You're one click away from being infected! Malvertisements
Malvertisements, or malvertising, are a malicious variety of online advertisements generally used to spread malware.
However, that definition is somewhat dated as the term has evolved. While it’s
easy to call an ad that redirects to malware a malicious one, it is often hard
to differentiate between fraudulent and legitimate online ads.
The real problem with malvertising isn’t ads; it’s vulnerable software on your system that
could be compromised by just clicking a link to a malicious website. Even if
all ads vanished from the web overnight, the core problem would remain.
Websites are hacked every day, and assuming that your adblocker is going to protect you
gives you a false sense of security. If you are vulnerable, and a ton of people are, even a
single click can infect your system.
For example, there
are any number of legal online ads that any reasonable observer would
characterize as malicious or fraudulent. On the other hand, there are likely
benign ads that are flagged by some advertising networks as malicious or
fraudulent on superficially technical grounds. However, there are also vast
swaths of online ads that are completely and unquestionably malicious.
Compromised computers can be used to create powerful botnets, which can in turn be used to
carry out identity theft, corporate espionage or other illegal activity.
Allow me to begin with the outright malicious advertisements:
The most obvious, easily definable type of malicious advertisement is the kind that,
when clicked, redirects users to websites that will
infect the user with malware or install some other unwanted software,
unless that person is running an antivirus product capable of blocking the
infection. Users running out-of-date operating systems and browsers are
especially vulnerable to this and other forms of malware infection.
You could visit a
newspaper’s website and an advertising script on the website would download an
ad from the ad network. The malicious advertisement would then attempt to
compromise your web browser.
This unwanted or
malicious software can serve any number of functions. If it’s malware, it could
contain a keylogger for stealing login credentials or other sensitive
data, it could pull users into a spam-spewing botnet, it could be
a banking trojan, a rogue antivirus application, ransomware like
CryptoLocker, or virtually any other type of malware that’s been written about
here or elsewhere.
A recent example is the ad network AppNexus, which was accused of posting malvertisements on the
websites of TMZ, Java.com and others. “These websites have not been compromised
themselves, but are the victim of malvertising.” This type of malvertisement is
easy to spot and universally accepted as illegal.
That’s the core bit of malvertising: it takes advantage of flaws in software you’re using to infect
you on “legitimate” websites, eliminating the need to trick you into visiting a
malicious website. But, without malvertising, you could be infected in the same
way after just clicking a link away from that newspaper’s website. Security
flaws are the core problem here.
Now let’s transition into the grey area:
As many have pointed
out, malvertisements don’t necessarily have to contain what is universally
considered malware. They could install tracking cookies without proper
permission to do so, they could install a legitimate piece of software without
your consent, they might clandestinely collect user information or exceed their
stated scope in some other way.
These sorts of
malicious or fraudulent online advertisements are certainly frowned upon. In
many cases, an advertising network could suspend these types of ads or require
that they be changed in order to comply with the appropriate guidelines. Some
ad networks have shady guidelines and will let nearly any type of advertising
fly.
Then there are the legit ads that seem clearly fraudulent:
This is definitely
the hardest category, but nearly everyone will be familiar with what I am
referencing. These promote pills and tricks that can’t possibly be real and
advertise for jobs where you can make tens of thousands of dollars per month
working from home. Some claim “you’ll never believe what [some person] did!”
Others make hyperbolic references to your past being exposed online or new
rules near where you live that will affect you in some way.
Some of these kinds of ads lead to well-meaning businesses, for sure. At the same time, a lot of
these ads straddle the line between fraud and legitimacy. In the end, someone
decides these are appropriate.
Legitimate advertisements: Initially, a criminal may place a series of malware-free
advertisements on a trusted site that runs third-party ads and leave them alone
for several months in order to establish a good reputation. Later on, the
criminal will inject a malicious payload into the ad, infecting as
many computers as possible in a short amount of time before removing the
malicious code or discontinuing the ad. This type of attack is often run
on websites that run third-party ads.
Pop-up ads: A pop-up ad can deliver a malicious payload as soon as the ad appears on the
viewer’s screen. Scareware, which is malicious code disguised as an
anti-virus application, is often delivered through pop-up ads. In some cases,
the malware will execute when the viewer clicks the “X” to close the pop-up
window.
By infiltrating
popular syndicated online ad services, thousands of sites can be infected at
once. Unfortunately, websites that run third-party ads can do little to protect
their visitors because syndicated ads are not under their direct control. In
fact, the company from whom they receive the ads may use ads from other
publishers, so the original source of the advertisements can be several parties
removed.
Malvertisement
infections are becoming so prevalent that many security experts recommend that
users block all pop-up ads and create an application whitelist that will only
allow their computer to run programs that have been positively approved.
How do you protect yourself?
Don’t click on shifty-looking ads, even if they boast pictures of attractive people, issue
seemingly relevant warnings or offer fast money and magic pills. My personal
recommendation is that you only ever click on ads for things that you would
actually want to buy. If someone is offering you something with an
advertisement, then think twice, because advertisements generally attempt to
get you to buy something.
Currently, almost
all malvertising attacks take place against Windows computers. However, users
of other operating systems shouldn’t get too cocky. The recent
malvertising attack against Firefox targeted Firefox on Windows, Linux,
and Mac.
As we’ve seen
with crapware moving over to Apple’s operating system, Macs aren’t immune.
An attack on a specific web browser or a plug-in like Flash or Java
usually works the same way across Windows, Mac, and Linux.