malware – and the only thing you need to do to allow it is to visit your favorite website that relies on advertising. 

That's because they're slipping bad code into ads that are put onto those websites through advertising networks. Big-name websites like Forbes, Huffington Post and the Daily Mail have been the focus of attacks.

A recent report by Cyphort found that malvertising spiked 325 percent in 2014. A more recent report shows that malvertising reached record levels this past summer.

"The technology aspect presents this great opportunity for malvertising people," says Fengmin Gong, co-founder and CSO of Cyphort. "That's why they've latched onto this opportunity." 

Not getting a handle on this issue could have profound effects on the revenue these websites draw from advertising, too, because too many of these breaches could push more readers to use ad blockers, with the safety of their data as the rationale.

Malvertising is so effective because you don’t even know it’s happening. There's no bad link you need to click, or file you must download, for the malware to get onto your computer. You just go through a regular routine that includes reading stuff on the web.

"You go to a website you've gone to 1,000 times before and unbeknownst to you, the ad we've all gotten good at ignoring is controlled by the criminal," says John Wilson, Field CTO at Agari. The ad exploits security flaws any way they can – in browsers, PDF views, Flash players – and runs bits of code until they find one that works. 

One reason malware is spiking now is that the complexity of online ads allows it. The days of an ad being an image and a link are over. All that code that allows ads to move and dance and sing also presents more opportunities for bad code to slip from the ad onto your computer. "That technology has gotten so sophisticated," says Gong. "From a technology point of view, it's the perfect fit for this malicious element."

Another problem: Most users don't know their computer is infected until something disappears – their identity, their money… "As a consumer, the first time that you know anything's wrong is probably going to be someone initiated a $30,000 wire transfer out of my bank account and I have no way of understanding how that even happened," says Wilson.

As consumers, there's not much to be done except make sure our computers are up to date with every security patch and fix – though Wilson points out that may not be enough to stop new bad code before it slips in. 

For sites that use these ad networks, limiting who can advertise on your site can cut back on the chance you're going to serve up malvertising. "Most of these ad networks allow you a wide array of which type of ads you'll accept," says Wilson. "I'll accept ads from IBM, Dell and Oracle, but I'm not going to accept ads from just any random unknown person." 

Websites that use ad networks should also make sure their security is up to date, says Kowsik Guruswamy, CTO of Menlo Security. In a March report, Menlo Security found that of the top million ranked domains on Alexa, one third are running software with security gaps. "There are domains out there running software that hasn't been updated in years," he says. "We're seeing sites that are running software from 2010 that have known vulnerabilities." 

Running regular scans against your own website can help, too. "That's a little bit tough because the ad is going to be different every time you go to the site," says Wilson, but it's worth doing.
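
One way to approach such a scan despite rotating ads, as an added example (not code from the article or from anyone quoted in it): save the page's HTML on repeated visits and report every host serving scripts, frames or plug-in content that is not on your approved list. The host names and the allowlist are hypothetical, and the snapshots are constructed sample data.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site operator has approved (hypothetical names).
ALLOWED_HOSTS = {"www.example-news.test", "ads.approved-network.test"}

class ResourceHosts(HTMLParser):
    """Collect hosts of resources that can run code or load documents."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            host = urlparse(url).hostname  # None for relative (same-site) URLs
            if host:
                self.hosts.add(host.lower())

def unexpected_hosts(snapshots, allowed=ALLOWED_HOSTS):
    """Return {host: number of snapshots it appeared in} for unapproved hosts."""
    seen = Counter()
    for html in snapshots:
        parser = ResourceHosts()
        parser.feed(html)
        seen.update(parser.hosts - allowed)
    return dict(seen)

# Constructed sample: three fetches of the same page with a rotating ad slot.
SNAPSHOTS = [
    '<script src="/static/app.js"></script>'
    '<iframe src="https://ads.approved-network.test/slot?id=1"></iframe>',
    '<script src="https://www.example-news.test/app.js"></script>'
    '<iframe src="https://cdn.unknown-bidder.test/creative.html"></iframe>',
    '<iframe src="//ads.approved-network.test/slot?id=1"></iframe>'
    '<embed src="https://cdn.unknown-bidder.test/banner.swf">',
]

if __name__ == "__main__":
    for host, count in sorted(unexpected_hosts(SNAPSHOTS).items()):
        print(f"{host}: seen in {count} of {len(SNAPSHOTS)} snapshots")
```

Saved HTML only shows hosts present in the markup; anything an ad script pulls in at runtime needs a rendered capture fed through the same check.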

(www.cio.com)

Jen A. Miller