Malvertising: 5 Lessons for Companies & Employees - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives
01:00 PM
Bianca Stanescu
Bianca Stanescu
Partner Perspectives
Connect Directly

Malvertising: 5 Lessons for Companies & Employees

We could expect more from this repackaged e-threat.

In the last couple of years, malvertising has become more than simple click-fraud trapping unwary users with miraculous diet pills. In September 2009, an injected ad in The New York Times redirected readers to a site hosting malware. One year later, TweetMeme (which closed in 2012) suffered a scareware attack because of malvertising.

At Bitdefender, we have also discovered a similar campaign targeting online readers of National Geographic. These examples show malvertising can easily spread to a large number of legitimate websites and deliver huge infection rates. Silent malvertising also allows scammers to infect users with no clicking or direct interaction – yet another argument for companies and employees to start taking this e-threat seriously.

Let’s admit it: We find it everywhere. From social networks to reputable media outlets, this evolving threat continues to flood websites in many domains, affecting the entire advertising ecosystem. Billions of ad impressions are compromised by malvertising every year, and the recent attack targeting the US military industry also rings a wake-up call for enterprises and governments.

Malvertising is unwillingly supported by two key features of online advertising:

  • Dynamism: Internet ads form a versatile medium that also allows scammers to stay undetected. Ad content changes regularly and relies on multiple parties, including advertisers, ad networks, ad exchanges, ad services, and site publishers, so cyber criminals can obscure their trail.
  • Externalization: Companies pay ad networks to distribute ads on their websites without knowing their content and purpose. This allows cyber criminals to pose as legitimate clients. Some fraudulent commercials also slip through because big ad networks sublet some advertorial space to third parties, usually smaller platforms. The smaller networks can end up placing malicious ads on reputable websites.

Here are five lessons that can help enterprises and employees thwart malvertising attacks:

1. Never consider yourself or your company completely safe. Even the most tech-savvy employees can become victims. Malvertising lurks just around the corner on legitimate websites, behind videos, and in banners that look just like any other advertisement.

2. Employees interested in business and computers are the most exposed – one more reason to believe malvertising continues to target enterprises. Recent research by Bitdefender revealed that the two most lucrative web categories abused by malvertisers are business computers and software. The landing pages of such websites bring scammers more profit than pornographic content, and the ads they host are a preferred target for injecting malicious code.

3. Malicious advertising also comes along with “friends.” To extend the definition, spamvertising, fraudvertising, and phishvertising are also used to spread spam and fraudulent and phishing URLs through legitimate online advertising networks and web pages. Our research showed that almost 7% of ads found on 150,000 websites could not only infect users with malware, but also target them with fraud, spam, and phishing, leading to bigger financial losses. The neutral ads represented 46%, only one percentage point less than those considered “good.”

Figure 1: Distribution of good, bad and neutral ads - Bitdefender research
Figure 1: Distribution of good, bad and neutral ads Bitdefender research

4. Keep an eye on the most common infection vectors used by cyber criminals to place malicious code in advertisements. Here are some of them:

  • Pop-up ads for fictive downloads such as fake movie players, toolbars, plugins, and media converters
  • Hidden and obfuscated JavaScript code
  • Malicious banners
  • Third-party advertisements through sublet ad networks and content delivery networks
  • iFrames where malware can be embedded to avoid detection

5. Stick strictly to the company’s BYOD policy. Mobile malvertising is on the rise, and studies show that “fat-finger syndrome” works for scammers, too. Employees tend to drop their guard when surfing the Internet on the go, so it’s important to stick to a strict BYOD policy that includes beefed-up security on all devices.

Everyone should get involved in mitigating malvertising risks – from ad networks to companies and regular employees. If the inner structure of the system remains this open, with so many parties involved and without thorough security scanning, cyber criminals will take more frequent advantage of companies, advertising platforms, and end-users. By fighting with the right weapons, we can all enjoy a cleaner and much safer advertising ecosystem. 

Bianca Stanescu is Bitdefender's down-to-earth Security Specialist, who's always on to a cyber-trendy story. She's the fraud and social media scam detective who always keeps a close eye on the security movers and shakers to report their deeds from a fresh perspective. After 9 ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Remote Work Tops SF, NYC for Most High-Paying Job Openings
Jessica Davis, Senior Editor, Enterprise Apps,  7/20/2021
Blockchain Gets Real Across Industries
Lisa Morgan, Freelance Writer,  7/22/2021
Seeking a Competitive Edge vs. Chasing Savings in the Cloud
Joao-Pierre S. Ruth, Senior Writer,  7/19/2021
Register for InformationWeek Newsletters
Current Issue
Monitoring Critical Cloud Workloads Report
In this report, our experts will discuss how to advance your ability to monitor critical workloads as they move about the various cloud platforms in your company.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll