How to protect your organization against ad-based JavaScript exploits

Cybercriminals continue to exploit weaknesses in JavaScript to try to steal sensitive data from consumers through advertising, according to DEVCON.

JavaScript has long been a favorite target of cybercriminals who take advantage of security holes in the web-based code to deploy malware against unsuspecting victims. One specific type of attack that exploits JavaScript is malvertising, or ad threats, which uses online ads to spread malware. 

Released Wednesday, DEVCON's 2019 Holiday Threat Report illustrates how criminals are using ad-based attacks and offers advice on what organizations can do to better protect themselves against these types of campaigns.

SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic) 

Ad threat is defined by DEVCON as the weaponization of advertising technology to distribute malware, trojans, and other malicious attacks to consumers and to defraud marketers and publishers.

During the 2019 holiday shopping season between Thanksgiving and Cyber Monday, the level of digital ads with lower-risk malvertising actually fell to .07% from 1.25% in 2018, DEVCON said. However, the number of highly sophisticated attacks using this method increased. More than 60% of malicious ad threat activity from this period came from highly sophisticated attacks like Led Zelpdesk, Lucky Star, Avid Diva, and Invisible Ink.

These more sophisticated attacks use both social engineering and exploited JavaScript in an attempt to steal consumers' credit card information or trick a user into downloading a trojan.

How cybercriminals attach their victims

In this regard, cybercriminals employ a few tactics to attack their victims:

  • Abuse of a service provider's code. Bad actors will create fake accounts with ad networks and use that company's advertising tags to deliver exploits onto websites without having to compromise the target company's servers.
  • Partner exploitation. One type of attack that has been popping up is Magecart, which skims email addresses, passwords, and other sensitive data from online payment forms in an attempt to steal that information. To carry out these attacks, cybercriminals will look at checkout and login pages to locate third-party partners that can easily be compromised. The attackers then implant malicious code into those pages to collect the sensitive data as it's being entered on the form.
  • Exploitation of code vulnerabilities. Targeting companies that use third-party JavaScript or libraries, cybercriminals will try to exploit vulnerabilities in the script itself.
  • Infecting JavaScript with malicious code. Cybercriminals can use JavaScript to hide infected items such as image files, fonts, and advertisements. For example, an image for an ad infected with malware can be hidden using JavaScript code.

"While these less advanced hackers are being shut out of the ad threat game, the more advanced bad actors are not only becoming more stealthy in obfuscating these attacks, they have escalated the types of exploits, broadened the attack surface, and they are not limiting these attacks to the ad tag scripts," DEVCON CEO Maggie Louie said in a press release. "The actual risk is data breach, which can lead to massive fines in the new regulatory environment. Ad threat is a security gap that should not be managed by marketing teams any more than phishing attacks should be managed by the email marketing teams. These security threats need to be managed and monitored by security teams."

SEE: How to build a successful CIO career (free PDF) (TechRepublic)

How to protect your organization 

To protect your organization against ad-based attacks that exploit JavaScript, DEVCON offers the following recommendations:

  • Focus on creating a security culture in your company. The CTO, CISO, and/or CIO should have the necessary resources to maintain site safety and security across all potential threat areas. Code should not be tested or installed without being checked by the security team. Your security teams should also monitor and mitigate all third-party JavaScript risks.
  • Run a security audit. Use an independent security company to fully audit all third-party and fourth-party JavaScript on your site and decide how to monitor that code on an ongoing basis.
  • Perform an annual penetration test. Use an independent security company to perform an annual penetration test to detect any gaps in your security model. If you're moving assets to the cloud, you should also determine if you're operating in a shared-security model with the cloud provider and be aware of your respective responsibilities.
  • Expand your board. Consider appointing a CISO or CIO to sit on the board.
  • Look for security risks. Regularly evaluate security risks and mitigators across all your departments and emerging technologies .
  • Look at your cybersecurity insurance. Review your cybersecurity insurance to make sure you have the right controls and mitigators in place to meet all your requirements.

Also see

malware.jpg