Attacks on highly-automated ad networks serving major Websites
demonstrate that attackers are finding ways to exploit the
poorly-defended online ad market.
For two days in mid-March, visitors to major news and
information sites—such as the New York Times, Newsweek, The Hill and the
Weather Network—may have been redirected to Web servers that attempted
to infect visitors' systems with a variant of the Angler exploit kit
and, ultimately, ransomware.
So far, the impact of the attack is unknown, but a single antivirus vendor, Trend Micro,
recorded 41,000 infection attempts
among its users between March 12 and 14. The attack hit visitors to
AOL, the BBC, NFL, The Hill, Newsweek, the New York Times, MSN,
Realtor.com, The Weather Network and the Xfinity portal, according to Malwarebytes, an endpoint security firm.
Another attack used ads on the site of a major British newspaper, The
Daily Mail, to attempt to infect visitors the same week, but was likely
part of a different campaign, the firm stated.
Overall, the attacks demonstrate that attackers can readily exploit
weaknesses in the complex ad market and take advantage of the trust in
publisher brands that have little to do with the trustworthiness of the
ad content, Craig Young, security researcher with the Vulnerability and
Exposure Research Team (VERT) at Tripwire, told
eWEEK.
"It is exploiting the fact that people have trust for popular Websites,"
he said. "If you go to the Website of a major newspaper, you are going
to expect that it will have sanitized content. You would expect that an
attacker would have to breach the security of the publisher to put
something on the site."
However, malvertising makes an end-run around that assumed security, he said.
"Shady" ad networks
No wonder, then, that malvertising is—at least anecdotally—on the rise.
Such attacks are happening more often—albeit, not always on such
well-known sites—because attackers are becoming more sophisticated and
more at ease with the complexities of the ad market, Jerome Segura,
senior security researcher with Malwarebytes, told
eWEEK.
"There are daily attacks and they typically happen via ad networks that
are a bit shady, and by 'shady,' I mean companies that have very lax
security practices," Segura said.
The advertising ecosystem is very complex, and that complexity allows
attackers to thrive in the "shady" parts of the ecosystem—those areas
where top-line publishers, advertisers and ad networks may not have
visibility, he said.
Norman Guadagno, chief evangelist for data-backup and security firm
Carbonite and a former ad agency representative, also argued that the
complexity makes malvertising a tough problem to solve. Every day,
advertising networks deliver some 314 billion ad impressions to Website
visitors, according to Guadagno, citing numbers from the Goodway Group,
an online marketer.
"It is a problem that is rooted fundamentally in the complexity of the ad ecosystem," he told
eWEEK.
"Between all the ad networks, all the sites, all the ads being served,
all the code being used to make ads—it is a big, insanely complex
ecosystem that has vulnerabilities."
Ad-savvy attackers
While the complexity of the advertising ecosystem helps malvertising
hide, attackers are also becoming more knowledgeable about how to take
advantage of that complexity.
In a recent study of one malvertising campaign, Malwarebytes found that
attackers used targeted ads to focus on certain segments of the consumer
marketplace and have started adding code to their ad banners that
fingerprint the targeted computer, determining its operating system,
browser and what security software it may be running, according to
the firm. This tactic also lets the attacker look for the telltale signs that a
visitor is not a human, but an analyst's machine testing the
advertisement for malicious activity, Malwarebytes' Segura said.
"Attackers are highly motivated and they are looking for new vectors all
the time," he said. "Ad banners not only redirect to Websites, but they
fingerprint the Website. Rather than direct people to the exploit kit,
they wanted to figure out the potential victims—and hide from
researchers—for longer periods of time."
The study looked at more than 100 fake advertising domains that had fake
profiles and used malicious GIF advertisements to target only
residential IP addresses. More than 40 percent of infections affected
computers in the United States at a cost of 19 cents per 1,000
impressions.
"The fingerprinting techniques—coupled with geolocation and IP
checks—are effective but have been (historically) employed relatively
late in the infection chain," the report stated. "It only made sense to
add them at the traffic redirection phase to ensure only 'qualified'
users were being redirected to exploit kits."
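As an added example (not code from eWEEK or any of the vendors quoted), the Python check below reconstructs the redirect chain an ad banner sets off by following Referer links in proxy log lines, and flags chains that pass through the ad network and end on a host outside the publisher's and ad network's own domains; all host names and log lines are constructed placeholders.

```python
# Added example (not eWEEK's or any vendor's code); every host and log line is constructed.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: epoch-seconds client url referer(or -) status
SAMPLE_LOG = """\
1457870401 10.0.0.5 https://news.example/front-page - 200
1457870402 10.0.0.5 https://ads.adnet.example/serve?id=77 https://news.example/front-page 200
1457870403 10.0.0.5 https://cdn.adnet.example/banner.gif https://ads.adnet.example/serve?id=77 200
1457870404 10.0.0.5 https://track.shady.example/fp.js https://cdn.adnet.example/banner.gif 200
1457870405 10.0.0.5 https://landing.example.net/index.php https://track.shady.example/fp.js 302
1457870406 10.0.0.5 https://landing.example.net/xyz.swf https://landing.example.net/index.php 200
1457870410 10.0.0.9 https://news.example/front-page - 200
1457870411 10.0.0.9 https://ads.adnet.example/serve?id=78 https://news.example/front-page 200
"""
AD_HOSTS = {"ads.adnet.example", "cdn.adnet.example"}  # the ad network (constructed)
TRUSTED_HOSTS = {"news.example"} | AD_HOSTS             # publisher plus ad network

def host(url):
    return urlsplit(url).hostname or ""

def parse_log(text):
    """Return (ts, client, url, referer_or_None, status) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, url, ref, status = line.split()
        rows.append((int(ts), client, url, None if ref == "-" else ref, int(status)))
    return rows

def flag_offsite_chains(rows):
    """Return [(client, [host, ...])] for leaf requests (nothing refers to them)
    whose Referer chain passes through an ad host and ends outside TRUSTED_HOSTS."""
    refs = defaultdict(dict)  # client -> {url: referer}
    for _, client, url, ref, _ in rows:
        refs[client][url] = ref
    flagged = []
    for client, edges in refs.items():
        referenced = set(edges.values())
        for url in edges:
            if url in referenced or host(url) in TRUSTED_HOSTS:
                continue  # not a leaf, or the chain never left trusted hosts
            chain, cur, seen = [], url, set()
            while cur and cur not in seen:  # walk Referer links back to the root page
                seen.add(cur)
                if not chain or chain[0] != host(cur):  # collapse same-host hops
                    chain.insert(0, host(cur))
                cur = edges.get(cur)
            if any(h in AD_HOSTS for h in chain):
                flagged.append((client, chain))
    return flagged
```

Only the client that was sent on to the off-network landing host is reported; the client whose requests stayed on the publisher and ad network is not.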
The complexity of advertising networks and the ability of
attackers to easily hide in a way that is not apparent to users raises
questions about the best way to fight malvertising.
Advertising networks and advertisers need to focus on being aware
of who is supplying their content and forming a chain of trust from the
publisher all the way down to the advertiser, said experts.
Unfortunately, with real-time bidding and programmatic advertising
making the ad-buying process faster, there is less time for anyone in
the chain to make a decision on the content of an ad, said Christopher
Budd, global threat communications manager with Trend Micro.
"Advertising is a very fast market, and one thing we know in security is
that speed kills … whether we are talking about shortened development
time or trying to push things out and not spending enough time on a
security architecture review," he said. "Doing it really well requires a
more methodical approach."
The speed factor was on display in the latest attack. The majority of
the traffic sent to potential victims came during a 12-hour period late
in the day on March 13—a Sunday, according to
data from Trend Micro.
Malvertising underscores the security problems in the advertising
ecosystem posed by the inconsistent vetting of third-party content
suppliers. While users are the ultimate victims, there is very little
they can do to force publishers and advertising networks to ensure that
their content is non-malicious.
However, users can harden their systems and treat with suspicion any odd
Website behavior, Trend Micro's Budd said. Endpoint security
software—whether an antimalware program, a network-based service such as
OpenDNS, or an application firewall such as Little Snitch—can help
catch malvertising before it infects a system.
"At the end of the day, the more people make themselves non-viable
targets, the more that this particular attack vector will evaporate," he
said. "The criminals are not going to go away, unfortunately. If we
make malvertising not worth the time, however, they will move onto
something else."