The Internet is awash with advertising. Companies like Google & Facebook earn billions of dollars a year serving ads. The news sites you likely visit serve ads. Blogging moms earn livings serving ads. But could those ads pose a threat to users and, by extension, your organization?
You bet.
What is Adware?
At its most basic level, adware is just software that generates revenue for its developer by showing online advertisements. For example, Gmail is ad-supported: while you check your email, Google serves ads it thinks are relevant to you.
So far, so good.
The problem occurs when adware starts to become malware.
Malware vs. Adware
Some malware functions like adware, serving you ads as the price of using a piece of software.
Except that, in many cases, malware installs itself without the user's knowledge or consent. Often it presents unwanted advertisements that the user is forced to interact with just to dismiss them. You have probably seen these before: the uncloseable boxes that make you kill the browser tab, curse the dregs of society, and move on.
In other cases, it may track user activity and inject ads into pages and applications it has no business touching.
Worse, sometimes this malware becomes spyware, observing a user's behavior and reporting it back to whoever operates it.
At best, these things can be a mild nuisance.
At worst, they open a vector for attack.
Malvertising
One way this malware gets onto a machine is when the user downloads infected software, perhaps from a seemingly legitimate mirror site or over Tor.
In other instances, it can be installed via a drive-by download.
In still others, they may be installed via completely innocuous activities like reading, say, the New York Times or listening to Spotify.
In these instances, the user doesn’t click anything. They may not even interact with the ad directly.
Enter the world of malvertising (malicious advertising).
With malvertising, malicious code is hidden inside an online ad (often a display or popup ad). When your browser loads the page, the malicious payload arrives alongside the legitimate content, fetched by one of the many requests the page makes.
Note: in case you're unaware, it's not uncommon for a single web page to make dozens of requests for third-party scripts, libraries, and iframes. Malvertising works because malicious code can hide behind any one of those requests.
The malvertisement's code may register an iframe that navigates to another page, where the malware is hosted. That page probes the user's browser and its plugins for vulnerabilities; if it finds one, it exploits it to install its payload, and the user's system is compromised.
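As an added illustration (this is not code from the original post), here is a small Python screen for the indicators just described: an iframe that drags the browser somewhere it never asked to go, a frame or script pulled from a host the publisher does not expect, and inline script leaning on eval/atob-style obfuscation. The two creatives and the trusted-host list are constructed for the demo. Real ad-quality scanners also render the creative in a sandboxed browser, because a static check like this only catches what the code does not bother to hide.

```python
"""Static screen of an ad creative for common malvertising indicators.

Added example, not code from the original post or any ad network.
The trusted-host allowlist and both sample creatives are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the publisher expects creatives to load from.
TRUSTED_HOSTS = {"cdn.example-adserver.net", "cdn.publisher.example"}

# Inline styles that make an element effectively invisible to the user.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)
# Primitives that obfuscated droppers lean on to hide the real payload.
SUSPICIOUS_JS = re.compile(r"\b(eval|atob|unescape|document\.write)\s*\(", re.I)


class CreativeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = urlparse(src).hostname or ""
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(f"iframe to untrusted host {host}")
            style = a.get("style") or ""
            if HIDDEN_STYLE.search(style) or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append(f"hidden iframe -> {src or '(no src)'}")
        elif tag == "script":
            self._in_script = True  # HTMLParser hands script bodies to handle_data
            host = urlparse(a.get("src") or "").hostname or ""
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(f"script from untrusted host {host}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh -> {a.get('content') or ''}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in SUSPICIOUS_JS.finditer(data):
                self.findings.append(f"{m.group(1)}() in inline script")


def scan_creative(html: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    p = CreativeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: an ordinary banner that links to the advertiser.
CLEAN_CREATIVE = """
<div class="ad"><a href="https://www.advertiser.example/offer">
<img src="https://cdn.example-adserver.net/banner.png" width="300" height="250"></a></div>
"""

# Constructed sample: the same banner plus a zero-size off-screen iframe to a
# third-party landing page and a base64-wrapped inline script.
MALICIOUS_CREATIVE = """
<div class="ad"><img src="https://cdn.example-adserver.net/banner.png" width="300" height="250">
<iframe src="https://landing.bad-example.test/gate.php" width="0" height="0"
        style="position:absolute;left:-9999px"></iframe>
<script>var p=atob("ZG9jdW1lbnQud3JpdGUoJzxpZnJhbWU+Jyk=");eval(p);</script>
</div>
"""

if __name__ == "__main__":
    for name, creative in (("clean", CLEAN_CREATIVE), ("malicious", MALICIOUS_CREATIVE)):
        print(name, scan_creative(creative) or "no findings")
```

The malicious sample trips four findings: the iframe points at a host outside the allowlist, it is hidden both by its zero size and by its off-screen position, and the inline script uses both atob() and eval(). None of those is proof on its own (legitimate tracking pixels are small and legitimate tags are minified), which is why a scanner reports indicators for a human or a sandbox to confirm rather than blocking outright.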
How Malvertisers Get Away with It
One of the hardest things about combating malvertising is its ability to pose as a legitimate ad.
Attackers effectively enter the same bidding competitions that legitimate advertisers do. They bid with real money in real auctions using essentially “booby-trapped” ads.
After the ad wins an auction, it gets served across the whole ad network, just like a legitimate ad.
Moreover, it can stay in rotation with regular ads for some time before it's identified and pulled.
Unfortunately, such ads are also hard to catch because they look and function like legitimate ads, minus the exploit part.
How to Protect Yourself & Your Organization
First things first, make sure you have control over what software users in your organization are allowed to download and install. At the very least, consider restricting installation rights to a limited few people in your organization. When a user needs a new piece of software installed, they will have to file a ticket or request help from someone with the appropriate authority to install it.
Sure, your users will find that annoying.
But it's the best way to make sure they don't inadvertently install something that bundles adware.
Secondly, make sure you have good protections in place, including antivirus, anti-exploit, and/or anti-malware software. At a minimum, install ad blockers in user browsers and tools that scan downloads before they reach the user. Keep browsers and their plugins patched as well, since the exploit page a malvertisement sends the browser to is looking for known vulnerabilities.
These practices reduce the vectors available for malicious advertising to take root.
Thirdly, make sure you provide your users with the education they need to understand the risks they, and the organization, are exposed to. Oftentimes, users are simply unaware of the threats that are out there.
You want to make sure you educate them. You may not only save the organization, but also their personal data if they take some of those lessons to heart when they go home for the evening.
Finally, what makes malvertising-delivered malware so dangerous is how surreptitiously it infiltrates an organization.
While media providers are responsible for, and take action towards, keeping malvertisers off their networks, malvertisers are hard to catch. Having a good SIEM that mines system and proxy logs, monitored by a security operations team with the expertise to tell events from incidents and stop the latter, will help ensure that you catch threats before they become problems.
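As an added example of the kind of log mining that catches this (this is not code from the original post or any SIEM product), the Python below walks constructed web-proxy records and flags the sequence a malvertising chain leaves behind: a client loads an ad creative and, within seconds, is bounced through a chain of redirects to a host no one in the organization has visited before, or pulls down an executable. The log format, the ad-network host list, and the known-host list are all constructed for the demo; in production the same rule would read your proxy or DNS logs and an allowlist or threat-intel feed.

```python
"""Hunt for malvertising chains in web-proxy logs.

Added example, not code from the original post or any SIEM vendor. The
log format, host lists and sample records are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed: hosts the organization's ad traffic normally comes from.
AD_HOSTS = {"ads.example-network.net", "cdn.example-adserver.net"}
# Constructed: hosts with an established history in this organization's logs.
KNOWN_HOSTS = AD_HOSTS | {"news.example.com", "www.advertiser.example"}
# Content types that mean a binary landed on the endpoint.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream",
              "application/java-archive"}
WINDOW = timedelta(seconds=15)  # how long after an ad load we stay suspicious


@dataclass
class Entry:
    ts: datetime
    client: str
    status: int
    ctype: str
    url: str
    referer: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_line(line: str) -> Entry:
    """Constructed format: <iso-time> <client> <status> <content-type> <url> <referer>."""
    ts, client, status, ctype, url, referer = line.split()
    return Entry(datetime.fromisoformat(ts), client, int(status), ctype, url, referer)


def hunt(lines, known_hosts=KNOWN_HOSTS):
    """Return alerts as (client, reason, url), in log order per client."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            by_client[e.client].append(e)

    alerts = []
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e.ts)
        last_ad = None   # most recent request to an ad host
        chain = []       # consecutive 3xx hops seen since that ad load
        for e in entries:
            if e.host in AD_HOSTS:
                last_ad, chain = e, []
                continue
            if last_ad is None or e.ts - last_ad.ts > WINDOW:
                chain = []
                continue
            if 300 <= e.status < 400:
                chain.append(e)
                continue
            # A final (non-redirect) response inside the window: judge it.
            if e.ctype in EXEC_TYPES and e.host not in known_hosts:
                alerts.append((client, "executable fetched within %ds of ad load"
                               % WINDOW.seconds, e.url))
            if len(chain) >= 2 and e.host not in known_hosts:
                alerts.append((client, "redirect chain from ad to never-seen host", e.url))
            chain = []
    return alerts


# Constructed records: one client is bounced from an ad to an exploit landing
# page and then fetches a binary; another simply clicks through a normal ad.
SAMPLE_LOG = """
2024-03-04T09:00:00 10.1.1.5 200 text/html https://news.example.com/story -
2024-03-04T09:00:01 10.1.1.5 200 text/html https://ads.example-network.net/serve?id=1 https://news.example.com/story
2024-03-04T09:00:02 10.1.1.5 302 text/html https://trk.bad-example.test/r https://ads.example-network.net/serve?id=1
2024-03-04T09:00:02 10.1.1.5 302 text/html https://gw.bad-example.test/go https://ads.example-network.net/serve?id=1
2024-03-04T09:00:03 10.1.1.5 200 text/html https://landing.bad-example.test/gate.php https://ads.example-network.net/serve?id=1
2024-03-04T09:00:05 10.1.1.5 200 application/x-msdownload https://landing.bad-example.test/update.exe https://landing.bad-example.test/gate.php
2024-03-04T09:30:00 10.1.1.9 200 text/html https://news.example.com/story -
2024-03-04T09:30:01 10.1.1.9 200 image/png https://cdn.example-adserver.net/banner.png https://news.example.com/story
2024-03-04T09:30:02 10.1.1.9 200 text/html https://www.advertiser.example/offer https://cdn.example-adserver.net/banner.png
"""

if __name__ == "__main__":
    for client, reason, url in hunt(SAMPLE_LOG.splitlines()):
        print(f"{client}: {reason}: {url}")
```

On the sample, client 10.1.1.5 produces two alerts (the redirect chain landing on landing.bad-example.test, then the .exe fetched from it) while 10.1.1.9, who merely clicked a banner through to a known advertiser, produces none. The "never seen before" test is what keeps the rule quiet on ordinary ad click-throughs, so the quality of the known-host baseline matters more than the window size.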