
Malvertising


What is malvertising

Malvertising is an attack in which perpetrators inject malicious code into legitimate online advertising networks. The code typically redirects users to malicious websites.

The attack allows perpetrators to reach users on highly reputable websites. The New York Times Online, The London Stock Exchange, Spotify and The Atlantic have all served malvertising through their ad slots.

The online advertising ecosystem is a complex network that involves publisher sites, ad exchanges, ad servers, retargeting networks and content delivery networks (CDNs). Multiple redirections between different servers occur both while an ad is being served and after a user clicks on it. Attackers exploit this complexity to place malicious content at points in the chain that publishers and ad networks would least expect, and that neither party fully controls.

Malvertising vs. Ad malware

Malvertising is often confused with ad malware, or adware, another form of malware that involves online advertisements.

Adware is a program running on a user’s computer. It’s usually packaged with other, legitimate software, or is installed without the user’s knowledge. Adware displays unwanted advertising, redirects search requests to advertising websites, and mines data about the user to help target or serve advertisements.

Differences between malvertising and ad malware include:

  • Malvertising is delivered through the advertising supply chain: the malicious code is served into a publisher's web page and reaches every visitor who loads the affected ad. Adware is a program installed on an individual user's computer.
  • Malvertising only affects users while they view (or click) an infected page. Adware, once installed, runs continuously on the user's computer, whatever sites they visit.

How malvertisements affect web users

Malvertising might perform the following attacks on users who merely view the malvertisement, without clicking it:

  • A "drive-by download" — installation of malware or adware on the computer of a user viewing the ad. This type of attack usually depends on an unpatched vulnerability in the browser or one of its plugins.
  • Forced redirect of the browser to a malicious site, typically by script in the ad frame navigating the top-level page.
  • Displaying unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing JavaScript delivered with the creative.

Malvertising can do the following when users actually click a malicious ad:

  • Execute code that installs malware or adware on the user’s computer
  • Redirect the user to a malicious website, instead of the target suggested by the ad’s content
  • Redirect the user to a malicious website that closely imitates a real site and is operated by the attacker — a phishing attack

How malvertisements affect publishers

The threat to publishers is damaged reputation, loss of traffic and revenue, and legal liability for damage caused to users visiting their sites.

While publishers are aware of the problem, they find it difficult to test for or block malicious ads. Ad networks serve ads from millions of advertisers and select them dynamically through real-time bidding, so the creative shown to a given user is often chosen milliseconds before it renders. That makes it impractical for a publisher to test every ad that is actually shown to users.

Examples: How malware is inserted into ads

Attackers use several delivery mechanisms to insert malicious code into ads:

  • Malware in ad calls — when a website displays a page that contains an ad, the ad exchange delivers the ad to the user through many third parties. If any one of these third-party servers is compromised, the attacker can add malicious code to the ad payload.
  • Malware injected post-click — when the user clicks on an ad, they are typically redirected through several URLs before reaching the ad's landing page. If an attacker compromises any hop along this delivery path, they can serve malicious code there.
  • Malware in ad creative — malware can be embedded in a text or banner ad. For example, an HTML5 ad is delivered as a combination of images and JavaScript, and that JavaScript may contain malicious code. Ad networks that delivered ads in Flash (.swf) format were especially vulnerable.
  • Malware within a pixel — pixels are code embedded in an ad call or landing page that send data to a server for tracking purposes. A legitimate pixel only sends data. If the pixel is loaded as a script or iframe rather than a plain image, an attacker who controls the server it calls, or any hop on its delivery path, can return active content to the user's browser.
  • Malware within video — a video ad player executes whatever the ad response tells it to. The VAST standard, for example, carries impression and tracking pixels from third parties and can reference VPAID creatives, which are JavaScript that the player runs; either can be replaced along the delivery path. Videos can also infect users by displaying a malicious URL at the end of the video.
  • Malware within Flash video — videos based on Flash could inject an iframe into the page that downloads malware, without the user clicking on the video. Flash files could also load a pre-roll banner (a static image shown while the file loads), into which attackers injected malicious code that ran without any click. Adobe ended Flash Player support at the end of 2020 and current browsers no longer run it, so this path is historical; the HTML5 and video paths above are the live risk.
  • Malware on a landing page — even on legitimate landing pages served by reputable websites, there may be clickable elements that execute malicious code. This type of malware is particularly dangerous because users click an ad, land on a real, legitimate landing page, and are then infected by a malicious on-page element.
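The pixel and video items above describe URLs and executable creatives that ride inside an ad response; the following is an added example, not code from the original article and not an Imperva tool, of auditing a VAST video-ad response before it is handed to the player. Every URL the player would request (impression and tracking pixels, clickthrough, media files) is checked for HTTPS and against an allowlist of known ad-tech hosts, and any MediaFile that is VPAID (JavaScript executed by the player) is flagged. The hostnames and both VAST documents are constructed for the example; the regexes assume well-formed VAST, and a production auditor should use a real XML parser.

```javascript
// Added example (not from the original article): audit a VAST response
// before the video player executes it. Hostnames and sample documents are
// constructed; the allowlist below stands in for a publisher's vetted vendors.

const ALLOWED_HOSTS = new Set([
  'ads.example-exchange.net',   // assumed ad server host
  'cdn.example-exchange.net',   // assumed creative CDN
  'track.example-measure.com',  // assumed measurement vendor
]);

// VAST elements whose (usually CDATA) text is a URL the player will request.
const URL_TAGS = ['Impression', 'Error', 'Tracking', 'ClickThrough', 'ClickTracking', 'MediaFile'];

function unwrapCdata(text) {
  return text.trim().replace(/^<!\[CDATA\[/, '').replace(/\]\]>$/, '').trim();
}

// Return [{tag, attrs, url}] for every occurrence of the listed tags.
function extractUrls(xml, tags) {
  const out = [];
  for (const tag of tags) {
    const re = new RegExp(`<${tag}\\b([^>]*)>([\\s\\S]*?)</${tag}>`, 'g');
    let m;
    while ((m = re.exec(xml)) !== null) {
      out.push({ tag, attrs: m[1], url: unwrapCdata(m[2]) });
    }
  }
  return out;
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Returns { ok, findings }; ok is true only when nothing was flagged.
function auditVast(xml, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const { tag, attrs, url } of extractUrls(xml, URL_TAGS)) {
    const host = hostOf(url);
    if (host === null || !url.startsWith('https://')) {
      findings.push(`${tag}: non-HTTPS or unparsable URL ${url}`);
      continue;
    }
    if (!allowedHosts.has(host)) {
      findings.push(`${tag}: host not on allowlist: ${host}`);
    }
    // A VPAID MediaFile is JavaScript the player runs, not a video file.
    if (tag === 'MediaFile' &&
        (/apiFramework\s*=\s*"VPAID"/i.test(attrs) ||
         /type\s*=\s*"application\/(x-)?javascript"/i.test(attrs))) {
      findings.push(`MediaFile: executable VPAID creative from ${host}`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a clean response whose every URL is on the allowlist.
const CLEAN_VAST = `<VAST version="3.0"><Ad id="1"><InLine>
  <AdSystem>Example</AdSystem><AdTitle>Clean spot</AdTitle>
  <Impression><![CDATA[https://ads.example-exchange.net/imp?id=1]]></Impression>
  <Creatives><Creative><Linear><Duration>00:00:15</Duration>
    <TrackingEvents><Tracking event="start"><![CDATA[https://track.example-measure.com/e?start]]></Tracking></TrackingEvents>
    <VideoClicks><ClickThrough><![CDATA[https://ads.example-exchange.net/click?id=1]]></ClickThrough></VideoClicks>
    <MediaFiles><MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example-exchange.net/spot.mp4]]></MediaFile></MediaFiles>
  </Linear></Creative></Creatives></InLine></Ad></VAST>`;

// Constructed sample: a tampered response with a plain-HTTP tracking pixel on an
// unknown host, a VPAID script injected beside the video, and a clickthrough
// pointing at an attacker-controlled landing page.
const TAMPERED_VAST = `<VAST version="3.0"><Ad id="2"><InLine>
  <AdSystem>Example</AdSystem><AdTitle>Tampered spot</AdTitle>
  <Impression><![CDATA[https://ads.example-exchange.net/imp?id=2]]></Impression>
  <Creatives><Creative><Linear><Duration>00:00:15</Duration>
    <TrackingEvents><Tracking event="start"><![CDATA[http://pixel.evil-example.test/s.gif]]></Tracking></TrackingEvents>
    <VideoClicks><ClickThrough><![CDATA[https://update-now.evil-example.test/player.exe]]></ClickThrough></VideoClicks>
    <MediaFiles>
      <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example-exchange.net/spot.mp4]]></MediaFile>
      <MediaFile apiFramework="VPAID" type="application/javascript"><![CDATA[https://cdn.example-exchange.net/vpaid.js]]></MediaFile>
    </MediaFiles>
  </Linear></Creative></Creatives></InLine></Ad></VAST>`;

console.log(auditVast(CLEAN_VAST));     // { ok: true, findings: [] }
console.log(auditVast(TAMPERED_VAST));  // { ok: false, findings: [ three entries ] }
```

The VPAID check is the one that matters most for the video case: a progressive MP4 from the wrong host is a bad redirect, but a VPAID MediaFile is arbitrary JavaScript the player will execute with the page's privileges, so many publishers refuse VPAID from any host that is not on their own allowlist.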

Prevention and mitigation of malvertising

Malvertising is an attack which is difficult to detect and mitigate, and requires action by end users and publishers alike.

How can end-users help mitigate malvertising?

  • Antivirus software can block some drive-by downloads and some of the malicious code executed by malvertising, but only after the creative has already run in the browser.
  • Ad blockers offer good protection against malvertising, because they stop the requests that fetch ads in the first place, together with their malicious elements.
  • Avoiding browser plugins such as Flash and Java removes the vulnerabilities most commonly exploited by malvertising. Both are now gone from current browsers; the same principle applies to any plugin or extension that is not needed.
  • Keeping the browser and its plugins up to date prevents many malvertising attacks, in particular the drive-by downloads that run before the user clicks the ad and rely on unpatched vulnerabilities.

How can publishers help mitigate malvertising?

  • Carefully vet ad networks and ask about their ad delivery paths, creative review and security practices.
  • Scan ad creative intended for display to discover malware or unwanted code before it is served.
  • Where possible, enforce a policy of only showing specific file types in an ad frame (JPG, PNG, etc.) without allowing JavaScript or other code, and render third-party creatives in a sandboxed iframe so that they cannot run scripts or navigate the publisher's page.
  • Imperva's Web Application Firewall (WAF) can help protect against some malvertising threats by using signature, behavioral and reputation analysis to block malicious code execution and requests arriving from non-trusted sources along the ad delivery chain.
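The creative-scanning and static-only-slot items above can be implemented as a pre-flight check that runs before a creative is trafficked. The following is an added example, not code from the original article or from any Imperva product: it rejects creatives containing redirect or obfuscation primitives, classifies the rest as static-image-only or script-bearing, and picks the iframe sandbox attribute the slot should be rendered with. The sample creatives and the CDN hostname are constructed. Static regex checks only catch the obvious cases and should be paired with rendering the creative in an instrumented browser.

```javascript
// Added example (not from the original article): pre-flight scan of an HTML5
// ad creative. Hostnames and sample creatives are constructed.

const ALLOWED_CREATIVE_HOSTS = new Set(['cdn.example-exchange.net']); // assumed creative CDN
const IMAGE_EXT = /\.(jpe?g|png|gif|webp)(\?.*)?$/i;

// Anything matching these is grounds for rejecting the creative outright.
const REJECT_PATTERNS = [
  { name: 'inline event handler',  re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL',       re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'meta refresh redirect', re: /<meta\b[^>]*http-equiv\s*=\s*["']?refresh/i },
  { name: 'top-level navigation',  re: /\b(?:top|parent)\s*\.\s*location\b|\bwindow\.open\s*\(/i },
  { name: 'obfuscation primitive', re: /\b(?:eval|atob|unescape|Function)\s*\(|fromCharCode|document\.write/i },
];
// Legitimate in an HTML5 creative, but they mean the slot needs allow-scripts.
const ACTIVE_PATTERNS = [/<script\b/i, /<(?:iframe|object|embed)\b/i];

function hostOf(url) { try { return new URL(url).hostname; } catch { return null; } }

// Every URL the browser would fetch while rendering (src/poster); clickthrough
// hrefs point at advertiser sites and are not held to the CDN allowlist.
function fetchedUrls(html) {
  return [...html.matchAll(/\b(?:src|poster)\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
}

// Tokens deliberately absent: allow-same-origin (frame stays cross-origin and
// cannot read the publisher's cookies or DOM) and allow-top-navigation (frame
// cannot redirect the publisher page). allow-popups* lets a clickthrough open a tab.
const BASE_SANDBOX = 'allow-popups allow-popups-to-escape-sandbox';

// Returns { verdict, findings, sandbox }; verdict is 'reject', 'static' or 'sandboxed'.
function scanCreative(html, allowedHosts = ALLOWED_CREATIVE_HOSTS) {
  const findings = REJECT_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
  for (const url of fetchedUrls(html)) {
    if (url.startsWith('data:')) { findings.push('data: URL resource'); continue; }
    const host = hostOf(url);
    if (host === null) findings.push(`unparsable URL ${url}`);
    else if (!allowedHosts.has(host)) findings.push(`off-allowlist host ${host}`);
  }
  if (findings.length > 0) return { verdict: 'reject', findings, sandbox: null };

  // Static-only policy: nothing but <img>/<a>, and every image is a plain image file.
  const needsScript = ACTIVE_PATTERNS.some(re => re.test(html));
  const tags = [...html.matchAll(/<\/?\s*([a-z0-9]+)/gi)].map(m => m[1].toLowerCase());
  const imgSrcs = [...html.matchAll(/<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)].map(m => m[1]);
  const isStatic = !needsScript && imgSrcs.length > 0 &&
    tags.every(t => t === 'img' || t === 'a') && imgSrcs.every(u => IMAGE_EXT.test(u));
  return isStatic
    ? { verdict: 'static', findings, sandbox: BASE_SANDBOX }
    : { verdict: 'sandboxed', findings, sandbox: `allow-scripts ${BASE_SANDBOX}` };
}

// Constructed samples.
const STATIC_CREATIVE =
  '<a href="https://www.advertiser-example.com/offer" target="_blank">' +
  '<img src="https://cdn.example-exchange.net/banner.png" width="300" height="250" alt="Offer"></a>';

const SCRIPTED_CREATIVE =
  '<div id="ad"></div><script src="https://cdn.example-exchange.net/ad.js"></script>';

const MALICIOUS_CREATIVE =
  '<img src="https://cdn.example-exchange.net/banner.png" width="300" height="250" ' +
  'onload="top.location=\'https://update-now.evil-example.test/player.exe\'">' +
  '<script src="https://static.evil-example.test/t.js"></script>' +
  '<script>eval(atob("dG9wLmxvY2F0aW9u"))</script>';

for (const [name, html] of Object.entries({ STATIC_CREATIVE, SCRIPTED_CREATIVE, MALICIOUS_CREATIVE })) {
  console.log(name, scanCreative(html));
}
// The slot is then rendered as <iframe sandbox="<sandbox value>" src="<creative URL>">.
```

The sandbox value is the part that holds even when the scanner misses something: a creative that slips through with a forced redirect still cannot set `top.location` from a frame that lacks `allow-top-navigation`, and a static creative served without `allow-scripts` cannot execute anything at all.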