Lately, when digital bad guys reach into their bag of tricks, more often than not they’re looking for tools related to something called malvertising–a portmanteau of malicious advertising. Simply put, online criminals can inject malware-laden ads into legitimate online advertising networks and websites.
One of the more notable examples of malvertising happened back in 2011. My TechRepublic article, Malvertising: Adverts that bite, provides details on how advertising content on the New York Times website became compromised.
What makes malvertising so exciting to those so inclined is its ability to compromise the computers of online users, even those who consider themselves security conscious. “You could be researching business trends on a site like NYTimes.com, and without ever having clicked on an ad, be in trouble,” writes Wendy Zamora, content writer for Malwarebytes Lab. “A tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the right malware for you.”
SEE: Malware Protection Policy (Tech Pro Research)
Malvertising is becoming a bigger problem
In her post, Truth in malvertising: How to beat bad ads, Zamora mentions how bad guys are purposely targeting legitimate, high-traffic websites, adding, “In the ten years it’s been on the scene, malvertising has impacted major websites with traffic in the hundreds of millions (if not billions), including Yahoo!, NY Times, BBC, and AOL.”
Malvertising appears to be an effective bad-guy tool by its increasing popularity. “In 2015, Google disabled more than 780 million bad ads, a nearly 50 percent increase over 2014,” writes Zamora. “According to RiskIQ, in just the first half of 2015 malvertising increased 260 percent compared against all of 2014.”
Why is malvertising still a problem?
After 10 years, one might think third-party advertising content would be scrutinized for this type of malware, but according to Zamora that is not the case. As to why, Zamora offers the following reasons:
- Businesses wanting to advertise online are only required to sign up with a network and bid in real time to have their ads appear on popular websites
- Not all advertising networks have strict criteria for advertisers
- With the ability to buy advertising space automatically, there is little if any vetting
All of which, according to Zamora, creates lax conditions that allow online criminals to sneak their malware into the code of legitimate sites such as the New York Times. So lax that George Slefo writing for Advertising Age reports the FBI, Department of Justice, and Department of Homeland Security are becoming involved, looking for ways to better utilize information provided by the advertising industry’s Trustworthy Accountability Group to defeat malvertising or at least slow it down.
Ways to avoid malvertising
Besides staying off the internet, Zamora offers the following ways to reduce the chance of getting caught by malvertising:
- Tighten up vulnerabilities on your computer: This decades-old mantra still applies. Malware needs a security flaw to gain access to a computer. Zamora adds, “Keep your software patched, update your operating system, run the latest browsers, and remove any software (especially Flash or Java) that you don’t use or need.”
- Install an ad blocker: Ad blockers are a point of contention, as sites like NYTimes.com rely on advertising for revenue. However, ad blockers will prevent dynamic scripts from installing malicious content.
- Enable click-to-play plugins on your web browser: This type of plugin prevents Flash or Java from running automatically, allowing users to make informed decisions on whether to allow either platform to run.
- Employ an anti-exploit program to shield browser, OS, and software vulnerabilities: Malwarebytes does have such a program called Anti-Exploit for Business.