The first time I came across “malvertising”, I thought, “Who would want to advertise malware?” Bad guys, I guess. Then I found out that malvertising (courtesy of Online Trust Alliance):

“Is the practice of injecting malicious or malware-laden advertisements into legitimate online-advertising networks. It can occur through deceptive advertisers or agencies running ads or compromises to the ad supply chain including ad networks, ad exchanges, and ad servers.”

Interesting example

AdShuffle.com is a large marketing-technology company that serviced many of the big ad-providing platforms — MSN and DoubleClick for example — during last year’s Christmas rush. It seems AdShufffle.com was providing both MSN and DoubleClick malicious banner ads.

If victims visiting sites with malicious banner ads happened to have any Windows, Adobe, or JavaScript vulnerabilities, it was all over. No need to click on anything. You became the proud owner of drive-by malware delivered by the Eleonore Exploit Kit.

It seems the bad guys had found another “low-hanging fruit”: Vulnerable websites.

Oops

I wonder if you made the same mistake. Notice anything different in how AdShufffle is spelled? Where did that “third f” come from? Hmm. Well, attackers registered the domain AdShufffle.com and conned the advertising networks into using their malicious banner ads instead of the correct ones from AdShuffle.com. Nice.

And, that’s just one example. In their first quarter 2011 Threats Report (page 14), McAfee estimates over 8000 malicious websites are being created each day.

It can happen to the best of websites

I asked and most people responded, “We’re very careful; we never go to ‘those kind of websites.'”

The bad guys must have taken a similar survey. They now prefer taking over what’s considered “prime Web real-estate”. I don’t think I’d get much argument about the New York Times website being primo digital property:

The New York Times explained further on their website:

“Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software.

We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser.”

Who is responsible?

We as visitors to websites have little recourse, other than practicing safe Internet. The real onus is on everybody who has a part in what’s displayed on the website. The Online Trust Alliance (OTA) offers the following advice in their Anti-Malvertising Guidelines:

“Infrastructure must be hardened and business processes re-examined. Business, infrastructure providers, ISPs, web publishers and the interactive advertising supply chain need to work to help counter this abuse.”

That’s great if the organizations accept responsibility. To that end, the expression “money talks” might be helpful. Deloitte agrees:

“Bottom line. Anything that makes large numbers of Internet users decide that clicking online advertisements could be a bad or dangerous thing threatens the current business model of almost every company that does business online.”

OTA honor roll

Each year, the OTA recognizes public websites, private websites, and government agencies that adopt technologies designed to protect user privacy and identity:

OTA Honor Roll criteria include implementation of email authentication, Extended Validation SSL Certificates (EV SSL), and testing for malware and known site vulnerabilities. In addition, federal government sites were evaluated for their support of DNSSEC.”

Don’t get too excited:

“While the number honored in 2011 represents a promising 3-fold increase from this time last year, 74% of the top websites analyzed did not qualify and remain vulnerable to the increased levels of cybercrime and online fraud.”

More specifically:

“The Honor Roll achievement was as high as 26.7% of the FDIC 100 and 24.6% of the Fortune 500. Only 12% of top federal government sites qualified.”

That’s depressing.

User recourse

Malvertising is not new malware, just a different delivery vehicle. That means the mantra is the same. Keep all software up to date, so on, and so on. You know the drill.

Google has something that might help: Safe Browsing Diagnostic. If your web browser has the API, it will warn you when a website has been reported. I checked out AdShufffle and this is what I got:

The Safe Browsing Diagnostic tries to answer the following:

  • What is the current listing status for the website?
  • What happened when Google visited this site?
  • Has this site acted as an intermediary resulting in further distribution of malware?
  • Has this site hosted malware?

Final thoughts

This is a tough one. If all that’s required is to simply visit a website there is little defense. I wonder if it’s time for what Howard Beale said in the 1976 movie, Network (YouTube): “I’m mad as hell!”