MBPT Spotlight: Malvertising Continues to Plague Ad Industry

Malvertising: The word hasn't entered the zeitgeist yet, but that will happen. It even sounds unpleasant, like a disease, and in many ways that's what it is. Just ask advertising executives and their professional networks — their brands and reputation are at stake when malware masquerading as advertising pops up on screen. The issue is serious but lacking a concrete solution, and that leaves publishers and consumers alike pointing fingers at their ad partners.

Cyber-criminals now find it absurdly easy to compete with legitimate ads on just about every kind of site. By creating booby-trapped ads and bidding for placement via popular ad networks, they expose millions of computers to malware infections. It's an ongoing problem that keeps getting more common: Just a few weeks ago, a major campaign went after Yahoo, along with very popular sites like Weather.com and Drudge Report. Last week, Malwarebytes researchers detected a new malvertising attack on MSN.com.

These ads are nothing more than a vehicle to convey malicious code that makes a home on your computer. There's a wide range of payloads at play here, all the way from password stealers that capture keystrokes when a user logs into, for example, a bank’s website, to ransomware, which encrypts personal files and demands a ransom in exchange for freeing them. Worst of all, they're drive-by downloads — they can happen while consumers are just browsing from site to site without clicking on anything. And it can take a while to realize the system has been compromised.

Consumers aren’t the only victims: When they justifiably deploy ad-blockers to keep malvertising at bay, it severely hurts ad networks and site publishers who rely exclusively on ad revenue to keep content free. And it eventually hurts the consumers who don’t get free content anymore.

Sure, we can chalk it up as an unavoidable problem of the digital era. And if we have some malvertising now, chances are we’ll have a lot more soon. But there are ways to fight back.

Remember, the ads themselves are not the problem, and ad-blockers are not necessarily the solution. The root cause is the level of software vulnerabilities that criminals are exploiting with ease. That’s why, instead of ad-blockers, consumers need to deploy a layered defense, with anti-exploit, antivirus and anti-malware technology. With this approach the chances of being compromised become so small that, for the malvertising professionals, it’s just not worth the effort.

That said, this is not the sole responsibility of consumers. For their part, ad networks and agencies need to implement more advanced detection systems to root out vulnerabilities. If the people behind the malware can find weak spots so easily, it’s likely because the defenses are outdated.

To be clear, no solution is 100% foolproof; and even if it is now, it won’t be tomorrow. But there’s plenty of opportunity to put in better defenses that drastically reduce the possibility of malware getting through.

Think of it this way — in the digital era, every aspect of communications has changed and continues to change. The fact that the ad-to-consumer dynamic is being disrupted this way is not a surprise at all. As with any other corner of the industry, it’s time to come up with better technologies that offer better options.

Segura is a senior security researcher at Malwarebytes Labs, focusing on web-based threats and scams. After spending over eight years cleaning malware off personal computers and compromised websites, he now focuses on studying cybercrime trends and new exploitation techniques.