Malicious advertising offers broad reach and quick rewards for malware perpetrators

Dynamic, expanding advertising scene opening juicy targets for Internet bandits

A burgeoning and dynamic online advertising market is creating an abundance of opportunity for cyber criminals.

It's doing that by giving online bandits a vehicle for infecting millions of users through some of the biggest names on the Internet with malicious advertising. The ads are fed into web pages of legitimate sites without the site operator's knowledge and can infect visitors to those pages unbeknown to them, too.

Malicious advertising has been around for years. In 2009, for example, New York Times web pages were discovered serving up ads that pushed a bogus anti-virus scam popular at the time. Now, though, the attacks are more subtle and far more vicious. Earlier this year, both Yahoo and YouTube were victims of malvertising schemes designed to silently plant pernicious programs on the machines of visitors to those websites.

In addition to growing more virulent over the years, the malpractice has also grown in size. At the end of 2010, Dasient, a web security company since acquired by Twitter, estimated three million malicious advertising impressions were being posted to the Internet daily. Two years later, the Online Trust Alliance estimated that in 2012 alone, 10 billion malicious impressions were posted to the Net, and that one in every three ad networks was serving up malicious ads.

And the problem continues to worsen. "Last year [2013], I'm sure I wrote more blog posts on malvertising-based attacks than I had in all the previous years combined," said Chris Larsen, a senior malware researcher at Blue Coat, a web filter appliance company.

Added Oscar Marquez, chief product officer for Total Defense, a cloud security network provider: "We have started to see it more and more, and we're seeing it more vigorously, as well."

"In the past, we saw attackers dipping their toe trying to test it," he continued. "Now we're really seeing them using it as an attack platform."

That attractiveness as an attack platform has ripened with the growth and evolution of advertising on the Net. "There's not a ton of regulation covering advertising, and it's a very fast moving industry and the gaps that fast moving industries leave are opportunities for bad guys," explained Lookout Principal Security Researcher Marc Rogers.

One of those gaps was created by the increased use of third-party code. Rather than write code for something like a shopping cart, for instance, a website developer disinclined to reinvent the wheel might use open source code for the cart at a site they were creating. When that practice was extended to advertising, it opened up a world of opportunity for Internet bottom feeders.

With third party code came third party advertising. That meant advertising was being funneled into web pages from sources outside the administration of the website operator. "Third party advertising meant that anyone that used it on a website was not in full control of what shows up on their site and what's passed through their site," noted Rob Beeler, self-proclaimed content czar at 8 Meter Media, an event planning company.

Not only did website operators lose control over their sites, but ad networks also began to lose control over who fed them ads. "It was no longer a matter of not having control of the ad networks using your site," Beeler explained, "it was the networks' partners and their partners and their partners' partners. And as you go down the line, without adequate safeguards, all you need is one bad apple and some very reputable websites can serve up very bad things."

"The ad ecosystem is becoming more distributed, so there are more and more players that are able to enter that ecosystem through ad exchanges and network chaining," added Lou Manousos, founder and CEO of RiskIQ and co-chair of the Anti-Malvertising Work Group. "That fundamental change in the ecosystem has created additional opportunities for malvertising."

Making matters worse, the complexity of ads fed into websites changed, making them better vehicles for cyber criminals. "The days when ads were simply jpegs or other graphic files are long gone," said Larsen, of Blue Coat. "Everybody wants analytics. They want to know details about their customers so they can better target them with ads, so there's a lot of JavaScript that gets flung around, and that JavaScript can do anything."

Because all ads are now more dynamic, it can be difficult to distinguish bad ads from good ones. For example, black hats commonly use a malicious ad to redirect a site's visitor to a location where their machine can be infected with malware, and that redirect looks much like the ones legitimate ads perform. "If you click on any ad, you'll see that there are several levels of redirection because the ad companies themselves are logging things like clicks for the purpose of statistical analysis," said Jaeson Schultz, a threat researcher with Cisco Systems. "At any of those levels, you can inject malicious code."

The problem is compounded by the fact that malvertisers are targeting legitimate websites. "Because malvertising is propagated via legitimate websites, it's pretty effective because most of your Web proxies and browser plug-ins will not blacklist legitimate websites," explained Anup Ghosh, CEO of Invincea, a security software maker.

While service providers and companies may be reluctant to block websites serving up malicious ads, consumers may be less hesitant to block the ads themselves. Doing so has a cost of its own, however. "Consumers can implement a no-scripting-type plug-in that blocks ads in general, but oftentimes when you do that, you're blocking legitimate content, and it breaks pages," Ghosh said.

"In the past, the amount of protection you might get from blocking the web ad category wouldn't be worth the pain you might cause," added Larsen, of Blue Coat, "but that equation may be shifting."

Malvertisers use a number of ways to distribute their pernicious payloads. They can use fake identities and stolen credit card numbers to buy advertising space with ad networks, then push ads that link to infected pages out to the sites those networks serve. Some Net marauders break into ad servers, steal credentials and use them to poison other people's ads.

Yet another way is to set up a rogue ad server and plug it into an ad network. Then not only do the criminals get the fruits of their infections, but they get paid for serving infected ads to the public. What's more, they can be very sly about how they win trust for their ad server from legitimate advertisers. "We've seen cases where the bad guys have served ads in the beginning that are not malicious and then go rogue," Larsen said.
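Two of the points above, that malicious code can be injected at any level of an ad's redirect chain and that a rogue ad server can serve clean ads at first and go rogue later, suggest the same defensive control: re-scan every approved creative, follow its chain of hops, and compare what you see with what was approved. The following is an added example, not code from the article or from any company quoted in it. It assumes a publisher keeps a set of vetted ad-tech domains and has a crawler that records the hops a creative takes; the domain names, chains and creative IDs are all constructed for the example.

```javascript
// Added example (not from the article): a minimal malvertising chain scanner.
// Input is a constructed capture of the redirect hops a crawler observed while
// loading an ad creative (ad server -> tracker -> tracker -> landing page).
// Each hop records the URL and how the navigation happened: an HTTP 3xx
// ("http"), or a script- or meta-refresh-driven redirect ("script").
//
// Two checks from the text:
//  1. Walk the chain and flag any intermediate hop whose host is outside the
//     publisher's vetted ad-tech domains, plus a landing page that is not the
//     advertiser's declared domain, a non-http(s) scheme, an https->http
//     downgrade, or an unusually long chain.
//  2. Compare the current chain with the one recorded when the creative was
//     approved, so a creative that served clean and later "goes rogue" is
//     caught on re-scan even if the new host happens to look harmless.
// All domains below are made up (assumption: publisher-maintained allowlist).

const VETTED_ADTECH = new Set([
  "ads.example-network.com",
  "click.example-tracker.net",
  "cdn.example-exchange.org",
]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// True if host equals a vetted domain or is a subdomain of one.
function isVetted(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (VETTED_ADTECH.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

function analyzeChain(chain, expectedLanding, maxHops = 6) {
  const findings = [];
  if (chain.length > maxHops) {
    findings.push({ hop: chain.length - 1, reason: "too-many-hops" });
  }
  chain.forEach((hop, i) => {
    let parsed = null;
    try { parsed = new URL(hop.url); } catch { /* unparseable */ }
    // javascript:, data: and unparseable URLs have no business in an ad chain.
    if (parsed === null || (parsed.protocol !== "https:" && parsed.protocol !== "http:")) {
      findings.push({ hop: i, reason: "bad-scheme-or-url", url: hop.url });
      return;
    }
    const host = parsed.hostname.toLowerCase();
    const isLanding = i === chain.length - 1;
    if (isLanding) {
      // The final hop is the advertiser's site, so it is judged against the
      // landing domain declared at approval time rather than the ad-tech set.
      if (host !== expectedLanding && !host.endsWith("." + expectedLanding)) {
        findings.push({ hop: i, reason: "landing-mismatch", host });
      }
    } else if (!isVetted(host)) {
      findings.push({ hop: i, reason: "unvetted-intermediary", host, via: hop.via });
    }
    if (i > 0 && parsed.protocol === "http:" && chain[i - 1].url.startsWith("https:")) {
      findings.push({ hop: i, reason: "https-downgrade", host });
    }
  });
  return findings;
}

// Hosts in the current chain that were not present in the approved baseline.
function newHosts(baseline, current) {
  const seen = new Set(baseline.map(h => hostOf(h.url)));
  return [...new Set(current.map(h => hostOf(h.url)).filter(h => h && !seen.has(h)))];
}

function scanCreative(creative) {
  const findings = analyzeChain(creative.currentChain, creative.expectedLanding);
  const drift = newHosts(creative.approvedChain, creative.currentChain);
  const verdict = findings.length === 0 && drift.length === 0 ? "clean" : "block";
  return { id: creative.id, verdict, findings, newHosts: drift };
}

// Constructed sample captures: cr-1001 still matches its approved chain;
// cr-1002 was approved with the same chain but now detours, via a script
// redirect, through an unvetted host and lands somewhere else over plain http.
const APPROVED_CHAIN = [
  { url: "https://ads.example-network.com/serve?c=1", via: "initial" },
  { url: "https://click.example-tracker.net/r?x=1", via: "http" },
  { url: "https://www.advertiser.example/landing", via: "http" },
];

const CREATIVES = [
  { id: "cr-1001", expectedLanding: "advertiser.example",
    approvedChain: APPROVED_CHAIN, currentChain: APPROVED_CHAIN },
  { id: "cr-1002", expectedLanding: "advertiser.example",
    approvedChain: APPROVED_CHAIN,
    currentChain: [
      { url: "https://ads.example-network.com/serve?c=2", via: "initial" },
      { url: "https://click.example-tracker.net/r?x=2", via: "http" },
      { url: "http://rotator.unknown-host.example/go", via: "script" },
      { url: "http://landing.unknown-host.example/index.php", via: "http" },
    ] },
];

function scanAll(creatives = CREATIVES) { return creatives.map(scanCreative); }

scanAll().forEach(r => console.log(JSON.stringify(r)));
```

The baseline comparison is what catches the clean-then-rogue pattern Larsen describes: a creative that passed review keeps passing the per-hop checks until the day its chain changes, so the scanner stores the approved chain and treats any new host as a reason to pull the creative pending review, whether or not that host is on a blocklist.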

Like their legitimate counterparts, dark hucksters use targeted marketing to boost their success rates. "Advertisers try to target ads based on geolocation and interest," said Manousos, of RiskIQ. "That's especially attractive to malware authors. It increases the economics for the bad guys. It lets them push the right exploits to the right people and generate revenue for them faster."

Once a visitor lands on a web page with an infected ad, the online miscreant will use an exploit kit to infect the innocent. "The exploit kit will detect the operating system of the visiting system and then probe it," explained Alex Balan, head of product management at BullGuard, an antivirus software maker. "Based on that, it will deliver a cocktail of exploits tailored for that system."

Advertisers haven't been sitting on their hands while information highwaymen invade their distribution infrastructure. "Over the years, vetting of advertisers by the networks has improved," said Jamz Yaneza, threat research manager at Trend Micro. "There are new infrastructure and new technologies out there making it easier to perform background checks."

However, the systems break down the further down the ad food chain you go. "Yahoo, for example, which suffered some horrendous problems with hostile advertising at the start of the year, isn't selling the advertising space to the bad guys who push out the bad adverts," explained Rogers, of Lookout. "They're selling to a brokerage, who is selling to another advertising firm or even another brokerage. So the further away you get from the company that's actually running the adverts, the harder it is to apply scrutiny to see what they're doing."

"There's also less penalty for the guys all the way down at the end of the chain," he added. "They don't care that the account they used got burned with Yahoo. They'll just go create another one."

Getting advertisers to accept the urgency of the malvertising problem can be challenging. "This is a low frequency issue in the scope of all the ads that are out there," said Craig Spiezle, executive director of the Online Trust Alliance, which has been at the forefront of battling malvertising by recommending best practices to advertisers. "So if you're thinking – hypothetically – that this is only a one percent problem, to ask everyone in the ecosystem to make a change that would delay and add friction into the process, it's hard for people to accept."

"Friction adds more steps to a process that's highly automated," he added. "It means more work, but we believe it's achievable and reasonable to do."

Even if advertisers tighten up their practices, it may not be enough to dampen the feeding frenzy that's to come. "I definitely see malvertising as an increasing way that people are breaking into websites and users' computers," said Schultz, of Cisco.

"At the end of the day," he continued, "we have more and more mobile devices, more and more people using the Web and with that, more sites using third-party content. Hackers are recognizing that trend. So while malvertising isn't something new, it's something that will be increasing in prominence."

Copyright © 2014 IDG Communications, Inc.
