What Is Malvertising?

We have now entered an age where you can lose your files, photos, and music simply by visiting a reputable website.

Earlier this year, the Huffington Post unwittingly served up a malicious Hugo Boss advert to its visitors. The ad infected visitors' machines with the Cryptowall ransomware, which encrypted the users' files and extorted money from them to get their files back. The scary part? The user didn't have to click on anything to become infected. Since then, more occurrences of malvertising have been reported.

What is going on, and how can you protect yourself?

Surprise attack by the Decepticons

These ads are not being served directly from the Huffington Post or any other "trustworthy" site that you visit. Even the first-party ad networks aren't directly loading the malware. The attack typically originates from an upstream ad network.

Ads are typically loaded by scripts, which load more scripts, which load more and more scripts. By the time all of an ad's scripts are loaded, your browser may have had to contact dozens of sites all across the Internet just to retrieve them all. At the end of the day, neither the Huffington Post nor its ad network has any control over, or knowledge of, where many of these scripts came from or what they contain. The attacker may have supplied a benign script for initial authorization by the upstream ad network, and later submitted a malicious one as a revision under lesser scrutiny.
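To see that chain for yourself, here is an added example (not code from the original post) that groups the scripts a page loaded by the site that served them and flags every site other than the page's own. In a browser you would feed it `performance.getEntriesByType('resource')`; the entries and `.test` hostnames below are constructed so it runs offline in Node.

```javascript
// Added example: audit which sites served a page's scripts.
// Constructed sample standing in for performance.getEntriesByType('resource').
const SAMPLE_ENTRIES = [
  { name: 'https://www.example-news.test/js/app.js', initiatorType: 'script' },
  { name: 'https://cdn.example-news.test/css/site.css', initiatorType: 'link' },
  { name: 'https://ads.first-party-network.test/loader.js', initiatorType: 'script' },
  { name: 'https://tag.upstream-exchange.test/sync.js', initiatorType: 'script' },
  { name: 'https://creative.upstream-exchange.test/c/123.js', initiatorType: 'script' },
  { name: 'https://cdn.unknown-vendor.test/r.js', initiatorType: 'script' },
  { name: 'https://img.example-news.test/logo.png', initiatorType: 'img' },
];

// Approximate the registrable domain with the last two hostname labels.
// (Fine for .test or .com; a production tool would use the Public Suffix List.)
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Group every <script>-initiated resource by serving site and list the
// sites that are not the page's own, i.e. the ad chain the page cannot vouch for.
function auditScriptOrigins(entries, pageOrigin) {
  const pageSite = siteOf(new URL(pageOrigin).hostname);
  const bySite = new Map();
  for (const e of entries) {
    if (e.initiatorType !== 'script') continue;   // ignore images, CSS, etc.
    const host = new URL(e.name).hostname;
    const site = siteOf(host);
    if (!bySite.has(site)) bySite.set(site, new Set());
    bySite.get(site).add(host);
  }
  const thirdPartySites = [...bySite.keys()].filter(s => s !== pageSite).sort();
  return {
    scripts: entries.filter(e => e.initiatorType === 'script').length,
    sites: bySite.size,
    thirdPartySites,
    hostsBySite: Object.fromEntries([...bySite].map(([s, h]) => [s, [...h].sort()])),
  };
}

const report = auditScriptOrigins(SAMPLE_ENTRIES, 'https://www.example-news.test/');
console.log(`${report.scripts} scripts from ${report.sites} sites; ` +
            `third-party: ${report.thirdPartySites.join(', ')}`);
```

Run it on a real news page and the third-party list is usually far longer than the single first-party ad network the site actually has a contract with.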

The word "script" carries certain connotations. Scripts execute. They "do stuff" in your browser - they make things happen when you click, when you scroll, or in this case, even when you do nothing. In the case of the malvertisement, the scripts take advantage of known and unknown vulnerabilities in other parts of your system - typically Flash. You may remember that Flash is one plugin that's not available on your iPad. Well, here's one of the reasons: it's notoriously insecure.

That "bad" script that was injected upstream will take advantage of a yet-to-be-published vulnerability in Flash, which in turn downloads and launches ransomware on your system. Next thing you know, all of your files are encrypted, and you have no choice but to ask one of the fine IT professionals in the SBCN for help. I've seen a sharp jump in calls from new customers asking to be rescued from the Cryptowall ransomware because infections are on the rise. You used to need to open an attachment that came in by email. Some people were wise to that and could avoid the infection. Those days are gone.

So what can be done to prevent the attack?

One way to protect yourself would be to turn scripting off in the browser, but that's not practical. You'd quickly find out that most of your favourite websites no longer work, as today's web relies pretty heavily on scripting. There are plugins available that allow you to selectively disable scripts one at a time. But remember my description above of how many scripts can be loaded just for one ad? This gets annoying very quickly, and therefore isn't practical either.

Uninstall Flash. While you're at it, uninstall Java too, unless you actually need either one. And if you need Java because your kid plays Minecraft, then at least disable its browser plugin.

Use exploit prevention software, such as Malwarebytes Anti-Exploit or Cryptoprevent. Use managed services from one of your trusted IT partners in the SBCN network to keep your anti-virus (for prevention) and backups (for recovery) monitored and up to date.

You could also use an ad blocker, but be aware of the impact of doing so. Many websites you visit are only able to offer their content because it is sponsored by ads. In fact, web advertising vs. ad blocking is a hot topic these days because ad blocker usage is on the rise. You are effectively removing your support for the content by blocking the ad. It is, however, 100% effective at avoiding this threat.

One (potential) alternative to ad blocking is Google Contributor. It is only an experiment at the moment, and there is a waiting list to sign up. It allows you to pay to not see ads (from their network). Your payment helps to support the site hosting the ad, so you still get to support the content. It's a neat compromise, and I hope it takes off. Joining the waiting list is a good way to show them you support the idea.

As usual, drop me a line if you want to discuss this further.
https://www.sbcncanada.org/whois/4524

Source 1: http://bit.ly/1LwlJJQ
Source 2: http://bit.ly/1LwmOkW
Malwarebytes Anti-Exploit: https://www.malwarebytes.org/antiexploit/
Cryptoprevent: https://www.foolishit.com/cryptoprevent-malware-prevention/
Google Contributor: https://www.google.com/contributor/welcome/