CSIAC

Cyber Security and Information Systems Information Analysis Center

Malvertising Explored

Posted: 12/17/2018

Introduction

Malvertising is a malicious form of online advertisement used to inject malware into legitimate online advertising networks and webpages. Advertisements are produced with significant effort to attract users and sell or advertise a product, which makes for a prime platform for spreading malware. Malvertising can exist even on the most popular and reputable websites without directly compromising them.

Watch this companion CSIAC Video Podcast: https://www.csiac.org/podcast/malvertising-explored/

Malvertising is a stealthy way of distributing malware because it can work its way into a webpage and spread through a system without the user knowing. The malware does not require any user interaction, such as clicking on a link, in order to compromise the system or exploit vulnerabilities in the hosting website or server. The malware can travel silently through the webpage’s advertisements. Internet users are exposed to advertisements on a day-to-day basis, which increases the likelihood of malware compromise no matter how cautious one may be. Malvertising is a major factor in the spread of ransomware and bitcoin coin-mining payloads, as well as other similar malicious payloads such as WannaCry, Petya, Cryptolocker and Locky.

Malvertising was first seen back in late 2007 and early 2008, with 2014 being the year of the outbreak, with a 325% increase in attacks according to the security firm Cyphort. In 2015, malvertising soared on mobile platforms, and the first political malvertising campaign, carrying pro-Russia propaganda, was seen, according to Trustwave. Currently, in 2018, it can be seen spreading crypto ransomware and hijacking Google’s DoubleClick ad service in order to mine bitcoin.

The Infection Process

It is important to note that infection does not occur only when a user clicks on the advertisement; it may be delivered by doing nothing more than visiting a webpage hosting the malicious advertisement. A successful ‘drive-by-download’ attack involves 5 stages:

  • Stage 1: Entry point
    • Simply visiting a website that is running malicious code can infect the user with malware without the user even noticing.
  • Stage 2: Distribution
    • Most malware will redirect the user to a malicious exploit server, where sophisticated malware packaged in an “exploit kit” will look for a vulnerability on the target’s machine. It will look for vulnerabilities in the operating system, the web browser and other third-party software installed.
  • Stage 3: Exploit
    • After the exploit kit has determined the operating system in use or the software installed, it will attempt to leverage vulnerabilities against them.
  • Stage 4: Infection
    • This stage occurs after a vulnerability has been identified; the exploit kit begins downloading what is known as a “payload” that installs itself on the user’s computer. It can be made to steal data or extort money from the user.
  • Stage 5: Execution
    • The final stage of a drive-by-download is the execution of the payload. Depending on the maker’s intent, the malware can be made to extract sensitive data such as credentials, banking or credit card information, or it can be used to hold the user’s files hostage until the user pays to have them released, which is known as ransomware.

Like traditional software, malware has evolved with different functionalities depending on the intent of the developer. For example, clicking an advertisement link could activate malware that directly infects the user or redirects the user to a malicious site. Redirection to another site is normally expected when a user clicks on any advertisement, which is what makes this route of spreading malware so often successful. If users are redirected from legitimate services to fraudulent ones, this can lead to the download of malicious payloads, as well as the gathering of data without consent.

Malvertising Campaigns

Malvertising tactics have evolved from exploiting weak advertisement management panels to more sophisticated methods that rely on deceptive techniques. Currently, the Angler Exploit Kit is one of the most popular toolkits cybercriminals use to exploit vulnerabilities in systems and distribute malware. The Angler Exploit Kit uses several evasion techniques that help it avoid detection, and it contains multiple layers of obfuscation, such as hidden executable code, which is very difficult for cybersecurity analysts to discover during routine threat hunting.

Earlier malvertising campaigns displayed fraudulent advertisements stating that the user’s computer had been infected with a virus, along with a pop-up message prompting the user to download software to remedy the infection. For example, one of the most notable malvertising events was linked to the New York Times’ banner feed being exploited during the weekend of September 11 to 14. In these cases the software being installed was itself malicious. According to Cyphort, the malicious actor approached the New York Times as a national advertiser and ran legitimate ads for a week, creating the perception of a reputable advertising agency.

Another notable malvertising attack involved Kovter, an ad-fraud Trojan that simulates a user visiting pages with ads and automatically ‘clicking’ online advertisements. These page visits are known to generate revenue for the ad-hosting website. In 2015, Cyphort Labs discovered that when users visited the Huffington Post website, multiple scripts were executed from the advertising network. Cyphort Labs revealed that the script would load an external function over HTTPS from Google AppSpot, which then loaded an additional function that performed a further HTTPS redirect leading to the malware payload. This method made it very difficult to trace the redirect chain back to the origin of the malware. This type of malware attack required no user interaction.

A recent malvertising campaign incorporated Google’s DoubleClick ad-serving service to deliver cryptocurrency miners as its malicious payload. Trend Micro, a security news outlet, identified that advertisements found on high-traffic sites were using a crypto-mining service named Coinhive, which is noted as one of the top malicious threats to web users. Coinhive is a cryptocurrency mining service that resides on hacked websites and is designed to pilfer processing power from the site’s servers to mine the Monero cryptocurrency.
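The Kovter and Coinhive campaigns above share a shape that a defender can look for in proxy or browser request logs: a request chain that starts in an ad slot, hops through hosts that belong neither to the publisher nor to the ad network, and ends in an executable download or in a third-party script that the ad slot pulled in directly. The following Python script is an added illustration written for this report, not code from the original article or from any of the vendors it cites. It reconstructs those chains from a constructed log (the `.test` host names, the log format and the allowlists are all hypothetical) and flags the chains that match the two patterns the report describes.

```python
"""Reconstruct request chains that originate in an ad slot and flag the ones
that behave like the malvertising campaigns described above: several hops off
the ad network ending in an executable, or a third-party script pulled
straight into the ad slot.  Added illustration for this report; every host
name below is constructed (.test is a reserved TLD) and the log format is a
hypothetical one.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

PUBLISHER_HOSTS = {"news.example.test"}   # constructed: the site the user visits
AD_NETWORK_HOSTS = {"ads.adnet.test"}     # constructed: the ad network it embeds
TRUSTED_HOSTS = PUBLISHER_HOSTS | AD_NETWORK_HOSTS

SCRIPT_TYPES = {"application/javascript", "text/javascript"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed log, one request per line:
#   <timestamp> <method> <url> <initiator-url or -> <response content type>
# The initiator is the document, script or redirect that triggered the request.
SAMPLE_LOG = """
2018-12-17T10:00:01Z GET https://news.example.test/article - text/html
2018-12-17T10:00:02Z GET https://ads.adnet.test/slot?id=42 https://news.example.test/article text/html
2018-12-17T10:00:02Z GET https://ads.adnet.test/creative.js https://ads.adnet.test/slot?id=42 application/javascript
2018-12-17T10:00:03Z GET https://relay.hosted-functions.test/fn https://ads.adnet.test/slot?id=42 application/javascript
2018-12-17T10:00:03Z GET https://cdn.second-hop.test/loader https://relay.hosted-functions.test/fn application/javascript
2018-12-17T10:00:04Z GET https://drop.second-hop.test/update.exe https://cdn.second-hop.test/loader application/x-msdownload
2018-12-17T10:00:05Z GET https://miner.other.test/lib.js https://ads.adnet.test/slot?id=42 application/javascript
""".strip().splitlines()


def host_of(url):
    """Host name of a URL, or '' for the '-' marker used for user navigation."""
    return urlparse(url).hostname or ""


@dataclass
class Request:
    url: str
    initiator: str
    content_type: str

    @property
    def host(self):
        return host_of(self.url)


def parse_log(lines):
    """Parse the hypothetical five-column log format into Request records."""
    reqs = []
    for line in lines:
        if line.strip():
            _ts, _method, url, initiator, ctype = line.split()
            reqs.append(Request(url, initiator, ctype))
    return reqs


def build_chains(reqs):
    """Return every root-to-leaf chain that starts with an ad-network request
    embedded by the publisher page."""
    children = {}
    for r in reqs:
        children.setdefault(r.initiator, []).append(r)
    roots = [r for r in reqs
             if r.host in AD_NETWORK_HOSTS and host_of(r.initiator) in PUBLISHER_HOSTS]

    def walk(node, path):
        path = path + [node]
        kids = [k for k in children.get(node.url, []) if k not in path]  # loop guard
        if not kids:
            yield path
        for kid in kids:
            yield from walk(kid, path)

    return [chain for root in roots for chain in walk(root, [])]


def classify(chain):
    """Reason a chain is suspicious, or None when it stays inside trusted hosts."""
    leaf = chain[-1]
    off_network = [r for r in chain if r.host not in TRUSTED_HOSTS]
    if leaf.content_type in BINARY_TYPES:
        return ("drive-by download: executable fetched after %d hop(s) outside the ad network"
                % len(off_network))
    if leaf.content_type in SCRIPT_TYPES and leaf.host not in TRUSTED_HOSTS:
        return "third-party script pulled into the ad slot from %s" % leaf.host
    return None


def find_suspicious_chains(lines):
    """List of (reason, [urls in the chain]) for every flagged chain."""
    findings = []
    for chain in build_chains(parse_log(lines)):
        reason = classify(chain)
        if reason:
            findings.append((reason, [r.url for r in chain]))
    return findings


if __name__ == "__main__":
    for reason, urls in find_suspicious_chains(SAMPLE_LOG):
        print(reason)
        print("   " + " -> ".join(urls))
```

On the constructed log the benign creative served from the ad network itself is not reported, while the three-hop chain ending in `update.exe` and the one-hop script from an unknown host both are. The allowlists are the point of the design: because the ad network rotates creatives constantly, a detector keyed on specific ad URLs goes stale immediately, whereas the set of hosts the publisher has actually contracted with changes slowly and can be reviewed.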

Cyber Attribution

Cybersecurity experts are occasionally perplexed when trying to identify malicious advertisements, because the ads displayed on different webpages change unceasingly. As a result of this constant rotation, one user may be delivered a virus while another user visiting the same webpage may avoid the malicious payload. Because of the large daily volume of online advertisement submissions, advertising networks have difficulty conducting thorough security vulnerability analysis before ads go live on their websites. Most advertisers will perform a deep analysis only when a complaint is filed against an advertisement. Many of the leading websites that interact with large numbers of users rely on third-party vendors or software to display ads, which decreases direct oversight and the amount of vetting that takes place.

Preventive Measures

There are a few recommended approaches a user may take to help mitigate susceptibility to malvertising attacks. Users may start by removing unneeded software and ensuring that all authorized software and extensions are kept up to date, which helps protect devices, keeps them running smoothly, and lessens the chance of malware infection. In addition, using an anti-virus program may help protect against known threats, including the proper removal of malicious software from the system. Lastly, consider deploying ad-blocking software or web browser plugins to prevent automated scripts from running on sites hosting malicious advertisements.
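The measures above are taken by the user; the publisher-side counterpart to an ad blocker is a Content Security Policy, which tells the browser which script origins the page may load. The following Python module is an added example written for this report, not code from the original article: it evaluates a `script-src` (or fallback `default-src`) directive against a script URL the way a browser would, and contrasts a permissive policy with a strict one using constructed `.test` host names. It handles the source forms that matter in practice: `'self'`, `'none'`, `'unsafe-inline'`, `*`, scheme sources such as `https:`, and host sources with an optional scheme, port and leading `*.` wildcard.

```python
"""Evaluate whether a Content-Security-Policy header would let a page load a
given script.  Added illustration for this report; host names are constructed
and the two policies are examples, not a recommendation for any real site.
"""
from urllib.parse import urlparse

PAGE = "https://news.example.test"                       # constructed publisher origin
AD_SCRIPT = "https://ads.adnet.test/creative.js"          # constructed: the contracted ad network
MINER_SCRIPT = "https://miner.other.test/lib.js"          # constructed: a script no one contracted for

# A policy that permits everything the ad slot might drag in, and one that
# permits only the page itself and the one ad network it actually uses.
WEAK_POLICY = "default-src 'self'; script-src * 'unsafe-inline'"
STRICT_POLICY = "default-src 'self'; script-src 'self' https://ads.adnet.test"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Map each directive name to its list of source expressions.
    As in browsers, the first occurrence of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def _host_source_matches(src, page_scheme, target):
    """Match a host-source expression (e.g. https://ads.adnet.test:443, *.adnet.test)."""
    if "://" in src:
        scheme, _, hostport = src.partition("://")
    else:
        scheme, hostport = "", src
    host, _, port = hostport.partition(":")
    if scheme and target.scheme != scheme.lower():
        return False
    # A host source without a scheme matches the page's scheme (and https).
    if not scheme and target.scheme not in (page_scheme, "https"):
        return False
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if port and port != "*" and int(port) != target_port:
        return False
    target_host = (target.hostname or "").lower()
    host = host.lower()
    if host.startswith("*."):
        return target_host.endswith(host[1:])   # "*.adnet.test" matches "cdn.adnet.test" only
    return target_host == host


def script_allowed(header, page_origin, script_url=None):
    """True if the policy lets page_origin run script_url.
    script_url=None asks about an inline <script> block instead."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True            # no governing directive: the browser allows everything
    if script_url is None:
        return "'unsafe-inline'" in sources
    if sources == ["'none'"]:
        return False
    page = urlparse(page_origin)
    target = urlparse(script_url)
    for src in sources:
        if src == "'self'":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
        elif src.startswith("'"):
            continue           # nonce-, hash- and other keyword sources are not evaluated here
        elif src == "*":
            return True
        elif src.endswith(":"):
            if target.scheme == src[:-1].lower():
                return True
        elif _host_source_matches(src, page.scheme, target):
            return True
    return False


def audit_scripts(header, page_origin, script_urls):
    """Decision per script URL, useful for reviewing a policy before deploying it."""
    return {url: script_allowed(header, page_origin, url) for url in script_urls}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_scripts(policy, PAGE, [AD_SCRIPT, MINER_SCRIPT]),
              "inline:", script_allowed(policy, PAGE))
```

Under the weak policy both the ad creative and the unwanted miner script load, and inline script is permitted as well; under the strict policy only the page's own scripts and the contracted ad network pass. One caveat matters here: a CSP on the publisher page governs the publisher's document only. An ad that is rendered inside a cross-origin iframe is a separate document with its own policy, so the `sandbox` attribute on the iframe, not the page's CSP, is what limits what that ad can do.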

References

  • https://arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
  • https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/
  • https://news.sophos.com/en-us/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
  • http://go.cyphort.com/rs/181-NTN-682/images/Malvertising-Report-15-RP.pdf
  • https://en.wikipedia.org/wiki/Malvertising
  • https://www.cisecurity.org/malvertising/
  • https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

Author

Nicholas Maida
Mr. Maida is a Cybersecurity Engineer with Quanterion Solutions Inc. in Utica, NY. He has over 5 years in the field and has obtained multiple certifications. He earned his Master’s degree in Cybersecurity Operations from Utica College with a concentration in cyber operations. His areas of expertise include work in the Risk Management Framework, computer and network security, information assurance, and cloud computing. Other research and development work includes IDS/IPS, implementation of current cybersecurity best practices, and scripting.

Technology Areas: Cybersecurity Tags: Cryptocurrency, Malware, Ransomware
