Revelations by security researchers this week are showing just how prevalent malicious advertising, better known as malvertising, has grown on the biggest publishing sites on the web. According to reports out from Black Hat, this year has seen nearly a three-foldase of malvertising on the web as attackers take advantage of the third-party trust inherent in complicated advertising networks. Meanwhile, the industry saw this trend in action as news broke this week of two separate large-scale malvertising attacks underway, one of which hit Yahoo for the better part of the last week.
Malicious advertising has been a hot-button issue for several years now, as business savvy crooks take advantage of the numerous layers present within the programmatic advertising ecosystem, which uses software to buy and sell advertising.
“Malvertising campaigns exploit a number of systemic weaknesses within the web’s ecosystem. These campaigns target verification and validation weaknesses in the ad networks and platforms," says Lane Thomas, security research and software development engineer at Tripwire. "Then, after successfully gaining access to these ad systems, the associated attackers take advantage of scale and lax patching. Scale is an issue here because one successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads."
For example, in the recent Yahoo attack, the malicious ad was placed through the web giant's relationship with a trusted advertising distribution partner, AdJuggler. It was actually AdJuggler which was hit by malicious actors who placed ads within that advertising platform. By doing so, they were able to pass ads laden with malcode through the distribution company and onto sites like Yahoo. As in many instances of malvertising, the malicious ad worked in the background to silently redirect user machines to websites hosting the Angler Exploit Kit to infect them on the sly.
The inability of the security and advertising communities to truly address these inherent weaknesses has lead to a drastic rise in malvertising of late. Published by RiskIQ, one report out at Black Hat showed that across the 2 billion publisher pages and 10 million mobile apps monitored by the company, the prevalence of malvertising has shot up in the first half of the year by 260 percent compared to the same time period in 2014. Additionally, the number of unique malvertising attacks jumped up by 60 percent. Meanwhile, another report out last week from Bromium Labs showed that 58 percent of malvertisements were delivered through reputable news websites. According to the report, notable sites unknowingly hosting malvertising in the first half of the year included cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com.
When attackers want to trick users into installing malware using malvertisements, the most common lure is Fake Flash updates, which overtook fake antivirus and fake Java updates for the number one spot this year, according to the Risk IQ report. Overall, Risk IQ reports that fake software updates that require user consent this year surpassed exploit kits that silently infect machines as the most common technique used by malvertisers.
But the fact is that exploit kits are still wildly popular among malvertisers, as evidenced not only by the Yahoo attack but also another campaign that researchers with Trustwave spilled the beans on in the run up to Black Hat. They reported that they've been tracking an ongoing malvertising campaign over the last six weeks that has served been served up to 3.5 million people and infected over 1.3 million victims using a different crimeware kit called the Rig Exploit Kit.
Exploit kits just exacerbate the weaknesses Thomas detailed, as many endpoints are poorly patched today.
"Exploit kits focus largely on vulnerabilities in Adobe Flash, Java, and Silverlight along with vulnerabilities in the core web browsers themselves, and exploit kits thrive because so many end users don’t keep their software patched and updated," he says.
He believes the industry has two areas that it needs to work on in order to tackle the malvertising problem.
"First, ad networks and platforms need to enhance their verification and validation processes. Attackers have a huge incentive to penetrate these systems. Further, ad networks and platforms have a lot to lose in terms of consumer trust. If large scale malvertising campaigns such as this continue, consumers will lose more and more trust in these ad services, which can ultimately lead to financial losses for the ad organization," he says. "Second, end users need to be vigilant when clicking advertising links and should always keep their software patched and updated.”