Malvertising: 5 Lessons for Companies & Employees - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Partner Perspectives
Commentary
12/16/2014
01:00 PM
Bianca Stanescu
Bianca Stanescu
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

Malvertising: 5 Lessons for Companies & Employees

We could expect more from this repackaged e-threat.

In the last couple of years, malvertising has become more than simple click-fraud trapping unwary users with miraculous diet pills. In September 2009, an injected ad in The New York Times redirected readers to a site hosting malware. One year later, TweetMeme (which closed in 2012) suffered a scareware attack because of malvertising.

At Bitdefender, we have also discovered a similar campaign targeting online readers of National Geographic. These examples show malvertising can easily spread to a large number of legitimate websites and deliver huge infection rates. Silent malvertising also allows scammers to infect users with no clicking or direct interaction – yet another argument for companies and employees to start taking this e-threat seriously.

Let’s admit it: We find it everywhere. From social networks to reputable media outlets, this evolving threat continues to flood websites in many domains, affecting the entire advertising ecosystem. Billions of ad impressions are compromised by malvertising every year, and the recent attack targeting the US military industry also rings a wake-up call for enterprises and governments.

Malvertising is unwillingly supported by two key features of online advertising:

  • Dynamism: Internet ads form a versatile medium that also allows scammers to stay undetected. Ad content changes regularly and relies on multiple parties, including advertisers, ad networks, ad exchanges, ad services, and site publishers, so cyber criminals can obscure their trail.
  • Externalization: Companies pay ad networks to distribute ads on their websites without knowing their content and purpose. This allows cyber criminals to pose as legitimate clients. Some fraudulent commercials also slip through because big ad networks sublet some advertorial space to third parties, usually smaller platforms. The smaller networks can end up placing malicious ads on reputable websites.

Here are five lessons that can help enterprises and employees thwart malvertising attacks:

1. Never consider yourself or your company completely safe. Even the most tech-savvy employees can become victims. Malvertising lurks just around the corner on legitimate websites, behind videos, and in banners that look just like any other advertisement.

2. Employees interested in business and computers are the most exposed – one more reason to believe malvertising continues to target enterprises. Recent research by Bitdefender revealed that the two most lucrative web categories abused by malvertisers are business computers and software. The landing pages of such websites bring scammers more profit than pornographic content, and the ads they host are a preferred target for injecting malicious code.

3. Malicious advertising also comes along with “friends.” To extend the definition, spamvertising, fraudvertising, and phishvertising are also used to spread spam and fraudulent and phishing URLs through legitimate online advertising networks and web pages. Our research showed that almost 7% of ads found on 150,000 websites could not only infect users with malware, but also target them with fraud, spam, and phishing, leading to bigger financial losses. The neutral ads represented 46%, only one percentage point less than those considered “good.”

Figure 1: Distribution of good, bad and neutral ads - Bitdefender research
Figure 1: Distribution of good, bad and neutral ads Bitdefender research

4. Keep an eye on the most common infection vectors used by cyber criminals to place malicious code in advertisements. Here are some of them:

  • Pop-up ads for fictive downloads such as fake movie players, toolbars, plugins, and media converters
  • Hidden and obfuscated JavaScript code
  • Malicious banners
  • Third-party advertisements through sublet ad networks and content delivery networks
  • iFrames where malware can be embedded to avoid detection

5. Stick strictly to the company’s BYOD policy. Mobile malvertising is on the rise, and studies show that “fat-finger syndrome” works for scammers, too. Employees tend to drop their guard when surfing the Internet on the go, so it’s important to stick to a strict BYOD policy that includes beefed-up security on all devices.

Everyone should get involved in mitigating malvertising risks – from ad networks to companies and regular employees. If the inner structure of the system remains this open, with so many parties involved and without thorough security scanning, cyber criminals will take more frequent advantage of companies, advertising platforms, and end-users. By fighting with the right weapons, we can all enjoy a cleaner and much safer advertising ecosystem. 

Bianca Stanescu is Bitdefender's down-to-earth Security Specialist, who's always on to a cyber-trendy story. She's the fraud and social media scam detective who always keeps a close eye on the security movers and shakers to report their deeds from a fresh perspective. After 9 ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Ninja
12/18/2014 | 12:44:19 AM
Harming the Business Environment
An excess amount of ads can tilt the user towards a negative frame of mind, but the right amount can provide a lot of benefits in helping the user/business to locate a product or service which makes an earlier process easier. Advertisements in this regard can help the economy reach a certain level of scale -- malvertising is just making this entire process more difficult. If users are going to be fearful of potential landing pages, then contact might never be established.
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
News
Data Science Salary Survey Reveals Market Shift
Jessica Davis, Senior Editor, Enterprise Apps,  6/27/2019
Commentary
A Practical Guide to DevOps: It's Not that Scary
Cathleen Gagne, Managing Editor, InformationWeek,  7/5/2019
Slideshows
How to Land a Job in Cloud Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  6/19/2019
Register for InformationWeek Newsletters
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll