Malvertising, a relatively new threat, continues to evolve. Compared to other threat vectors such as spam or botnets, it is less researched and its true impact is unknown. Yet the number of malvertisements continues to grow at an alarming rate.
Malvertising is up 260% in the first half of 2015 compared to the same period in 2014, according to data from two billion web pages and 10 million mobile apps crawled daily by RiskIQ. The number of unique malvertisements has increased 60% year over year.
The growth in malvertising correlates directly with the rise of programmatic buying in advertising. With the human element removed, the system is easily abused, as it was not optimized for cyber security.
Historically, the responsibility for stopping malvertising sat firmly in the realm of ad operations. However, CISOs are beginning to recognize the impact malvertising can have on brands and the challenge of preventing its spread.
Malvertising has the lowest barrier to entrance for running malware on websites. RiskIQ Director of Research James Pleger explains,
The major increase we have seen in the number of malvertisements during the past 48 months confirms that digital ads have become the preferred method for distributing malware.
There are a number of reasons for this development, including the fact that malvertisements are difficult detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.
Conventional Sensors Are Blind to Malvertising
Malvertising combines access, scale and targeting for a cost effective and high impact threat vector. Conventional cyber security sensors typically go only as far as the endpoint while malvertising jumps into pages via third-party sources beyond the defensive perimeter of the firewall. Because malicious ads come from the ad ecosystem and not native infrastructure, traditional cyber security sensors cannot detect them.
Malvertising is to malware as laser guidance systems are to missiles. All weapons need guidance systems. If your weapon is malware, you need guidance systems for targeting people. People who use the Internet are targeted all day, everyday by ads.
Every online action is tracked, including the websites we visit, the terms we search for in search engines, the links we click and more. This data is then packaged and sold to advertisers by ad tech companies who connect advertisers with eyeballs.
Subsets of this data are valuable to cyber thieves. For example, some exploit kits rely on vulnerabilities present on specific devices and software. Malvertisers use data about a victim’s device, OS or browser to drop the most effective exploit kit on a victim. Otherwise, lures are needed to convince victims to download malware.
In 2014, the top malvertising lures were exploit kits which automatically installed malware on victims’ devices if the required vulnerabilities were present. In 2015, fake software updates have surpassed exploit kits as the malvertising threat of choice.
Malvertisers match malicious ads with the sites we’re visiting, when and where we’re visiting them. Deployed by programmatic buying portals with geo-targeting capabilities, malicious ads follow us around the Internet. These ad tech platforms also enable malvertisers to optimize for conversions and ultimately, ROI for their campaigns, just like advertisers do. This lowers collateral damage, making malvertising campaign detection difficult.
The ability target high value victims and vulnerable individuals makes malvertising a powerful weapon for cyber criminals. It’s 2015 -- what is your cyber security program doing about malicious digital ads?