Working in ad security and verification at GeoEdge, I get a ringside seat to see how the Security Lab develops the technology to protect against malvertising attacks and infections. And it makes me think about how malvertising came to be. So I decided to look into the matter further – and then share the info with you good people.
2007/2008: The first recorded sighting of malvertising in the wild was back in late 2007 / early 2008. This threat was based on a vulnerability in Adobe Flash (something that has continued to this day – see later) and affected a number of platforms, including some oldies but goodies: MySpace, Excite and Rhapsody (remember those?).
2009: The NY Times online magazine was found to be serving up an ad that was part of a larger click fraud scam. The scam created a botnet of malware-infected computers, nicknamed the Bahama botnet, that then went on to be used to carry out click fraud on pay-per-click ads all over the web.
2010: Malvertising really takes off. Marketing analysts ClickZ noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3500 sites, carrying malware. In the same year, the Online Trust Alliance formed a cross-industry Anti-Malvertising Task Force.
2011: Spotify suffers a malvertising attack which used the ‘Blackhole’ exploit kit – this was one of the first instances of a drive-by download, where a user doesn’t even have to click on an ad to become infected with malware. According to the Bluecoat Security Systems Report, 2011 saw an increase of 240% in malvertising-based malicious sites.
2012: Symantec includes malvertising as a section in their Internet Security Threat Report 2013, which looked back at the landscape in 2012. Symantec used scanning software across a series of websites and detected that half of them were infected with malvertising. In 2012, the LA Times was hit by a massive malvertising attack which used the Blackhole exploit kit to infect users. It was seen as part of a general campaign of malvertising to hit large news portals – this strategy carried on into subsequent years with attacks on huffingtonpost.com and the NY Times.
2013: A major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion. The malware exploit was based on the commonly used web attack Cross Site Scripting (XSS), number three in the top ten web attack types identified by the Open Web Application Security Project (OWASP). The attack infected users’ machines with the ransomware ‘Cryptowall’, a type of malware that extorts money from users by encrypting their data and demanding a ransom of up to $1000 in bitcoins, to be paid in 7 days, to decrypt the data.
2014: There is a 325% increase in malvertising attacks according to security firm Cyphort. 2014 saw major malvertising campaigns against the Google DoubleClick and Zedo ad networks. Again, news portals including Times of Israel and the Hindustan Times were affected. As in previous attacks, the cybercrime involved Cryptowall as the malware infection. This spate of malvertising was believed to have brought in over $1 million of ransom money by infecting over 600,000 computers.
2015: Malvertising has truly come into its own. This year has seen attacks against eBay, answers.com, talktalk.co.uk, wowhead.com and many others. There have been breaches of ad networks, including DoubleClick and engage:BDR. Cybercriminals are becoming even more sophisticated in inserting malware through ad platforms, for example using ‘bait and switch’ type strategies: putting in bogus but clean ads as a way of creating trust in their service, then replacing them with infected ads. The hackers continue to use the very successful ‘redirection to exploit kit’, as well as drive-by downloads, as their way in to seamlessly infect a computer.
There has also been a report of possibly the first ‘political malvertising’ campaign by pro-Russian activists, which is based on a botnet. This attack forced users’ machines to visit bogus sites that generated ad revenue for the activists. The users also ended up at several pro-Russian propaganda videos.
2015 is also the year that malvertising has really hit the mobile user. McAfee has identified, in their Threat Report for February 2015, that malvertising is growing quickly on mobile platforms and is expected to continue to grow rapidly, targeting mobile users.
Too Hot to Handle
Looking back and then ahead, it seems that malvertising will continue to grow, not only in the online and mobile space, but also in video ads as they emerge as the fastest growing format in the non-mobile, display-related market.
Users can keep their software applications updated, and that certainly helps to prevent malvertising-linked infection, but unfortunately, that’s not enough. Ad network providers and publishers need help from ad security solutions that offer comprehensive security protection in online, mobile, and video.