‘Malvertising’ Attacks on Record Pace

The number of “malvertising” attacks detected on top websites worldwide is on pace to hit a record this year, more than doubling the tally from just two years ago, according to research from cybersecurity vendor Cyphort Labs.

Malvertising is a type of malware that is launched through ads that are secretly placed on legitimate websites and redirect web browsers to hacker-controlled sites containing infected ads.

Cyphort Labs, which uses a crawler that works around the clock to search top sites for malicious code served though drive-by exploits, said the number of malvertising attacks is on track to hit 2,102, up from 1,654 last year.

If the pace holds, this year’s figure represents an increase of nearly 131 percent from the 910 detected in 2014.

“Malvertising is effective because users tend to trust mainstream, high-trafficked “clean” websites,” Nick Bilogorskiy wrote in a blog post for Cyphort Labs this week. “The attackers abuse this trust to infect them via third-party ad content.”

Once infected, victim devices and networks experience the same symptoms as other malware attacks: Viruses, locked files, compromised data and hijackings that allow machines to be used for other criminal acts.

Malvertising campaigns – first discovered in 2007 – are delivered by deceptive advertisers or agencies that slip malicious ads through ad networks, ad exchanges and ad servers.

Web publishers unknowingly use the corrupted ad on their page, which then automatically redirects visitors to the malware.

“This is done through an imitated Flash file download,” according to a Cyphort Labs special report, published last year. “This form of malware delivery is popular with attackers because infecting an ad is easier and requires less effort than finding a vulnerability in the site software.”

Attackers use a variety of strategies to avoid detection by the ad networks or host websites.

Sometimes, attackers delay launching of the malicious payload for some period of time after the ad is approved.

In other cases, attackers elect to only serve the exploits to selected users, like every 10^th or every 20^th visitor who views the ads.

Other tactics include inserting SSL redirectors in the malvertising chain, and veifying user agents and IP addresses.

Malvertising often uses the large, layered setup of real-time bidding platforms to conceal the attacks.

Online advertising networks receive millions of ads and any one could be malvertising. Ad networks have a broad reach and an infiltration can infect many people very quickly.

Users who land on a page with malvertising can trigger the infection without clicking anywhere.

One of the biggest malvertising campaigns occurred in 2009, when the New York Times was targeted during the Sept. 11 weekend. Visitors to the newspaper website saw messages informing them that their systems were infected and instructed them to install software that turned out to be malware.

In recent weeks, massive malvertising attacks have targeted the sites of entertainment blogger Perez Hilton, and AOL’s Huffington Post.

Cyphort experts say combatting malvertising requires vigilance by website owners, ad networks and web users, and suggest the following measures:

Ad networks should use continuous monitoring that automatically checks for malicious ads.

Scans should occur early and often, accounting for changes throughout the advertising chain, not just at the ad creative stage.

Ad networks should leverage the latest security intelligence to power monitoring systems and stay abreast of current global threats.

Web users should ensure computer systems are properly patched to minimize the risk from known vulnerabilities.

Send tips and news to [email protected].