The Rise of “Malvertising”

by Jeff Wiener on August 28, 2015

While I would guess that most of us are annoyed by the unending deluge of online advertising that floods our online experience every day, just imagine how much more annoyed you’d be if simply having that advertising displayed on your screen was enough to infect your computer with a host of malicious software.

To put it another way, if malware was a headache for users and advertisers alike before, it’s a veritable migraine now, as a recent report from Cyphort Labs claims that malware threats imbedded in seemingly innocuous advertising has risen a staggering 325 percent over the last year.

The reasons behind the influx of malicious advertising are not hard to find. First, it’s incredibly easy money for hackers, as infecting advertising offers cybercriminals access to a large number of prospective victims. Second, given the success of so-called “malvertising,” hackers are increasing their efforts towards this vector, knowing that further investment on their part will reap even better results.

Truly it’s disconcerting to read how easy it is for hackers to infiltrate individual advertisements or entire ad networks. As E-Commerce writer John P. Mello writes, “Malvertising campaigns are launched through deceptive advertisers or agencies running ads, or through compromises to the ad supply chain, which includes ad networks, ad exchanges and ad servers…. That results in websites or Web publishers unknowingly incorporating corrupted or malicious advertisements into pages on their sites.”

This means that trustworthy sites, where ads are hosted on a legitimate advertising network, are still quite vulnerable, as hackers are savvy enough to create legitimate advertising, inserting malicious code at a later date, and removing it once the virus has been spread.

Of course consumers are first in the line of victims of this devious crime, as clicking on malvertising—or even in some cases simply going to a site with infected advertising—is enough to infect their computers or mobile devices. That said, advertising and content providers are also victims, in that once consumers realize that they’ve been a victim of a malware attack, they’re less likely to trust those advertisers and less likely to return to the offending site.

In fact, the Association of National Advertisers estimates that advertising fraud of this sort will cost global advertisers more than $6 billion this year alone, a number that will likely continue to rise if the advertising industry doesn’t take steps to control this.

Again, the most insidious thing about malvertising is that it doesn’t just appear in the dark corners of the Internet, but infects the very fabric of our online existence. No one would suspect legitimate sites like CNN or NBC to contain malicious advertising, but if hackers have infiltrated the relevant ad networks, malware can be channelled almost anywhere.

The problem is exacerbated by the operation of ad networks themselves, who often employ real time bidding for advertising spots, meaning advertisers bid to have their ads shown in a particular location at a particular time. If a hacker waits until the last second and wins the bid, the post is practically instantaneous and there’s little the networks themselves can do to vet the ads.

That’s not to say that ad networks are defenceless against malvertising, it’s just going to take either consumer backlash or significant lost revenues to motivate the change. In fact, some networks are already employing increased standards for advertisers, vetting the advertisers before they are allowed to post anything.

In the end, advertising is annoying; too bad it’s become dangerous as well.

Previous post:

Next post: