Malvertising: 5 Lessons for Companies & Employees - InformationWeek


Partner Perspectives
01:00 PM
Bianca Stanescu

Malvertising: 5 Lessons for Companies & Employees

We could expect more from this repackaged e-threat.

In the last couple of years, malvertising has become more than simple click-fraud trapping unwary users with miraculous diet pills. In September 2009, an injected ad in The New York Times redirected readers to a site hosting malware. One year later, TweetMeme (which closed in 2012) suffered a scareware attack because of malvertising.

At Bitdefender, we have also discovered a similar campaign targeting online readers of National Geographic. These examples show malvertising can easily spread to a large number of legitimate websites and deliver huge infection rates. Silent malvertising also allows scammers to infect users with no clicking or direct interaction – yet another argument for companies and employees to start taking this e-threat seriously.

Let’s admit it: We find it everywhere. From social networks to reputable media outlets, this evolving threat continues to flood websites in many domains, affecting the entire advertising ecosystem. Billions of ad impressions are compromised by malvertising every year, and the recent attack targeting the US military industry is also a wake-up call for enterprises and governments.

Malvertising is unintentionally supported by two key features of online advertising:

  • Dynamism: Internet ads form a versatile medium that also allows scammers to stay undetected. Ad content changes regularly and relies on multiple parties, including advertisers, ad networks, ad exchanges, ad services, and site publishers, so cyber criminals can obscure their trail.
  • Externalization: Companies pay ad networks to distribute ads on their websites without knowing their content and purpose. This allows cyber criminals to pose as legitimate clients. Some fraudulent commercials also slip through because big ad networks sublet some advertorial space to third parties, usually smaller platforms. The smaller networks can end up placing malicious ads on reputable websites.

Here are five lessons that can help enterprises and employees thwart malvertising attacks:

1. Never consider yourself or your company completely safe. Even the most tech-savvy employees can become victims. Malvertising lurks just around the corner on legitimate websites, behind videos, and in banners that look just like any other advertisement.

2. Employees interested in business and computers are the most exposed – one more reason to believe malvertising continues to target enterprises. Recent research by Bitdefender revealed that the two most lucrative web categories abused by malvertisers are business, and computers and software. The landing pages of such websites bring scammers more profit than pornographic content, and the ads they host are a preferred target for injecting malicious code.

3. Malicious advertising also comes along with “friends.” To extend the definition, spamvertising, fraudvertising, and phishvertising are also used to spread spam and fraudulent and phishing URLs through legitimate online advertising networks and web pages. Our research showed that almost 7% of ads found on 150,000 websites could not only infect users with malware, but also target them with fraud, spam, and phishing, leading to bigger financial losses. The neutral ads represented 46%, only one percentage point less than those considered “good.”

Figure 1: Distribution of good, bad and neutral ads - Bitdefender research

4. Keep an eye on the most common infection vectors used by cyber criminals to place malicious code in advertisements. Here are some of them:

  • Pop-up ads for fictive downloads such as fake movie players, toolbars, plugins, and media converters
  • Hidden and obfuscated JavaScript code
  • Malicious banners
  • Third-party advertisements through sublet ad networks and content delivery networks
  • iFrames where malware can be embedded to avoid detection
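For publishers and security teams reviewing ad markup before or after it is served, the vectors above can be turned into a first-pass triage check. The following is an added example, not code from the article or from Bitdefender; the host names, the sample creative, and the short list of obfuscation indicators are constructed assumptions and deliberately incomplete.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, incomplete indicators of obfuscated script and hidden frames.
OBFUSCATION = re.compile(
    r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class AdCreativeAudit(HTMLParser):
    """Collects (kind, detail) findings for one ad creative."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed, self.findings, self._in_script = set(allowed_hosts), [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        if tag in ("iframe", "script") and host and host not in self.allowed:
            self.findings.append(("third-party-" + tag, host))
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tag == "iframe" and (tiny or HIDDEN_STYLE.search(a.get("style", ""))):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script body only
            for m in OBFUSCATION.finditer(data):
                self.findings.append(("obfuscated-js", m.group(0)))

def audit(html, allowed_hosts):
    parser = AdCreativeAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample creative; every host here is a placeholder.
SAMPLE = """<div class="ad-slot">
  <a href="https://shop.example/offer"><img src="https://cdn.publisher.example/b.png"></a>
  <iframe src="https://sublet-ads.example/frame" width="1" height="1"></iframe>
  <script>var p = unescape("%68%69"); eval(p);</script>
  <script src="https://cdn.publisher.example/ads.js"></script>
</div>"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE, {"cdn.publisher.example"}):
        print(kind, detail)
```

A finding here is a reason to look closer, not a verdict: legitimate ad tags also use tracking pixels and `document.write`, so the allowlist and patterns need tuning against known-good creatives.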

5. Stick strictly to the company’s BYOD policy. Mobile malvertising is on the rise, and studies show that “fat-finger syndrome” works for scammers, too. Employees tend to drop their guard when surfing the Internet on the go, so it’s important to stick to a strict BYOD policy that includes beefed-up security on all devices.

Everyone should get involved in mitigating malvertising risks – from ad networks to companies and regular employees. If the inner structure of the system remains this open, with so many parties involved and without thorough security scanning, cyber criminals will take more frequent advantage of companies, advertising platforms, and end-users. By fighting with the right weapons, we can all enjoy a cleaner and much safer advertising ecosystem. 

Bianca Stanescu is Bitdefender's down-to-earth Security Specialist, who's always on to a cyber-trendy story. She's the fraud and social media scam detective who always keeps a close eye on the security movers and shakers to report their deeds from a fresh perspective. After 9 ...
User Rank: Ninja
12/18/2014 | 12:44:19 AM
Harming the Business Environment
An excess amount of ads can tilt the user towards a negative frame of mind, but the right amount can provide a lot of benefits in helping the user/business to locate a product or service which makes an earlier process easier. Advertisements in this regard can help the economy reach a certain level of scale -- malvertising is just making this entire process more difficult. If users are going to be fearful of potential landing pages, then contact might never be established.