Malvertising: An attack that could be easily avoided

As if online advertisements were not enough of a nuisance, a sinister variant is gaining traction.

Fraudulent and malicious advertising – known as malvertising – is among the sneakier threats discussed in the latest set of guidelines released Tuesday by the Online Trust Alliance (OTA), a nonprofit community formed to promote safe internet practices.

Malvertising is a lesser-known attack method that is quickly gaining momentum, and it is exactly what it sounds like: online advertising used to spread malware. Ne'er-do-wells are able to distribute the compromised ads to genuine websites by using fraudulent identities, web hosting accounts and email addresses to trick companies.

What happens next is pretty standard: An unsuspecting user clicks on the advertisement, unknowingly downloads a piece of malware, and consequently begins experiencing any number of problems that might be spurred by the malicious attachment.

“This is a real threat and a real challenge,” Craig Spiezle, OTA executive director and president, told SCMagazine.com on Wednesday. “If that ad gets served, even if it is taken down 24 to 48 hours later, hundreds of thousands have seen it.”

Since attackers use stolen or fraudulent credentials, “it's anonymous and scalable,” Spiezle said of the particularly effective form of attack.

With one piece of malvertising averaging out to a hundred thousand impressions, or views, Spiezle said it is safe to estimate that 10 billion malicious advertisements were seen in 2012, with 42 percent of them coming as drive-by executions without user interaction.

The OTA think-tank analyzed hundreds of malvertising cases and in the end determined that more than 60 percent of instances involving fraudulent ads would have been easily avoidable had the company exercised “operational discipline and a vetting process to make sure the advertiser was legitimate,” Spiezle said.

To mitigate risk, entities that allow advertising are encouraged by the OTA to take a little bit of time to question the situation – asking about ad-serving activities, timing and urgency, corporate and individual identity, and reputation – to get a feel for the promoter.

Other areas explored in the newly issued guidelines include addressing botnets – a typically large network of compromised computers used to carry out illicit tasks – through a coordinated effort involving prevention, detection, notification, remediation and recovery, as well as best practices for web hosting and cloud service providers.

What areas will OTA explore next?

“We need to think about how mobile devices are being compromised,” said Spiezle. “As a result of the surge in mobile usage as a platform, cyber criminals are following the people and the money.”
