Released Wednesday, DEVCON’s 2019 Holiday Threat Report illustrates how criminals are using ad-based attacks and offers advice on what organizations can do to better protect themselves against these types of campaigns.
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
Ad threat is defined by DEVCON as the weaponization of advertising technology to distribute malware, trojans, and other malicious attacks to consumers and to defraud marketers and publishers.
During the 2019 holiday shopping season between Thanksgiving and Cyber Monday, the level of digital ads with lower-risk malvertising actually fell to .07% from 1.25% in 2018, DEVCON said. However, the number of highly sophisticated attacks using this method increased. More than 60% of malicious ad threat activity from this period came from highly sophisticated attacks like Led Zelpdesk, Lucky Star, Avid Diva, and Invisible Ink.
How cybercriminals attach their victims
In this regard, cybercriminals employ a few tactics to attack their victims:
- Abuse of a service provider’s code. Bad actors will create fake accounts with ad networks and use that company’s advertising tags to deliver exploits onto websites without having to compromise the target company’s servers.
- Partner exploitation. One type of attack that has been popping up is Magecart, which skims email addresses, passwords, and other sensitive data from online payment forms in an attempt to steal that information. To carry out these attacks, cybercriminals will look at checkout and login pages to locate third-party partners that can easily be compromised. The attackers then implant malicious code into those pages to collect the sensitive data as it’s being entered on the form.
“While these less advanced hackers are being shut out of the ad threat game, the more advanced bad actors are not only becoming more stealthy in obfuscating these attacks, they have escalated the types of exploits, broadened the attack surface, and they are not limiting these attacks to the ad tag scripts,” DEVCON CEO Maggie Louie said in a press release. “The actual risk is data breach, which can lead to massive fines in the new regulatory environment. Ad threat is a security gap that should not be managed by marketing teams any more than phishing attacks should be managed by the email marketing teams. These security threats need to be managed and monitored by security teams.”
SEE: How to build a successful CIO career (free PDF) (TechRepublic)
How to protect your organization
- Perform an annual penetration test. Use an independent security company to perform an annual penetration test to detect any gaps in your security model. If you’re moving assets to the cloud, you should also determine if you’re operating in a shared-security model with the cloud provider and be aware of your respective responsibilities.
- Expand your board. Consider appointing a CISO or CIO to sit on the board.
- Look for security risks. Regularly evaluate security risks and mitigators across all your departments and emerging technologies.
- Look at your cybersecurity insurance. Review your cybersecurity insurance to make sure you have the right controls and mitigators in place to meet all your requirements.