Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click


Malvertising is when hackers buy ad space on a legitimate website and, as the name suggests, upload malicious advertisements designed to hack site visitors’ computers.

The news page looked perfectly innocent. Apart from the reams of celebrity gossip stories and throw-away magazine layout, nothing about the website for UK news site The Daily Mail seemed particularly malicious. But, if you visited the site in October, you might have fallen victim to a sophisticated hacking campaign without even realizing it.

In the background of The Daily Mail, third-party advertisements were surreptitiously and automatically redirecting readers to powerful exploit kits, designed to install malware on their computers.

This is the booming trade of malvertising: where cybercriminals rent out ads on sketchy corners of the Internet and popular sites alike, in order to infect the computers of as many people as possible.

Plenty of Popular Sites Have Been Targeted

Malvertising dates back to at least 2009, when some visitors to the New York Times were met with a pop-up posing as an anti-virus scanner. The Daily Mail attack was only one of many recent examples to hit mainstream sites.

Popular porn sites YouPorn and Pornhub dished out malicious ads in September as well, and a month earlier, the Huffington Post, a site with 100 million unique monthly visitors, was serving up malware. In fact, that wasn’t even the first time that HuffPo had fallen victim to such an attack: a similar campaign also went up in December 2014, which continued through January of this year. Both DrudgeReport and Yahoo! were also hit by malvertising campaigns this year, and Forbes fell victim in September.

If that sounds like a lot, it’s because it is: Researchers at malware-security company Cyphort reported a 325 percent increase of malvertising attacks between June 2014 and February 2015.


How Malvertising Works

Although each attack can vary, malvertising follows a fairly standard process. First, an attacker signs up on an ad network. These are the companies that pump ads into the sites you use, and which sell ad space to companies that want to show off their products.

They act as middlemen between the website wishing to sell its spare ad space, and the party with the advertisement. The ad creator uploads their content to the ad network’s central server, which then sends the ad’s code off to the website when needed.

Next, the hacker takes advantage of this exchange, impersonating a reputable business to upload their own ad—most likely a Flash-based piece of content, or one that contains a load of malicious JavaScript, according to Jérôme Segura, a senior security researcher from Malwarebytes.

When you visit the site, the kind of ad you’re served is determined when you arrive. This is done through a process called Real Time Bidding (RTB): ad buyers pay for a certain number of ad impressions beforehand, and for a specific user demographic. Then, when someone visits the site, whoever has the biggest bid for that particular demographic of user wins, and gets their ad served on the site.

But, if it’s a case of malvertising, once you load the page, the ad appears and its code then redirects you to a webpage hosting an exploit kit, without you even clicking on the ad. This will likely happen in the background, through an iFrame–a piece of web content invisible to the naked eye–without any interaction from you. In fact, it might not even be obvious that it is happening at all.

“The landing page’s job is essentially to determine if there are any vulnerable plugins within the computer,” Segura said. It might see what browser you are using, then look for Flash, or another piece of vulnerable software.

Finally, the page will push the exploit, and download to your computer whichever malware the attacker is using. Malvertising sometimes delivers ransomware, the crafty hack that locks a computer’s files until the victim pays a fine, while other forms of malvertising send out banking trojans to steal financial information.
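The invisible iFrame step described above is something an ad network or publisher can look for in a creative's markup before it is served. The following is an added example, not code from the article or from any ad platform; the host names, the allowlist and the sample creative are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline-style patterns that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)

# Constructed sample: hosts the ad slot is expected to load from, and a creative.
ALLOWED_HOSTS = {"ads.adnetwork.example"}
SAMPLE_CREATIVE = """
<iframe src="https://ads.adnetwork.example/banner" width="300" height="250"></iframe>
<iframe src="//landing.redirect.example/gate" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
<iframe src="https://video.partner.example/player" width="300" height="250"></iframe>
<iframe src="//ads.adnetwork.example/sync" style="display:none"></iframe>
"""

class HiddenIframeScanner(HTMLParser):
    """Collects iframes that are invisible and load from a non-allowlisted host."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if {a.get("width"), a.get("height")} & {"0", "1"}:
            reasons.append("0/1px dimension attribute")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding inline style")
        host = urlparse(a.get("src", "")).hostname  # handles //host/path too
        # Flag only the combination: invisible AND pointing at an unexpected host.
        if reasons and host and host not in self.allowed_hosts:
            self.findings.append({"src": a["src"], "host": host, "reasons": reasons})

def scan_creative(markup, allowed_hosts):
    """Return one finding per hidden, off-allowlist iframe in the ad markup."""
    scanner = HiddenIframeScanner(allowed_hosts)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
```

This inspects static markup only; an iFrame that a script creates at render time does not appear in it and has to be caught by rendering the creative in an instrumented browser.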

It’s important to note that not everyone visiting an affected site is guaranteed to get hacked. Indeed, some ads will only load for people in certain countries or demographics, because of targeted RTB. And if you have taken adequate protections, your computer might not even be vulnerable to that particular attack at all.

That said, many malvertising campaigns use the popular Angler exploit kit, which, according to a recent Cisco report, can have a success rate of up to 40 percent globally. On top of this, a spate of recent attacks have utilized zero-day exploits, which means that even fully up-to-date software could be compromised—but attacks using those are relatively rare at this point.

More recently, hackers have been taking advantage of HTTPS, making it more difficult to track them down.

How Can Malvertising Be Stopped?

It’s up to users, site developers and the ad networks themselves to mitigate the problem of malvertising.

Hélène Barrot, a representative from Google, told WIRED in an email that DoubleClick, the company’s ad platform (which has inadvertently been a part of malvertising campaigns), has taken a number of different approaches. It collaborates with industry partners, publishes research into malvertising, and uses malware detection tools. “In 2014, we disabled more than 524 million bad ads and we banned more than 214,000 bad advertisers,” Barrot said.

Segura doesn’t think that better ad scanning is going to help, though: There are just too many things to watch out for. Instead, he feels the barrier of entry should be raised, by imposing a large minimum fee for people signing up for ad networks, creating a bigger financial risk for criminals to take.

At the moment, malvertising is incredibly cheap for cybercriminals to carry out. For some ad networks, hackers are “able to put malicious ads in front of a thousand people for only 30 cents. You can’t get any cheaper than that,” Segura said.

Segura suggests that if publishers don’t want to risk subjecting readers to malvertising, perhaps they could consider other forms of supporting themselves, such as native advertising or sponsored content. But that is not a reasonable option for most major web publishers, because many rely on the billion-dollar advertising industry to keep the lights on.

What you can do to protect yourself is keep your software totally up to date, and Segura recommended using anti-virus software too. You could also think about running an ad blocker. Even if you don’t agree with their use, or think they only tackle the symptom of malvertising rather than the problem itself, blockers do give readers control over what their system is exposed to.