What is malvertising? And how to protect against it

Malvertising, the practice of sprinkling malicious code into legitimate-looking ads, affects both small and large websites. Protecting against it is harder than it seems.


Specifically, it serves unviewable ad impressions and executes non-human clicks on ads to generate revenue from ad networks. Though victims cannot see what Trickstack-3PC is doing, they could see significant performance degradation on their devices. 

How to protect against malvertising

Security researchers advise installing antivirus tools and keeping all software updated, including the operating system, browsers, Adobe Flash and Java. Even stronger protection can be achieved by avoiding the use of Flash and Java altogether.

Security experts don’t believe, however, that ad blockers are a solution because they could kill both the advertising industry and journalism. “Publishers like LA Times or NY Times rely on the ad dollars to pay journalists, photojournalists, editors, etc.,” says Devcon’s CEO, Maggie Louie. “If you just put an ad blocker browser up, you’ve essentially cut off all the revenue for the publisher.” Louie recommends tools such as Ghostery, which can filter bad ads while letting the good ones pass.

Most security companies believe that the malvertising problem cannot be solved by individual users. Media organizations, browsers and the advertising industry should all take more responsibility for what is happening, they say. Publishers, for instance, should only work with trustworthy ad companies, some researchers suggest, but even the reputable names in the industry have been impacted by malvertising. Phil Cowger, researcher at RiskIQ, recommends publishers and ad exchanges use security products “that give them visibility into the entire supply chain for advertising.”

Dangu has noticed a small improvement in how publishers deal with malvertising. More and more such organizations “are turning to real-time client-side detection that can block the malicious behavior right from the end-users’ browsers, while keeping the safe ads running.”

Browser vendors are also addressing malvertising, as attackers heavily rely on hijacking sessions using a technique called forced redirect. “HTML5 iframe sandboxing is a browser feature that's slowly gaining adoption to protect ad serving from hijacks,” Dangu says. “Google took its own initiative and developed a broader redirect blocker for cross-origin iframes.”
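The forced redirect Dangu mentions works because script running inside an ordinary ad iframe can navigate the top-level page. The iframe `sandbox` attribute he refers to is what takes that ability away: unless the publisher grants `allow-top-navigation`, the browser refuses the navigation. The following is an added example, not code from the article, Confiant or Google, of a publisher-side helper that builds the ad iframe with a restrictive sandbox and vets any requested policy before emitting it. The creative URL `https://ads.example/creative.html` is constructed, and the baseline token set (`allow-scripts allow-popups`) is this example's own choice.

```javascript
// Added example (not from the article): build and vet the HTML5 sandbox
// attribute for an ad iframe so that ad code cannot force a top-level
// redirect. Assumes a publisher template that emits the iframe markup.

// Tokens that hand the framed ad code the ability to navigate the page.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Baseline policy chosen for this example: ads may run script and open a
// popup on click, but get an opaque origin (no allow-same-origin), so they
// cannot read the publisher's cookies or DOM, and cannot redirect the page.
const BASELINE_TOKENS = ["allow-scripts", "allow-popups"];

// Split a sandbox attribute value into its whitespace-separated tokens.
function parseSandbox(value) {
  return new Set(String(value).trim().split(/\s+/).filter(Boolean));
}

// Return a list of findings for a sandbox policy. An empty list means the
// policy keeps framed ad code from hijacking the page.
function vetAdSandbox(value) {
  const tokens = parseSandbox(value);
  const findings = [];
  for (const t of tokens) {
    if (TOP_NAV_TOKENS.has(t)) {
      findings.push(`${t}: framed ad code may navigate the top-level page`);
    }
  }
  // HTML spec caveat: allow-scripts together with allow-same-origin lets a
  // same-origin frame remove its own sandbox attribute and reload unrestricted.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push(
      "allow-scripts + allow-same-origin: a same-origin frame can strip its sandbox"
    );
  }
  // Popups normally inherit the sandbox; this token lets them escape it.
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    findings.push("allow-popups-to-escape-sandbox: opened windows run unsandboxed");
  }
  return findings;
}

// Minimal attribute escaping so a creative URL cannot break out of the tag.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Emit the ad iframe. Extra tokens requested by an ad partner are vetted
// first; a policy that re-enables redirects is refused rather than served.
function adIframeMarkup(src, extraTokens = []) {
  const policy = [...new Set([...BASELINE_TOKENS, ...extraTokens])].join(" ");
  const findings = vetAdSandbox(policy);
  if (findings.length > 0) {
    throw new Error("refusing to emit ad iframe: " + findings.join("; "));
  }
  return `<iframe src="${escapeAttr(src)}" sandbox="${policy}"></iframe>`;
}

// Usage with a constructed creative URL.
console.log(adIframeMarkup("https://ads.example/creative.html"));
console.log(vetAdSandbox("allow-scripts allow-top-navigation"));
```

The vetting step matters because sandbox tokens are additive: an ad partner asking for `allow-top-navigation-by-user-activation` or `allow-same-origin` is asking for exactly the capability the sandbox was meant to remove, so the helper refuses to build the frame instead of silently weakening the policy.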

As malvertising groups become bolder and more devious, the best techniques to guard against them are a combination of an up-to-date system running security software and the necessary awareness to recognize scams, says Jerome Segura, head of threat intel at internet security company Malwarebytes.

“This is handled by the web protection component of solutions that can be a database of domains and IP addresses complemented by a heuristic engine,” he says. “Threat actors rotate their infrastructure quickly and rather than playing cat and mouse with them, you can identify many of their templates proactively.”

As for mobile malvertising, the best thing mobile users can do to stay safe is to avoid third-party app stores that don’t vet developers, says Covington. “We also recommend that organizations consider the use of a mobile threat defense solution to detect the broad set of risks that could possibly be delivered via malvertising.”

The future of malvertising

Security researchers believe that malvertising will likely thrive in the years to come, and criminal groups will become smarter, richer and more difficult to catch. Devcon’s Louie expects an increase in the use of polyglots. “I predict we will soon see many more advanced threats coming through the ads and a renaissance of watering hole attacks,” she says.

Dangu fears that threat actors will continue to blend in with the environment they operate in. “Just one or two short years ago, malvertising payloads were a lot more obvious in that the code looked like it didn't belong,” he says. “These days the attackers are getting better at leveraging native ad server functionality to look like they are part of the ad tech stack instead of third-party code.”

Most security companies expect malvertising groups to increasingly target mobile users, as some users don’t think they should install security products on their devices. In 2018, GeoEdge saw a 50% increase in mobile advertising attacks, and since the beginning of 2019, the company noticed a 67% increase in bad ads targeting the in-app environment.

Segura has noticed a similar trend. “Contrary to the desktop where multiple levels of protection already exist, mobile devices are very much prone to a variety of attacks due to lack of safeguards but also a lack of awareness from users themselves,” he says.

There are also a few silver linings. RiskIQ’s Cowger believes we’ll see a decline in the prevalence of JavaScript-based cryptocurrency miners, as a result of the death of Coinhive.

Others hope that the advertising industry will become more aware of the problem, which will lead to a growing demand for ad quality assurance tools and ad security. “User complaints lead more and more publishers to seek help, as they would like to protect their brand and assure a positive user experience,” says GeoEdge’s Silber.

Confiant’s Dangu is even more optimistic when it comes to what the advertising industry could do. Several initiatives aim toward sandboxed ad placement that the security community has contributed to, he says. “Once adoption around this achieves critical mass, most of these actors will be limited if they stick to their current efforts and will have to pivot to the next generation of malvertising payload, which remains to be seen.”

Editor's note: This article, originally published on March 9, 2019, has been updated to include information on the Trickstack-3PC malware.

Copyright © 2020 IDG Communications, Inc.
