Malvertising is a means of slipping malware into online ads. Credit: Gunnar Assmy/chanpipat/Shutterstock
For most computer users, ads on a Web page are little more than minor distractions, and become frustrating only if they get in the way of the articles or videos you're viewing.
Yet online ads can be much more than mere nuisances. Online criminals spread computer viruses and other malware via advertisements, and such "malvertising" can infect your Web browser and computer.
"Right now, the attackers have an upper hand, simply because of the scale of the issue, which is what worries me the most," warned Rahul Kashyap, chief security officer at security company Bromium. "If the attackers start to increase the [malvertising] attacks ... it can go out of hand very quickly."
What is malvertising?
Usually, you only need to worry about malware from disreputable websites, or from websites that have had page code altered by hackers. But malvertising doesn't require complicit administrators or breaking into servers. Rather, it exploits the chaotic nature of the online advertising industry to place malicious ads on any website — even the most trustworthy ones.
Ads have been used to spread malware for years, but only recently have criminals started adopting the method en masse. In 2013, 12.4 billion malicious ad impressions occurred — a 225 percent increase from 2012, according to the Online Trust Alliance (OTA), a Bellevue, Washington-based nonprofit that develops guidelines for online businesses.
This September, the so-called "Kyle and Stan" malvertising campaign placed ads on Google, Yahoo, YouTube and Grooveshark, as well as on 70 other websites. Later that month, another malvertising campaign used Google's own DoubleClick ad service to infect visitors to Last.fm and the Jerusalem Post.
"This is an attack happening at Internet scale," Kashyap said.
The websites on which the malicious ads appear are not themselves infected or altered. The malware comes in ads pushed from distant servers over which the targeted websites have no control, making it very hard for affected sites to protect their visitors.
How does malvertising infect users?
Malvertising infection usually happens in one of two ways, Kashyap said. In the first scenario, you have to click on the ads, which may be pop-ups or alerts warning that you're already infected and need to "save" your computer with the advertised software. Such "social engineering" tactics manipulate users into installing malware themselves — often a more effective method than trying to force installations through technological brilliance.
The second infection scenario, used by a growing number of malvertising campaigns, doesn't require users to click on ads. Instead, it involves what security experts call a drive-by download." In this scenario, the victim becomes infected simply by loading the Web page. The malicious ads contain links, embedded in lines of code called iframes, that make browsers silently fetch software from malicious Web pages. Most users won't realize it's happening.
"All of this happens in the background, in iframes," Kashyap said. “That's what makes it scary — because it's hidden behind the scenes."
In either scenario, the malicious link often leads to a browser exploit kit, an arsenal of malware that contains exploits for known flaws in common browser plugins such as Adobe Flash Player, Java or Microsoft Silverlight, as well as in the major browsers themselves. The exploit kit quickly determines the operating system and browser involved, systematically tries each possible exploit until it finds one that works, then installs "beachhead" malware that opens the door to yet more malware — and the process that began with the malicious ad is complete.
Just about any type of malware can be delivered via a browser exploit kit, from banking Trojans to ransomware to spyware.
"The interesting thing is, many of these [malvertising] exploits are not [using] the really sophisticated malware," Kashyap noted. "They are not like what you would encounter in a targeted attack. This means the sophistication is yet to come."
Why malvertising is so successful
Malvertising is not only extremely effective, but also very easy to do and to get away with. Kashyap said advertising companies often can't tell who is responsible for the malicious ads pushed through their networks.
This lack of attribution is a symptom of the decentralized online-ad marketplace, in which ad space on websites is offered, auctioned and sold in milliseconds by automated trading programs.
When you visit a website, the website sends your personal information (browsing history, previous behavior on that website, etc.) to an ad exchange. Ad networks then bid to put their ads in your Web browser, and the highest bidder wins. All this happens nearly instantaneously, without any direct input from the website's administrators.
Craig Spiezle of the Online Trust Alliance worries that malvertising methods could be used not only for routine criminal activity, but also for state-sponsored espionage and even cyberwarfare.
"This is starting to have a significant impact, not only on consumers and to the trusted websites they visit, but to our nation's critical infrastructure, based on the resiliency and scalability of these attacks," Spiezle told Tom's Guide.
Who's responsible for preventing malvertising?
"It's obvious that whatever defenses are in place are not good enough," Kashyap said. "It's just too easy for [cybercriminals] ... There are no standards for minimum compliance; there's no bar set for advertisers and ad networks."
Kashyap and Spiezle stressed that online-ad distributors need to find ways to prevent malicious ads from propagating across their networks.
"Ad networks in general have been dismissive of the issue," Spiezle said.
However, ad networks are responding. In September, the Interactive Advertising Bureau (IAB), a group of online advertising and marketing companies that claim to deliver 86 percent of online ads in the United States, announced the formation of a working group to address malvertising.
The IAB also released a set of Anti-Fraud Principles, which are basically suggestions that ad networks find ways to identify fraudulent ads, discover their sources and make the entire ad-delivery process as transparent as possible.
In responding to queries from Tom's Guide, the IAB declined to elaborate on any specific practices or detection methods in development. Instead, it pointed us to a June 2014 blog posting announcing an IAB partnership with law-enforcement agencies to investigate ad fraud and malware. The post also called on software makers to keep patching their products, to prevent exploit kits from delivering malware — which, of course, the software makers already do.
The IAB assured Tom's Guide that "the [working] group is meeting regularly and determining what actions and output to pursue in support of that mission statement."
But advertising networks still have a long way to go to assuage concerns.
"Today, [malvertising] is perceived as a low-frequency event, but in reality, it is high-impact," Spiezle said. "Not unlike the auto industry installing air bags, or designing a building to withstand an earthquake, the ad industry must work to protect consumers from harm."
"We [the Online Trust Alliance] are making progress and [are] encouraged by the support of the majority of the largest websites; yet, to date, support is lacking from the largest ad networks and ad exchanges," Spiezle added. "We are aware of [the IAB's working group] and applaud their effort, but to date, they have not been willing to work collectively and have been focused on internal issues versus the harm occurring to end users."
How to protect yourself from malvertising
To prevent malvertising from infecting your computer, you need to deny exploit kits the opportunity to find a flaw. Spiezle urged people to make sure their Web browsers and browser plugins (such as Java or Adobe Flash), as well as operating systems, are up-to-date so that known flaws are fixed.
Another essential and simple step is to install a solid antivirus program, even on a Mac. (Built-in protection, such as Windows Defender, probably won't cut it.) An up-to-date, comprehensive antivirus solution will recognize exploit kits and stop most malware from installing, and can also remove malware that may have slipped past its initial defenses.
Next, set browsers to flag malicious content on a Web page. For example, Google Chrome can detect phishing and malware: In Settings, click Show Advanced Settings, scroll down to the Privacy section and check "Enable phishing and malware protection."
You should also create multiple computer user accounts, with different privileges, on each computer. Give one account administrative rights to install and modify software, and use it only for those purposes. For Web browsing and other online activities, use limited accounts that can't install software; in many cases, exploit kits that attack browsers running in limited accounts won't be able to infect the machines.
"While OTA does not advocate this for general users, in the absence of [ad networks adopting] voluntary practices, users are increasingly opting for this alternative," Spiezle noted of ad blockers. "Already, corporations and government agencies are moving to block all ads from employee devices."
- 13 Security and Privacy Tips for the Truly Paranoid
- Best Mac Antivirus Software 2014
- Best Antivirus Software 2014
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.