When Good Ads Turn Bad: The New Threat from Malvertising

This post originally appeared on BT SecureThinking:

Online advertising is a huge multi-billion dollar business, supported by large multi-layer ad network infrastructure. And it is effective not only for legitimate advertisers, but also for cyber criminals. Indeed, in our latest 2011 Web Threat Report, malvertising (as in Malicious Advertising) has come from nowhere to arrive at the number three position in their “top ten” methods for web attack in 2010.  Let’s look at how this new phenomenon works, and draw some conclusions about how best to confront it.

Ad networks operate on an Affiliate Marketing model, where advertisers place campaigns with a large number of publishers – large and small — that are paid media fees by referral on some measurable action that tracks traffic to the advertiser. With many degrees of separation and automation between the merchant placing the ad and the space where the ad ends up being placed, reputations and trust are often assumed or inherited through the layers of the affiliate network.

Cyber crime loves to leverage other people’s trust and reputation — as well as their infrastructure — to deliver malicious software to as many people as possible. Injecting a malicious ad into a legitimate ad network enables the cyber criminal to cast a very large net without necessarily making a splash that can be detected.

Like a sleeper cell in a spy novel, patience then pays. Taking time to develop clean reputations within ad networks, and passing multiple sweeps for malware, cyber crime develops valuable and trusted positions within Web advertising structures before launching attacks, leading to a very successful campaign. When the sleeper awakes, routing behind the ad is transformed to take the view or the click-through to a malware host, and the malware connections are able to do their worst in their targeted campaign. Then the next day, they’re gone.

When faced with malvertising, your security systems can’t rely on reputation to decide which ads to block. Instead, we need to look to advanced security systems that rate web properties and the ads they depend on in real-time. Cyber crime’s malvertising tactics tend to launch attacks over the weekend when IT resources are low, defense updates are waiting to be applied and an attack is less likely to be noticed. Remember, classic web defenses are geared towards updates – a new database has to be applied before the security systems can act on the new threat.

Similarly, we can’t rely on waiting for a “security update” to be applied to the user’s computer. It’s probably going to be too late. If your security system has any kind of regular “Click here to update definitions file” requirement, it will likely fail to protect your users, especially on the weekend.

Protecting users at home or on the road — or even at the office – has to be provided on-demand, and you should look to security systems that are based on some kind of cloud-based security model that offers pre-emptive awareness of modern malware techniques like malvertising, and offers on-demand protection against attacks.

Do you have the proper protection in place?

Posted by Dave Ewart in : From the Experts Secure, No Comments

LEAVE A REPLY

  • Resources

  • Archives

  • Latest Tweets

    threatresearchthreatresearch: @bc_malware_guy Thanks Chris, looking forward to exciting times ahead! Let's try to talk this week if you can.
    7 minutes ago
    bc_malware_guybc_malware_guy: @threatresearch welcome aboard! this is going to be fun... :)
    3 hours ago
    CISecurityCISecurity: The Exploit Kit "Four Horsemen" @bc_malware_guy @BlueCoat http://t.co/TSyLFWl3d9
    10 hours ago
    CISecurityCISecurity: Malnet: Wrath Of The Gods @bc_malware_guy @BlueCoat http://t.co/Behl3GOEsC
    10 hours ago