Malvertising Explored

Introduction

Malvertising is a malicious form of online advertisement used to inject malware into legitimate online advertising networks and webpages. Advertisements are produced with significant effort to attract users and sell or advertise a product, which makes for a prime platform for spreading malware. Malvertising can exist even on the most popular and reputable websites without directly compromising them.

Watch this companion CSIAC Video Podcast: https://www.csiac.org/podcast/malvertising-explored/

Malvertising is a stealthy way of distributing malware because it can work its way into a webpage and unknowingly spread through a system. The malware doesn’t require any user’s interaction such as clicking on the link, in order to compromise the system or exploit vulnerabilities of the hosting website or server. The malware can travel silently through the webpage’s advertisements. Internet users are exposed to advertisements on a day to day basis which increases the likelihood to malware compromises, no matter how cautious one may be. Malvertising is a major factor to the spreading of ransomware and coin mining of bitcoin, and other similar malicious payloads such as WannaCry, Petya, Cryptolocker and Locky.

Malvertising was first seen back in late 2007 and early 2008, with 2014 being the year of the outbreak with a 325% attack increase according to security firm, Cyphort. In 2015, malvertising soared with mobile platforms, as well as seeing the first political malvertising campaign with pro-Russia propaganda according to Trustwave. Currently in 2018, it can be seen spreading crypto ransomware and hijacking Google’s DoubleClick Ad service in order to mine bitcoin.

The Infection Process

It’s important to note that malicious infection does not only occur when a user clicks on the advertisement; however, it may be delivered by doing nothing more than just visiting a webpage hosting the malicious advertisement. A successful ‘drive-by-download’ attack involves 5 stages:

• Stage 1: Entry point
  • Simply visiting a website that is running malicious code can infect the user with malware without even noticing.
• Stage 2: Distribution
  • Most malware will redirect the user to the malicious exploit server where sophisticated malware packaged in an “exploit kit” will find a vulnerability on the targets machine. It will look for vulnerabilities in the operating system, web browser and other 3^rd party software installed.
• Stage 3: Exploit
  • After the exploit kit has determined the operating system in use or software installed, it will attempt to leverage vulnerabilities against them.
• Stage 4: Infection
  • This occurs after a vulnerability has been identified and begins downloading what is known as a “payload” that installs itself on the user’s computer. It can be made to steal data or extort money from the user.
• Stage 5: Execution
  • The final stage of a drive-by-download is the execution of the payload. Depending on the maker’s intent, the malware can be made to extract sensitive data like credentials, banking or credit card information, or can be used to hold the user’s files hostage until the user pays to have them released, also known as ransomware.

Like traditional software, malware has evolved with different functionalities depending in the intent of the developer. For example, clicking an advertisement link could activate the malware could directly infect or redirect users to malicious sites. Redirection to another site is typically expected when a user clicks on any advertisement, making the spread of malware often successful. If users are redirected from legitimate services to fraudulent ones, this can lead to download of malicious payloads, as well as the gathering of data without consent.

Malvertising Campaigns

The evolution of malvertising tactics grow from exploiting weak advertisement management panels to now, more sophisticated methods with deceptive techniques. Currently, Angler Exploit Kit is one of the most popular toolkit cybercriminals use to attack vulnerabilities in systems to distribute malware. The Angler Exploit Kit uses several evasion techniques that helps avoid detection and it contains multiple layers of obfuscation, such as hidden executable code which is very difficult for cybersecurity analysts to discover during routine threat hunt mission.

Earlier malvertising campaigns displayed fraudulent advertisement stating the user’s computer has been infected with a virus with a pop-up message to download software to remedy the infection. For example, one of the most notable malvertising events was linked to the New York Times’ banner feed being exploited during the weekend of September 11 to 14. In these exemplars the software being installed was malicious in nature. According to Cyphort, the malicious actor solicited the New York Times as a national advertiser with legitimate ads for a week, perception of reputable advertising agency.

Another notable malvertising attack involved Kovter, an ad-fraud Trojan that simulates a user visiting pages with ads and automatically ‘clicking’ online advertisements. These type of page visits are known to generate revenue for the ad-hosting website. In 2015, Cyphort Labs discovered when users visited the Huffington Post website, multiple scripts were executed from the advertising network. Cyphort Labs revealed that the script would load an external function through HTTPS from Google AppSpot, which then loads additional function for a redirect through HTTPS which lead to the malware payload. This method made it very difficult to trace route to the origin of the malware redirect. This type of malware attacks required no user interactions.

A recent malvertising campaign incorporated Google’s DoubleClick ad serving service to deliver malicious payload to cryptocurrency miners. Trend Micro, a security news outlet, identified that advertisements found on high-traffic sites were using a crypto mining service named Coinhive which is noted as one of the top malicious threat to web users. Coinhive is a cryptocurrency mining service that resides on hacked web sites which is designed to pilfer processing power from the site’s servers dedicated to mine sequences of the Monero cryptocurrency.

Cyber Attribution

Cybersecurity experts are occasionally complexed when confronted with identifying malicious advertisements due to the unceasingly changes of different ads being exhibited on disparate webpages. The constant changing of ads resultantly could deliver a virus to one user while another user could potential avoid malicious payload on the same webpage. Due to the large daily submissions of online advertisements the advertising networks have difficulties with conducting thorough security vulnerability analysis before going live on their websites. Most advertisers only will perform deep analysis when a complaint is filed against an advertisement. Many of the leading websites that interact with mass number of users rely on third party vendors or software to display ads, causing a decrease in direct oversight and amount of vetting taking place.

Preventive Measures

There are a few recommended approaches a user may take to help mitigate susceptibility to malvertising attacks. Users may start by either removing unneeded software and/or ensure that all authorized software and extensions are kept up-to-date help protect devices and to keep them running smoothly lessen potential malware infections. In addition, using an anti-virus program may help protect against known threats to include proper removal of malicious software from the system. Lastly, consider deploying an ad blocker software or web browser plugins to prevent automated scripts from running on sites hosting malicious advertisements.

References

• https://arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
• https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/
• https://news.sophos.com/en-us/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
• http://go.cyphort.com/rs/181-NTN-682/images/Malvertising-Report-15-RP.pdf
• https://en.wikipedia.org/wiki/Malvertising
• https://www.cisecurity.org/malvertising/
• https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/