Ad-ditional Hazards: The Deceptive World of Malvertising and How to Stay Safe

Written by alexcybersmith | Published 2024/01/30
Tech Story Tags: cybersecurity | advertising | malvertising | malvertising-attacks | malicious-code | cyber-threats | malware | hackers

TLDRMalvertising is a significant online threat where ads spread malware. Attackers trick users into clicking harmful links and exploit software vulnerabilities to evade detection. Methods like using children's SSNs for synthetic ID theft are common. Protecting against malvertising involves regular audits, monitoring, and strict security policies for SaaS tools. Awareness and technical measures are key in safeguarding against these cyber threats.via the TL;DR App

Malvertising is a unique kind of online threat where malware is spread to users' devices through ads. In other words, advertisements act as carriers, transmitting harmful links via websites that users typically trust and regard as reputable.

Malvertising Attack Methods and Effects

Malvertising attacks are effective because they trick users into willingly clicking harmful links. Attackers study and infiltrate search focus groups that align with users' interests. As a result, users, driven by their passions and interests, end up downloading harmful content, unaware of the lurking threat.

Attackers bypass the user's defense mechanisms because there are no immediate warning signs of danger from the website or search engine. In addition, the download of the malicious code does not happen right away. It is during the second stage, when the individual has psychologically let their guard down, that the harmful download occurs.

Hackers often employ scripts and macros to carry out malvertising attacks. In particular, the attackers used to hone their techniques using Microsoft Word macros. Originally designed to boost productivity, macros have been manipulated by cybercriminals to serve their malicious purposes. As a result of this misuse, Microsoft decided to cease developing and promoting this potent functionality. However, getting rid of similar scripting mechanisms on the Internet turned out to be impossible. The inability to completely eliminate such scripts is a primary reason for the increasing commonality of malvertising attacks in recent times.

Let's look at the example of a cyberattack. Attackers create phishing web pages that mimic legitimate sites, offering downloads for popular applications. Currently, some of the most frequently targeted applications in search queries prone to malvertising attacks include TeamViewer, Tor Browser, Thunderbird, AnyDesk, Notepad++, etc.

The infection process starts as soon as the user downloads and installs the software from a fraudulent site. For example, alongside the legitimate version of Python, a Trojan-infected version is also installed on the operating system. This Trojan then establishes a connection with Cobalt Strike, a favored tool among hackers. Using Cobalt Strike, attackers can gather information about the installed operating system, copy user data, and search for files, directories, and services that have poorly configured access controls, making them vulnerable to exploitation.

Using PsExec, cURL, and BitsAdmin, attackers download additional tools. They can also escalate privileges within the system to execute their harmful code. There have been instances where the system's antivirus programs were either disabled or circumvented using specialized scripts, further facilitating the attackers' objectives.

Beyond attacks involving software downloads, malvertisers are also targeting various lucrative sectors of the online industry, such as entertainment and finance. They entice users to phishing sites where unsuspecting individuals believe they are investing their money into legitimate businesses. However, in reality, they are unwittingly handing over their funds directly to the hackers.

Advertisements and the Malware Detection Challenge

To place an advertisement in search results, you simply need to pay a fee and go through a preliminary verification process. The ease of implementing this procedure is well known. For example, in November 2022, it came to light that cybercriminals were able to display online ads for the popular graphics editor GIMP in Google search results. Users would encounter these ads when they were searching for alternatives to Photoshop. The malicious ad initially included a link to the legitimate gimp.org website, but due to some internal manipulations, it redirected users not to the official site but to a fake one that was infected with a Trojan.

In response to this and other attacks, the FBI issued recommendations to the public. They emphasized the importance of using specialized software called ad blockers. In their guidelines, the FBI advised users not to click on links directly but instead to copy and paste them into the address bar to verify their destinations first. While it is difficult to assess the effectiveness of this protection method, it does offer a way to mitigate risks.

It has been observed that there are persistent challenges in detecting malvertising code using antivirus tools. This issue is mainly attributed to the fact that, as reported by WatchGuard, a significant 93% of malware is currently concealed within encryption. According to the Threat Lab, the majority of malware operates covertly behind the protective cloak of SSL/TLS encryption, which is commonly used to establish secure connections to Internet resources. For this reason, the frequency of covert infiltration of malicious code is constantly growing.

