Malvertising Is Here: How to Protect Yourself

Malvertising is a means of slipping malware into online ads. Credit: Gunnar Assmy/chanpipat/Shutterstock

For most computer users, ads on a Web page are little more than minor distractions, and become frustrating only if they get in the way of the articles or videos you're viewing.

Yet online ads can be much more than mere nuisances. Online criminals spread computer viruses and other malware via advertisements, and such "malvertising" can infect your Web browser and computer.


"Right now, the attackers have an upper hand, simply because of the scale of the issue, which is what worries me the most," warned Rahul Kashyap, chief security officer at security company Bromium. "If the attackers start to increase the [malvertising] attacks ... it can go out of hand very quickly."

What is malvertising?

Usually, you only need to worry about malware from disreputable websites, or from websites that have had page code altered by hackers. But malvertising doesn't require complicit administrators or breaking into servers. Rather, it exploits the chaotic nature of the online advertising industry to place malicious ads on any website — even the most trustworthy ones.

Ads have been used to spread malware for years, but only recently have criminals started adopting the method en masse. In 2013, 12.4 billion malicious ad impressions occurred — a 225 percent increase from 2012, according to the Online Trust Alliance (OTA), a Bellevue, Washington-based nonprofit that develops guidelines for online businesses.

This September, the so-called "Kyle and Stan" malvertising campaign placed ads on Google, Yahoo, YouTube and Grooveshark, as well as on 70 other websites. Later that month, another malvertising campaign used Google's own DoubleClick ad service to infect visitors to Last.fm and the Jerusalem Post.

"This is an attack happening at Internet scale," Kashyap said.

The websites on which the malicious ads appear are not themselves infected or altered. The malware comes in ads pushed from distant servers over which the targeted websites have no control, making it very hard for affected sites to protect their visitors.

How does malvertising infect users?

Malvertising infection usually happens in one of two ways, Kashyap said. In the first scenario, you have to click on the ads, which may be pop-ups or alerts warning that you're already infected and need to "save" your computer with the advertised software. Such "social engineering" tactics manipulate users into installing malware themselves — often a more effective method than trying to force installations through technological brilliance.

The second infection scenario, used by a growing number of malvertising campaigns, doesn't require users to click on ads at all. Instead, it involves what security experts call a "drive-by download." In this scenario, the victim becomes infected simply by loading the Web page. The malicious ad contains an iframe (an HTML element that embeds one page inside another), usually sized to a single pixel or hidden with CSS, that makes the browser silently fetch content from an attacker-controlled page. Most users won't realize it's happening.

"All of this happens in the background, in iframes," Kashyap said. "That's what makes it scary — because it's hidden behind the scenes."

In either scenario, the malicious link often leads to a browser exploit kit: a Web-hosted toolkit that bundles exploits for known flaws in common browser plugins such as Adobe Flash Player, Java or Microsoft Silverlight, as well as in the major browsers themselves. The exploit kit's landing page quickly fingerprints the visitor's operating system, browser and plugin versions, serves whichever exploits match that configuration until one works, then installs "beachhead" malware that opens the door to yet more malware — and the process that began with the malicious ad is complete.
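The hidden-iframe mechanism described above lends itself to a simple check. The scanner below is an added example, not code from the article, Bromium or the OTA: it parses a page's HTML for iframes that are both hidden (one-pixel, `display:none`, `visibility:hidden` or the `hidden` attribute) and third-party relative to the page's own domain, which is the combination a drive-by ad typically uses. The sample page and all hostnames in it are constructed for illustration, under the reserved `.test` domain, and the function names are mine.

```javascript
// Added example (not code from the article, Bromium or the OTA): scan a page's
// HTML for iframes that look like drive-by delivery vectors, i.e. frames that
// are hidden AND point at a site other than the page's own. Plain Node.js.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value', name=value, or a bare boolean attribute
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute text into an object keyed by lowercase name.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  return attrs;
}

// Approximate the registrable domain as the last two labels. Good enough for
// .com-style hosts; a production scanner would consult the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

function isTiny(value) {
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n <= 1;
}

// Why a frame counts as hidden; an empty list means it is visible.
function hiddenReasons(attrs) {
  const reasons = [];
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (isTiny(attrs.width) || isTiny(attrs.height)) reasons.push('zero- or one-pixel size');
  if (style.includes('display:none') || style.includes('visibility:hidden')) reasons.push('hidden by CSS');
  if ('hidden' in attrs) reasons.push('hidden attribute');
  return reasons;
}

// Return frames that are both hidden and third-party relative to pageHost.
function findSuspiciousIframes(html, pageHost) {
  const findings = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;
    let src;
    try {
      src = new URL(attrs.src, `https://${pageHost}/`); // resolves relative and //host forms
    } catch {
      continue; // unparsable src: skip rather than abort the scan
    }
    if (baseDomain(src.hostname) === baseDomain(pageHost)) continue; // first-party frame
    const reasons = hiddenReasons(attrs);
    if (reasons.length > 0) findings.push({ src: src.href, reasons });
  }
  return findings;
}

// Constructed sample page (hostnames are made up, under the reserved .test TLD).
const PAGE_HOST = 'news.example-publisher.test';
const SAMPLE_HTML = `
<html><body>
<iframe src="/widgets/nav.html" width="0" height="0"></iframe>
<iframe src="https://ads.example-adnetwork.test/banner?id=1" width="300" height="250"></iframe>
<iframe src="//cdn.evil-landing.test/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<IFRAME SRC='https://other.example-adnetwork.test/pixel' STYLE="display: none;"></IFRAME>
</body></html>`;

console.log(JSON.stringify(findSuspiciousIframes(SAMPLE_HTML, PAGE_HOST), null, 2));
```

On the sample, the first-party tracking frame and the visible banner are ignored and the two hidden third-party frames are reported with the reason each one matched. This is one signal, not a verdict: real campaigns also inject frames from JavaScript at run time and chain through several redirects, so a static HTML scan catches only the ad's initial hop, and a one-pixel third-party frame is also how legitimate conversion pixels work.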

Just about any type of malware can be delivered via a browser exploit kit, from banking Trojans to ransomware to spyware. 

"The interesting thing is, many of these [malvertising] exploits are not [using] the really sophisticated malware," Kashyap noted. "They are not like what you would encounter in a targeted attack. This means the sophistication is yet to come."

Why malvertising is so successful

Malvertising is not only extremely effective, but also very easy to do and to get away with. Kashyap said advertising companies often can't tell who is responsible for the malicious ads pushed through their networks. 

This lack of attribution is a symptom of the decentralized online-ad marketplace, in which ad space on websites is offered, auctioned and sold in milliseconds by automated trading programs.

When you visit a website, the ad code on the page, running in your browser, sends information about you (browsing history, previous behavior on that website, etc.) to an ad exchange. Ad networks then bid to put their ads in your Web browser, and the highest bidder wins. All this happens nearly instantaneously, without any direct input from the website's administrators, who typically never see the winning ad's code before it is served.

Craig Spiezle of the Online Trust Alliance worries that malvertising methods could be used not only for routine criminal activity, but also for state-sponsored espionage and even cyberwarfare.

"This is starting to have a significant impact, not only on consumers and to the trusted websites they visit, but to our nation's critical infrastructure, based on the resiliency and scalability of these attacks," Spiezle told Tom's Guide.

Who's responsible for preventing malvertising?

"It's obvious that whatever defenses are in place are not good enough," Kashyap said. "It's just too easy for [cybercriminals] ... There are no standards for minimum compliance; there's no bar set for advertisers and ad networks."

Kashyap and Spiezle stressed that online-ad distributors need to find ways to prevent malicious ads from propagating across their networks.

"Ad networks in general have been dismissive of the issue," Spiezle said.

However, ad networks are responding. In September, the Interactive Advertising Bureau (IAB), a group of online advertising and marketing companies that claim to deliver 86 percent of online ads in the United States, announced the formation of a working group to address malvertising.

The IAB also released a set of Anti-Fraud Principles, which are basically suggestions that ad networks find ways to identify fraudulent ads, discover their sources and make the entire ad-delivery process as transparent as possible.

In responding to queries from Tom's Guide, the IAB declined to elaborate on any specific practices or detection methods in development. Instead, it pointed us to a June 2014 blog posting announcing an IAB partnership with law-enforcement agencies to investigate ad fraud and malware. The post also called on software makers to keep patching their products, to prevent exploit kits from delivering malware — which, of course, the software makers already do.

The IAB assured Tom's Guide that "the [working] group is meeting regularly and determining what actions and output to pursue in support of that mission statement."

But advertising networks still have a long way to go to assuage concerns.

"Today, [malvertising] is perceived as a low-frequency event, but in reality, it is high-impact," Spiezle said. "Not unlike the auto industry installing air bags, or designing a building to withstand an earthquake, the ad industry must work to protect consumers from harm."

"We [the Online Trust Alliance] are making progress and [are] encouraged by the support of the majority of the largest websites; yet, to date, support is lacking from the largest ad networks and ad exchanges," Spiezle added. "We are aware of [the IAB's working group] and applaud their effort, but to date, they have not been willing to work collectively and have been focused on internal issues versus the harm occurring to end users."

How to protect yourself from malvertising

To prevent malvertising from infecting your computer, you need to deny exploit kits the opportunity to find a flaw. Spiezle urged people to make sure their Web browsers and browser plugins (such as Java or Adobe Flash), as well as operating systems, are up-to-date so that known flaws are fixed.

Patches don't always come as quickly as you need them, and no software can ever be completely exploit-proof. But you can shrink the attack surface by enabling "click-to-play" in your browser, so that Flash and other plugin content doesn't run until you click on it, and by disabling the Java browser plugin in all or most browsers. (Java and JavaScript are unrelated despite the similar names; most websites need JavaScript to function, so leave it enabled unless you use a script blocker.)

Another essential and simple step is to install a solid antivirus program, even on a Mac. (Built-in protection, such as Windows Defender, probably won't cut it.) An up-to-date, comprehensive antivirus solution will recognize exploit kits and stop most malware from installing, and can also remove malware that may have slipped past its initial defenses.


Next, set browsers to flag malicious content on a Web page. For example, Google Chrome can detect phishing and malware: In Settings, click Show Advanced Settings, scroll down to the Privacy section and check "Enable phishing and malware protection."

You should also create multiple user accounts, with different privileges, on each computer. Give one account administrative rights to install and modify software, and use it only for those purposes. For Web browsing and other online activities, use limited (standard) accounts that can't install software. Malware dropped by an exploit kit inherits the privileges of the account the browser runs under, so in a limited account it usually can't modify system files or install itself system-wide, though it can still read and alter that user's own files.

The most proactive defense against malvertising is to use an ad-blocking browser extension, which stops the ad code from loading at all. Alternatively, an extension such as NoScript for Firefox lets you choose which Web domains may run JavaScript and plugins in your browser. However, ad and script blockers also block legitimate ads and prevent the websites you visit from earning revenue.

"While OTA does not advocate this for general users, in the absence of [ad networks adopting] voluntary practices, users are increasingly opting for this alternative," Spiezle noted of ad blockers. "Already, corporations and government agencies are moving to block all ads from employee devices."

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

3 comments
Comment from the forums
  • Skylyne
    This is nothing new, and it is far from "the next digital threat." This has been around for years, and it will only go away when advertisers either go out of business, or every computer user blocks all ads (which won't happen).

    The next digital threat is more likely going to be along the lines of RF snooping on wired keyboards, or "keyloggers" for people who use touch screen/on-screen keyboards. Even more frightening would be a next-gen computer infection that bypasses any/all security software, disables your security software, and then forces the user to play Lose/Lose, or an updated version of the Casino virus game. If that existed, then THAT is something people should worry about.

    Malvertising is nothing new, and has been relatively easy to bypass/avoid for quite some time.
  • aldaia
    Best protection is not using windows to navigate. Use virtual machines with Linux. Linux is much more secure (mostly because almost all virus/malware target windows), and even in the remote case that your system gets infected, the infection affects only your virtual machine. If you are truly paranoid you can have several virtual machines: one for sensitive sites like banks and important accounts, another for regular navigation and a 3rd one for navigating suspicious sites. Then you can keep your windows machine clean and safe for its real purpose: GAMING :D
  • Skylyne
    Anonymous said:
    Best protection is not using windows to navigate. Use virtual machines with Linux. Linux is much more secure (mostly because almost all virus/malware target windows), and even in the remote case that your system gets infected, the infection affects only your virtual machine. If you are truly paranoid you can have several virtual machines: one for sensitive sites like banks and important accounts, another for regular navigation and a 3rd one for navigating suspicious sites. Then you can keep your windows machine clean and safe for its real purpose: GAMING :D

    Actually, this is horrible advice. Not only does running dual virtual machines slow down performance immensely, but it also gives you no genuine security benefits over running your computer from the standard OS environment. Yes, this would protect your original OS from virus infections spreading to your most sensitive documents, but you are forgetting the most important part: there are many devices that can easily be compromised, and could then help the infection to spread from the virtual environment to your OS. This is something that is relatively easy to exploit, as USB devices are growing in popularity. The only real way to prevent an infection from spreading from your virtual machine to your daily OS is to take a large number of steps... and it would be pointless to list it out, because that alone would take an hour to type out.

    And you're partially right. Linux is more secure than Windows, but only to a certain extent; it's just like running Mac OS on your machine; it's the way the OS is written that helps prevent automatic spreading of an infection. On the flip side, there are methods that can bypass this kind of security measure, and there are also people who enter their password whenever prompted, with no thought as to why (malicious programmers take advantage of this). The security benefits are relatively minor, when properly compared in a real world setting, and only the truly paranoid will ever be able to reap all the juicy security benefits from Linux.

    If you wanted to be correct, the absolute most secure method of running a clean OS is to run a live OS (Linux is great for this). By running a live OS (ideally a CD), you do not risk infecting your OS for any longer than your computer is turned on. Also, the only way an infection could spread is to be designed to spread itself through the user's documents, and not the OS files (which is not a method that is widely used, and is used for more specific infection purposes). The only real problem with running a live OS is the fact that you have to burn a brand new copy every single time a new update is released; if you don't, then you're likely open to new security threats. Is it worth it? That is all speculation.