In the last couple of years, malvertising has become more than simple click fraud that traps unwary users with miraculous diet pills. In September 2009, an injected ad in The New York Times redirected readers to a site hosting malware. One year later, TweetMeme (which closed in 2012) suffered a scareware attack because of malvertising.
At Bitdefender, we have also discovered a similar campaign targeting online readers of National Geographic. These examples show malvertising can easily spread to a large number of legitimate websites and deliver huge infection rates. Silent malvertising also allows scammers to infect users with no clicking or direct interaction – yet another argument for companies and employees to start taking this e-threat seriously.
Let’s admit it: We find it everywhere. From social networks to reputable media outlets, this evolving threat continues to flood websites in many domains, affecting the entire advertising ecosystem. Billions of ad impressions are compromised by malvertising every year, and the recent attack targeting the US military industry also sounds a wake-up call for enterprises and governments.
Malvertising is unwittingly supported by two key features of online advertising:
Here are five lessons that can help enterprises and employees thwart malvertising attacks:
1. Never consider yourself or your company completely safe. Even the most tech-savvy employees can become victims. Malvertising lurks just around the corner on legitimate websites, behind videos, and in banners that look just like any other advertisement.
2. Employees interested in business and computers are the most exposed – one more reason to believe malvertising continues to target enterprises. Recent research by Bitdefender revealed that the two most lucrative web categories abused by malvertisers are business computers and software. The landing pages of such websites bring scammers more profit than pornographic content, and the ads they host are a preferred target for injecting malicious code.
3. Malicious advertising also comes along with “friends.” To extend the definition, spamvertising, fraudvertising, and phishvertising are also used to spread spam and fraudulent and phishing URLs through legitimate online advertising networks and web pages. Our research showed that almost 7% of ads found on 150,000 websites could not only infect users with malware, but also target them with fraud, spam, and phishing, leading to bigger financial losses. The neutral ads represented 46%, only one percentage point less than those considered “good.”
4. Keep an eye on the most common infection vectors used by cyber criminals to place malicious code in advertisements. Here are some of them:
5. Stick strictly to the company’s BYOD policy. Mobile malvertising is on the rise, and studies show that “fat-finger syndrome” works for scammers, too. Employees tend to drop their guard when surfing the Internet on the go, so it’s important to stick to a strict BYOD policy that includes beefed-up security on all devices.
Everyone should get involved in mitigating malvertising risks – from ad networks to companies and regular employees. If the inner structure of the system remains this open, with so many parties involved and without thorough security scanning, cyber criminals will take more frequent advantage of companies, advertising platforms, and end-users. By fighting with the right weapons, we can all enjoy a cleaner and much safer advertising ecosystem.

Bianca Stanescu is Bitdefender's down-to-earth Security Specialist, who's always on to a cyber-trendy story. She's the fraud and social media scam detective who always keeps a close eye on the security movers and shakers to report their deeds from a fresh perspective.