What's in a Malvertisement? More Magecart and a 186% Spike in Drive-by Delivery

External Threat Management

What’s in a Malvertisement? More Magecart and a 186% Spike in Drive-by Delivery

August 22, 2019

By Team RiskIQ

What's in a malvertisement?

The answer to that question is always changing because malvertising is ever-evolving. However, a six-month sample of RiskIQ's cyber threat detection data shows a fascinating cross-section of the current malvertising landscape.

The data shows a 186% increase in cases of drive-by malvertising (malvertisements that don't require a user click) over the previous six months, as well as more instances of malware. Meanwhile, there's been a slight scaling back of phishing and scams, possibly due to client efforts aimed at blocking that behavior and improving the user experience.

So, what's in a malvertisment? Here's what RiskIQ sees:

The amount of malvertisements RiskIQ detects fluctuates, but the big-picture in malvertising remains similar: cyber threat actors are after hijacking user sessions, delivering their malicious payloads, stealing PII, and inflating traffic to their sites. Some techniques go out of style. For instance, with the death of Coinhive, we saw a decline in the prevalence of JavaScript-based cryptocurrency miners (.8% of the current total). However, other JavaScript-based threats have risen to take their place. RiskIQ researchers recently discovered that Magecart Groups (17% of the current total), which have traditionally compromised sites directly or via third-party JavaScript to skim credit cards from users purchasing items, have also compromised creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once.

The most significant changes RiskIQ researchers have seen in the malvertising industry have come in the sophistication of delivery and fingerprinting methods. The bad guys have gotten much more advanced in how they detect and filter out cyber security companies attempting to help solve the problem and target the end-users most susceptible to their nefarious ends. You can read more about fingerprinting techniques here.

While malvertisements are only about .02% of the total of ad impressions we scan, given the sheer number of ads served, they continue to prey on countless end users. Malvertising and the economics behind it mirror the same economics that governs legitimate advertising—profitability is a numbers game that requires a large number of conversions for a scheme or campaign to be economically worthwhile.

Stopping Malvertising: It's on Us

To prevent malvertisements, consumers will continually turn to solutions like ad blockers, which drains the lifeblood of the free service internet. Also, simply staying off of sketchy sites and not clicking on suspicious-looking ads is no longer enough with the rise of drive-by malvertisements - ads that can be loaded through any network and drop a payload on a computer without a single interaction from the user.

Ultimately, the bulk of the work against malvertising shouldn’t fall on the end-user; it needs to be done by the entire digital advertising ecosystem. Because malvertising transcends the delivery chain, every party involved has a lot to lose. For publishers, it's a sure-fire way to lose the trust of your user base. For demand-side platforms, it will get you shut out from exchanges. For brands, it will waste marketing budget and erode brand equity.

Every participant in the ad delivery chain must undertake due diligence on the integrity of their ad inventory in order to ensure a safe advertising supply chain. Taking part in the solution is not only good for the individual companies involved but also good for the industry as a whole because ultimately, its the ad consumers that are the victims.

Why RiskIQ?

RiskIQ enables advertising and ad technology teams to take immediate action to identify and remove malicious malvertisement hosts and advertisers from your network or publisher website and minimize the cyber threat to your end-users. Our cloud-based service intelligently and continuously scans billions of pages and tens of millions of mobile apps per day to track advertisements as they move through the ad supply chain, as well as sandbox scanning of creative inventory.

Contact us to find out more about RiskIQ malvertising solutions.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event