- April 06, 2016
- Info notes
Recently, security firms have reported an increase in malvertising activity. Some of the world's most popular websites have been unwittingly hosting/displaying malicious advertisements, potentially spreading malware to thousands of visitors putting their computer and data security at risk. This is unusual, as malicious advertisements are most often displayed on dodgy or untrustworthy websites. This Info note exposes what malvertising is, how it works, and gives pointers for protection.
What is malvertising?
Malicious advertising (malvertising) uses online advertising to spread malware. In malvertising, attackers inject malicious code in seemingly innocuous online advertisements. Then, they upload the harmful advertisements to advertising companies and the latter distribute them to websites.
Once a user visits a website contaminated by malvertising, the malicious advertisement loads and automatically redirects them to the attacker's server. The server usually hosts an exploit kit that automatically attempts to exploit vulnerabilities on the user's system and deploy various types of malware with the most prominent being ransomware. Exploit kits like Angler are very effective at exploiting vulnerabilities in popular web browsers and browser plug-ins like Flash.
Real Time Ad Bidding
The mechanism by which ads are displayed on web sites involves a great deal of background activity, commonly known as Real Time Ad Bidding. For every advertisement to be displayed on a web page, instantaneous auctions take place in the background. During the bidding process, advertising companies compete with each other to deliver their advertisements on the web page.
Online advertisements might follow a long path within an advertisement network before they are displayed on a web page. Thus a request for an advertisement to be displayed in a website might originate from one advertisement company and the actual advertisement might return from another one in the chain. This adds a layer of complexity in controlling the sources of online advertisements delivered in a website.
How the attack is performed
Malvertisers start by registering with legitimate ad brokers. At first they deliver legitimate advertisements to gain trust and build their reputation within the advertisement network. Once their reputation is established, they start delivering malicious advertisements until a target number of infected machines is reached. Then attackers deliver benign advertisements again. After a successful malvertising campaign attackers migrate to a new malicious server and initiate a new campaign. This kind of "hit and run" attacks are highly effective in distributing malware and avoiding detection.
There are different ways for the attackers to distribute their malicious advertisements:
Compromise an ad network and deliver malicious ads to first-tier publishing websites.
Use a technique called "domain shadowing": create subdomains under a legitimate domain, i.e. "ad.'legitimate domain'.com" which point to servers they control. Disguising themselves into a legitimate entity boosts their reputation in the ad network and enables them to trick advertisement companies to distribute their malicious advertisements.
Purchase or register expired domains previously owned by legitimate advertising companies in order to use their reputation as well as their established clients and affiliates for their malicious purposes.
Malvertising is a multi-faceted issue and there is often a debate over liability and accountability amongst the website owners, the advertisement companies and end-users. In a nutshell malvertising should be countered in different layers.
For advertising companies
The security firm Invincea reported a case study on successfully defeating malvertising presenting an advertisement company's (engage:BDR) approach. The implementation of multi-layer policies has resulted in zero instances of malvertising abuse and can be used as a reference point by other advertising companies as well:
- Malware scanning. Online advertisements are thoroughly scanned before they are authorised to be published and constantly scanned afterwards as well. The use of several malware scanning technologies from different service providers allows the advertisement company to be effective under various circumstances. In addition, the company developed a technology that loads the online advertisements to check against auto-redirects to malicious domains and on-click actions to verify whether any malware is downloaded. If any abuse is reported the fraudulent account is terminated.
- Privatization of the Real Time Bidding Platform. The company's Real Time Bidding Platform is only accessible via invites. The potential advertiser is scrupulously vetted. A compliance officer performs a thorough background check on the advertiser and its representatives in an attempt to identify any inconsistencies. Finally the applicant must commit on a minimum monthly amount of $5000 spend as a measure to discourage potential miscreants from misconduct.
- Member of the Interactive Advertising Bureau's (IAB) Anti Malware Working invite-only Group. This group's goal is to share information amongst its members and develop standards and best practices in the fight against malware distribution.
