Product Code Database
Malvertising (a portmanteau of "malicious software (malware) advertising") is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and Web page. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising has been described as "attractive to attackers because it 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."
Malvertising can be extremely hard to combat because it can quietly work its way into a webpage or webpage advertisement and spread unknowingly: "The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from... infections delivered through malvertising silently travel through Web page advertisements." It is able to expose millions of users to malware, even the most cautious, and is growing rapidly: "In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising." Attackers have a very wide reach and are able to deliver these attacks easily through advertisement networks. Companies and websites have had difficulty diminishing the number of malvertising attacks, which "suggests that this attack vector isn’t likely to disappear soon."
Malvertising affects every part of the digital advertising chain differently. From platforms to publishers, and all the way down to the end-user who may have been the victim of a malvertising attack, everyone is affected. Malvertising often involves the exploitation of trustworthy companies. Those attempting to spread malware place "clean" advertisements on trustworthy sites first in order to gain a good reputation, then they later "insert a virus or spyware in the code behind the ad, and after a mass virus infection is produced, they remove the virus", thus infecting all visitors of the site during that time period. The identities of those responsible are often hard to trace, making it hard to prevent the attacks or stop them altogether, because the "ad network infrastructure is very complex with many linked connections between ads and click-through destinations."
Some malvertisements can infect a vulnerable computer even if the user never clicks on the (normal-appearing) advertisement.
In 2010, malvertising took off. Marketing analysts ClickZ noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3500 sites carrying malware. In the same year the Online Trust Alliance formed a cross industry Anti-Malvertising Task Force. In 2011, Spotify had a malvertising attack which used the Blackhole exploit kit – this was one of the first instances of a drive-by download, where a user does not even have to click on an ad to become infected with malware. Symantec added malvertising as a section in their Internet Security Threat Report 2013 in 2012. Symantec used scanning software across a series of websites and detected that half of them were infected with malvertising. In 2012, the Los Angeles Times was hit by a massive malvertising attack which used the Blackhole exploit kit to infect users. It was seen as part of a general campaign of malvertising to hit large news portals – this strategy carried on into subsequent years with attacks on huffingtonpost.com and The New York Times. The growing intensity of malvertising continued in 2013, when a major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion. The malware exploit was based on the commonly used web attack, Cross-site scripting (XSS), number three in the top ten web attacks types identified by the Open Web Application Security Project (OWASP). The attack infected users' machines with the ransomware Cryptowall, a type of malware that extorts money from users by encrypting their data and placing a ransom of up to $1000 in bitcoins, to be paid in seven days, to decrypt the data. In 2014, there were major malvertising campaigns on the DoubleClick and Zedo ad networks. Various news portals, including The Times of Israel and the Hindustan Times, were affected. As in previous attacks the cybercrime involved Cryptowall as the malware infection. This spate of malvertising was believed to have brought over $1 million of ransom money in by infecting over 600,000 computers.
According to McAfee's February 2015 Threat Report, malvertising was beginning to grow quickly on mobile platforms in late 2014 and early 2015. Additionally, in 2015, there were malvertising campaigns on eBay, Answers.com, talktalk.co.uk, and wowhead.com, among others. The campaigns involved breaches of ad networks, including DoubleClick and engage:BDR. There was also a report of possibly the first "political malvertising" campaign by pro-Russian activists, which was based on a botnet, which then forced users' machines to visit bogus sites that generated ad revenue for the activists. The users also ended up at several pro-Russian propaganda videos.
In 2021, ransomware gang REvil was spotted using paid positioning in Google Search results to deliver malicious files to victims. Malvertising cash or cryptocurrency giveaway campaigns with actors masquerading as popular figures including YouTuber MrBeast, Elon Musk, and others have been seen across many advertising platforms and social media sites. In 2022, reports surfaced of Native advertising on google search masquerading to be various software download pages (oftentimes open source), leading users to instead download ransomware, info stealer, or redirect them to tech support scams
|
|
