As the practice of delivering malware through online ads becomes increasingly popular among cyber criminals, the advertising industry has to rethink how it handles online advertisements.
In the month of August alone, researchers at the antivirus firm Malwarebytes have found and reported several so-called malvertising campaigns, including the big campaign that inserted malicious ads into the ad network used by Yahoo and its subsites, such as News, Finance, and Games. The same bad actor also tricked the ad network used by eBay. Similar campaigns impacted visitors to dating site PlentyOfFish and the media content site for Australian telecommunications provider Telstra this week, and the same ad network displayed malicious ads on MSN, Malwarebytes said.
The malvertising campaign that tripped up Yahoo.com visitors was the work of a Russian threat actor called Fessleak, said Patrick Belcher, director of security analytics at Invincea. Fessleak purchased video display advertisements via a real-time ad bidding network to target Yahoo visitors and infect them with click-fraud bots and deliver ransomware. It turns out Fessleak always includes Flash zero days in his campaigns, making it easier to target a large number of victims who would have no chance to patch those flaws.
The zero-day exploits from the Hacking Team, the maker of government surveillance software, breach becoming public last month "was a bonanza" for Fessleak, Belcher said. While Adobe has patched the vulnerabilities, users who have not yet applied the updates are susceptible to the attack.
The mechanics of malvertising
A malvertising campaign is essentially two parts: The advertisement itself, which typically redirects victims to a different website, and the attack website, which typically hosts an exploit kit, such as Angler or Nuclear.
The exploit kit is packed with several different attack methods and looks for unpatched software or other vulnerabilities to push the payload -- malware for click fraud and botnets, ransomware, and banking Trojans, to name a few types -- onto user machines. Exploit kits including Flash zero days are popular at the moment, Belcher said.
In the case of Telstra, visitors saw a malicious ad purporting to be a Lamborghini Gallardo for sale, but the shortened URL (via Google's link shortener) sent users to a separate website with a Nuclear exploit kit pushing a banking Trojan, according to Jerome Segura, a researcher with Malwarebytes.
The criminal doesn't really have a specific site or user group in mind when introducing malicious ads into the ad network, but rather a category of sites or a profile of a typical victim. The network decides when and on which site to display the ad, depending on the categories specified by the advertiser. Fessleak targets commerce sites, for example, but another popular target is the broadband category, which include sites owned by ISPs and telcos, such as Telstra, Belcher said.
Malvertising campaigns increased 325 percent in the past year, according to a report from Cyphort Labs this week. A similar report from Risk IQ found malvertising grew 260 percent in the first half of 2015 compared to the same period in 2014. And earlier this month, Invincea found malvertising as one of the biggest threats to endpoint security, causing an estimated $525 million in damages in the first six months of 2015. The findings prompted Belcher to dub June "the worst month of malvertising basically ever."
Tricking the ad network
To start a campaign, the criminal first has to trick the ad network into accepting its advertisements. Many ad networks make it easy to get started as an advertiser, with an open enrollment form and a fairly low fee. If the attacker is using compromised credit card or money earned from other online scams, $400 or so is not a serious barrier to entry, Belcher said.
This easy access is why some of the smaller ad networks recently have banded together to establish best practices, such as banning open enrollment and imposing higher entry fees, he said. Requiring in-depth background checks and spending commitments as much as $5,000 a month generally stops the scammers.
"Malvertisers are notoriously cheap," Belcher said. They are trying to maximize their profits and don't want to pay higher fees monthly.
Another way malvertisers trick ad networks into treating them as legitimate advertisers is by initially showing clean, innocuous collateral. Once the ad network has approved the ads, the advertiser can swap in malicious ads pointing to an attack website without the network noticing. This is even easier if the advertiser is allowed to host ads on its own servers instead of on the ad networks' servers.
This lets malvertisers look at incoming IP addresses so that it knows to show the clean collateral to the ad networks' scanners and the malicious one to everyone else.
While some of the larger ad networks require all the ads to be hosted on their servers, that isn't always the case. The ad networks may not want to pay for the cost of serving up all the ads, or advertisers may want to keep the ads in order to collect better metrics. If the ads are all hosted by the network, it would be harder for the ads to be swapped, but the advertising industry as a whole hasn't moved toward that practice yet.
The industry recognizes malvertising problem and is working to establish best practices, Belcher said. It's not necessarily a technology problem, since the criminals are able to defeat the scanners and other mechanism in place. This is where best practices and new processes have to be in place to ensure only legitimate advertisers can get into the networks, he said.
The fact that Hacking Team's exploits were included in the kits used in the recent spree of malvertising attacks didn't surprise researchers, since kit maintainers regularly update their tools to include Flash zero days. Angler and Nuclear, both named in recent malvertising campaigns, are among the handful of exploit kits popular among cyber criminals today. In fact, Angler is one of the quickest to adopt newly revealed zero days into its list of attacks and was the first to weaponize zero days from Hacking Team.
Thanks to exploit kits, criminals no longer need to have a high level of skill to launch a campaign with sophisticated tools, said George Kurtz of Crowdstrike. "The marketplace lets you buy what you need," Kurtz said.
Forming a defense
Malvertising exploits normal Web behavior, where users go to websites and see advertisements alongside whatever content they are interested in, and as a result, it's a difficult attack vector to block. Enterprises and users should keep the operating system and installed software up to date with the latest patches so that exploit kits don't have easy flaws to target. Antimalware and other security software can check and block actual payloads as they are downloaded, so it's essential they are always up to date. Enterprises can adopt other tactics, such as whitelisting URLs, filtering URLs based on the Web reputation, or using technologies like secure Web gateways to analyze links in real time.
Turning off Flash in browsers and making all third-party plug-ins click-to-play stop some bad ads, but it's important to keep in mind that not all malvertising relies on Flash vulnerabilities. However, if the attack vector is relying on advertisements on the Web page, then it seems rational that the best way to protect against malvertisements is to use ad blockers so that none of the ads get delivered to the Web browser in the first place.
Advertisers don't like ad blockers, but they may need to reconsider their stance. Adobe and PageFair estimated loss of global revenue due to blocked advertisements in 2015 at more than $21.8 billion, and while their numbers may be biased, the fact remains that ad-blockers threaten the industry's bottom line.
But ad-blockers are increasingly popular. Adblock Plus, one of the better-known ad blockers, has seen download numbers between 2.5 million and 3 million per week, said Ben Williams, a spokesperson for Adblock Plus. The numbers went up in 2014 after a series of malvertising attacks against well-known brands and have been constant since then. "Just goes to show you that more and more people are aware of the dangers posed by renegade ads and know how to protect themselves against them," Williams said.
Ad-blockers ensure no ads -- good or bad -- reach the users. The advertising industry needs to figure out how to protect users from malicious ads proliferating and infecting millions of Internet users with malware. The industry doesn't need more reasons for people to dislike ads.