Besides IAB's Anti Malware Working Group the Trustworthy Accountability Group (TAG), a cross-industry accountability program focuses amongst other in eliminating fraudulent digital advertising traffic and combating malware. TAG has proposed certain anti-fraud principles for advertising networks and publishers on how to identify and mitigate fraudulent traffic.
Users should keep their system and software updated and avoid software that is known to be vulnerable and widely targeted by exploit kits. Most browsers can be configured to refrain from running Flash and Java applets automatically, but only after confirmation by the user. This prevents automatic exploitation of Java and Flash vulnerabilities. Although anti-virus and anti-malware software is not always able to prevent an exploit kit from infecting a system with malware, anti-exploit software that blocks attempts of exploitation from known exploits is also an effective measure.
Users are also advised to use an "ad blocker" in an attempt to mitigate malvertising. Ad blocking software is controversial: its use cuts websites from what is sometimes their only revenue source, but it is also legal to use, as recently ruled by a German regional court in Munich. Certain online publishers often encourage or even force users not to use an "ad blocker" to be able to access their content. ENISA would rather encourage ad brokers and publishers to adopt a more accountable stance against malvertising than forcing users in not using ad blocking software. Furthermore, when using ad blocking software users are advised to whitelist advertisement companies and publishers that promote a reliable stance against malvertising as a gesture of reward and recognition of their efforts against malware distribution. Whitelisting "ethical" ad brokers might motivate more companies in promoting and adopting accountability, malware traceability and transparency.
For website owners
Website owners are responsible for the entirety of the material they host and display in their websites, even if they do not control all of it. Website owners must establish a vetting and evaluation process before selecting the advertisement companies to partner with and make sure these companies have proper mechanisms in place against malvertising.
Once a trusted ad network is selected, website owners can employ Content Security Policy (CSP). CSP is a header delivered via an HTTP response that instructs the web browser of the approved sources it can load content from. CSP can be used to define a white-list of approved and trusted advertising companies as sources for iframe content. CSP is just an extra layer of protection whilst its original purpose is to confront XSS attacks.
"Domain shadowing" is one of the ways attackers abuse subdomains for malvertising purposes. Website owners should have proper monitoring mechanisms to ensure that no new non-authorised subdomains are created without their knowledge. They also need to have proper processes in place to renew domain names on time and avoid their take-over by third parties.
Finally website owners should not use Domain-Validation (DV) but use Extended-Validation (EV) certificates instead. When Certificate Authorities issue DV certificates they only verify that a domain is controlled by the domain owner, they do not verify the domain owner's identity. Consequently if an attacker manages to create a subdomain under a legitimate domain using DV certificates they might gain seemingly legitimate identity without the domain owner being aware of it. On the contrary EV certificates incorporate extensive identity validation measures to verify the legitimacy, authenticity and ownership of a domain and its subdomains. Thus, when a website owner uses an EV certificate they take one more whilst indirect measure against malvertising.
Malvertising is lurking on more and more popular corners of the Internet and affects thousands of innocent users. The latest spike in malvertising is depicted on the various incidents available in the "Annex". There is a big opportunity for ad brokers to limit losses due to end-users installing ad blockers, by improving their stance on ad security. Due to its distributed nature though, malvertising should be confronted collectively by all the different actors that are affected.
Annex: articles about the recent outburst of malvertising
- Let's Encrypt Now Being Abused By Malvertisers
- Angler Takes Malvertising to New Heights
- Massive Malvertising Campaign in US Leads to Angler Exploit Kit/BEDEP
- Large Angler Malvertising Campaign Hits Top Publishers
- Crypto-ransomware Spreads via Poisoned Ads on Major Websites
- PC maker pushes out malicious Angler exploit kit
- Certified Ethical Hacker website caught spreading crypto ransomware
- Malvertising hits eBay subsidiary
- Social Sites 'Likes' And 'LiveJournal' Hit With Malvertising
- Malvertising Attack Hits Top Australian Classified Site
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the "Info Notes" series (firstname.lastname@example.org).