Booming attack vector offers mass malware distribution, stealthy targeting.
Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.
Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have them served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.
Ads were identified as an attack vector in 2007, when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year’s end William Salusky of the SANS Internet Storm Centre had concocted a name for the attacks.
Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions.
It is a scourge that, according to malvertising research, will inflict up to US$1 billion in damages this year, making the threat difficult to overstate. June was at the time the worst month for malvertising in history. The record was usurped the next month. Now some researchers say August might be next.
The threat, coupled with privacy concerns, is driving users to block ads. PageFair statistics indicate some 198 million users operate ad blocking software, up by 41 percent globally since last year, and digging a $22 billion hole in the online ad industry.
“Malvertising is one of the biggest vectors for mass compromise out there,” says Jason Schultz, technical leader of Cisco’s Talos threat research team. “There is not much vetting (of ad buyers) going on at all, and unfortunately the big sites are displaying these ads.”