In 2020, a significant incident occurred where malicious links spread through over 120 compromised ad servers. The malicious ads received hundreds of millions of views. Notably, the primary targets of these attacks were users of iOS and Android mobile devices. This highlighted the shift of malvertising attacks towards mobile platforms, catching many off guard. This is because mobile systems are protected in their own specific ways, and ads are typically enabled in most apps.

Evasion Techniques in Malvertising Attacks

Clearly, when conducting malvertising attacks aimed at a specific group of victims, there must be a specific method for choosing these targets. Such a mechanism does indeed exist and is actively employed.

Attackers employ a variety of tactics to evade detection for as long as possible. When selecting a method for delivering online advertising, they often use a camouflage approach. This involves tailoring content to match the user's interests, preferences, and location.

In essence, you need a specific trigger that can effectively engage the right type of user while concealing the presence of malicious code during checks. To achieve this, various parameters provided by web browsers are utilized, including location data (such as country and city), the browser type (e.g., Chrome, Firefox, or search robots), IP address (whether it is private, corporate, or VPN), and the current time of day (whether it is working hours or the weekend). If any of these parameters do not align with the attack's objectives, the script displays a harmless page that does not raise suspicions and may even redirect to official websites.


To evade detection by antivirus tools, attackers occasionally exploit limitations within software products. For example, many antivirus programs often postpone scanning large files, typically those exceeding 100 MB.

Defending Against Malvertising With Ad Blocker

Clearly, the most effective defense against malvertising attacks would be for the search networks to take action. However, Google and many websites rely heavily on revenue generated from ads. The owners of Internet resources are not inclined to combat malvertising even if it risks damaging their reputation. They often attempt to shift the blame onto ad networks.

End users have the option to employ ad blockers on their devices. However, this approach also presents several challenges. Ad elements are often deeply intertwined with the page code, causing the site to function incorrectly when ads are removed. Furthermore, some website owners intentionally block users with ad blockers to safeguard their revenue.

Securing Organizations from Malvertising Dangers

The growing number of incidents prompted the US Federal Cybersecurity and Infrastructure Security Agency (CISA) to recommend that all government agencies implement ad blockers. However, CISA also warned that ad blockers would not serve as a complete solution to thwart malicious advertising. One of the reasons here is that some ad blockers accept payments from advertisers, ensuring that their ads will not be blocked.

There is a proposal for both private and government organizations to adhere to industry security standards when using web browsers. The variety of web browsers and their different versions in use provides attackers with numerous avenues for exploitation.

Another suggestion is to isolate the web browsersinstalled within institutions from the primary operating environment and operate them within sandboxes. Additionally, there is a recommendation to extensively leverage domain name system (DNS) technologies.

Web content filtering can also be deployed to prevent malware from entering through online advertising and to neutralize data collection threats. To block undesirable traffic at Internet access points, some tools employ artificial intelligence to detect and identify threats.

Protection Tips for Individual Users

While ad blockers are good, to further strengthen your personal cybersecurity and protect against malvertising, it is crucial to employ additional methods. Here are some examples:

  • Be cautious when clicking on any ads, especially on unfamiliar websites. Stick to trusted and reputable websites for your online activities.

  • Learn to recognize common signs of malvertising, such as overly aggressive or suspicious ads, unexpected pop-ups, and requests for personal information.

  • Use a VPN to encrypt your traffic and add an extra layer of security when browsing.

  • Use reliable antivirus and anti-malware software, and regularly scan your computer for potential threats.

  • Consider disabling Java in your browser.

Conclusion

Malvertising methods are widely used to install malware. These attacks also extend to online platforms involving financial transactions, including retail, financial services, and the entertainment industry. Google Ads stands out as a prominent conduit for malicious advertising. Being aware of malvertising threats can diminish their impact, yet to ensure adequate protection, a combination of technical measures is essential.


Written by alexcybersmith | Security Expert, Journalist, Editor
Published by HackerNoon on 2024/01/30
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy