
How Malvertising Has Become More Dangerous


Ads have been widely accepted as a part of the user experience, from television and radio to websites and mobile applications. However, online advertising has become more than a minor nuisance in recent years as Internet criminals have ramped up their efforts to spread malware through ads.


Malvertising is the practice of hiding malicious code in seemingly safe online ads, causing the user’s computer to be infected with malware. Although malvertising has been happening for years, these attacks have become more sophisticated. Previously, malware could only be spread if a user clicked an ad. Modern malvertising campaigns can spread malware when the web page loads. This kind of “drive-by download” doesn’t require the user to click, making it extremely difficult to detect. The malicious ad then uses a browser exploit kit to search for and exploit vulnerabilities and deliver ransomware, spyware and other dangerous malware.


Malvertising used to be limited to somewhat disreputable websites, but recent attacks have been launched on trusted, high-traffic websites. In many cases, the websites themselves aren’t hacked. Instead, the advertising networks that deliver ads are compromised. This allows criminals to microtarget specific industries, such as defense and banking, or even specific organizations and users. Malvertisers use precise targeting criteria to zero in on certain zip codes, IP address ranges or users with certain browsing habits. They then leverage real-time ad bidding to guarantee delivery of their ads for minutes at a time to prevent detection.


According to the Online Trust Alliance, the number of malicious ad impressions rose to 12.4 million in 2013, a 225 percent jump from 2012. Although microtargeting is becoming a bigger problem, most malvertising campaigns are more widespread as criminals seek to infiltrate as many devices, networks and organizations as possible.


A recent malvertising campaign compromised three major ad networks in September and October of this year. Proofpoint, a corporate security solutions provider, estimates that more than 3 million users of websites such as Yahoo, AOL, and The Atlantic were attacked with malware each day. Although the issue has been addressed, millions of user computers may be infected with Cryptowall, a form of ransomware that prevents access to data unless the user pays hundreds or even thousands of dollars.


Prevention of malvertising attacks begins with a secure web gateway that inspects traffic multiple times, including before, during and after an attack. Before an attack, URL filtering can block known threats and certain categories of URLs, while web reputation filtering assesses a URL’s reputation based upon how long the URL has been free of malware. Because malware has been known to slip past these tools, real-time malware scanning should be used to block known threats before they reach user files and alert administrators. Retrospective security should continue after an attack to track, contain and remediate infected files.
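The before, during and after stages described above can be sketched as follows. This is an added example, not code from the original article or from any gateway product; the hostnames, client addresses, payload and the 30-day reputation threshold are constructed assumptions. It shows a payload from a long-trusted ad network passing both URL checks, and the retrospective step identifying which clients already received it.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample policy; hostnames and threshold are assumptions.
BLOCKED_HOSTS = {"ads.bad.example"}
BLOCKED_CATEGORIES = {"gambling"}
MIN_CLEAN_DAYS = 30

@dataclass
class Gateway:
    categories: dict = field(default_factory=dict)  # host -> URL category
    clean_days: dict = field(default_factory=dict)  # host -> days free of malware
    known_bad: set = field(default_factory=set)     # SHA-256 of known malware
    history: list = field(default_factory=list)     # allowed (client, host, sha256)

    def inspect(self, client, host, body):
        # Before: URL filtering on known threats and blocked categories.
        if host in BLOCKED_HOSTS or self.categories.get(host) in BLOCKED_CATEGORIES:
            return "block:url-filter"
        # Before: reputation from how long the host has been free of malware.
        if self.clean_days.get(host, 0) < MIN_CLEAN_DAYS:
            return "block:reputation"
        # During: real-time scan of the payload against known-bad hashes.
        digest = hashlib.sha256(body).hexdigest()
        if digest in self.known_bad:
            return "block:malware-scan"
        # Allowed, but recorded so a later verdict can be applied afterwards.
        self.history.append((client, host, digest))
        return "allow"

    def retrospective(self, digest):
        # After: a delivered file is found malicious; list who received it.
        self.known_bad.add(digest)
        return sorted({(c, h) for c, h, d in self.history if d == digest})

def demo():
    gw = Gateway(categories={"bets.example": "gambling"},
                 clean_days={"adnet.example": 400, "new-ads.example": 2})
    ad = b"constructed ad payload"  # stands in for a malicious ad not yet known
    verdicts = [gw.inspect("10.0.0.5", "ads.bad.example", b"x"),
                gw.inspect("10.0.0.5", "bets.example", b"x"),
                gw.inspect("10.0.0.5", "new-ads.example", b"x"),
                gw.inspect("10.0.0.5", "adnet.example", ad),
                gw.inspect("10.0.0.9", "adnet.example", ad)]
    exposed = gw.retrospective(hashlib.sha256(ad).hexdigest())
    verdicts.append(gw.inspect("10.0.0.7", "adnet.example", ad))
    return verdicts, exposed

if __name__ == "__main__":
    print(demo())
```

The two clients returned by the retrospective step are the ones to contain and remediate; the same payload is blocked at scan time for every later request.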


An enhanced, more insidious version of the malware, Cryptowall 2.0, was released just several weeks ago. In a future post, we’ll discuss the specifics of Cryptowall 2.0 and steps you can take to protect your network from future attacks.