For years, cybercriminals have leveraged malvertising, or malicious advertising, to deliver malware.
Without a doubt, malvertising is the ultimate weapon for criminals to gain access to a wide audience visiting popular websites, and at the same time be able to precisely target potential victims. And they can do all of this without being seen.
Malvertising fits perfectly into the drive-by download landscape because it requires no user interaction. Simply visiting a webpage that displays an ad is enough to trigger the infection chain, which involves the delivery of one or more exploits before the final malware payload. It is completely invisible and automated, with end users being none the wiser that something bad is happening, at least until they notice the infection’s aftermath.
The online advertising industry is ripe for abuse from ill-intentioned actors because of its inherently complex nature and risky practices driven by profit. There are so many different loopholes an attacker can exploit via social engineering or by cloaking his malicious code that the fates are already sealed before real-time bidding for advertising space has begun.
If recent malvertising incidents are any indication, criminals have been able to serve ads through top networks and agencies without being detected, not just for a few hours or days, but for months. It’s one thing for end users to be oblivious to attacks, but it’s another when ad networks are simply unable to anticipate incidents—let alone detect them.
Threat actors employ various tactics to avoid detection, ranging from the use of SSL to fingerprinting or even steganography. How can one possibly discover an attack when it’s meant to not be seen? This sort of predicament ultimately means that end users need to worry about securing their own devices from malvertising, rather than depend on ad networks for security. The choices they make won’t necessarily make publishers or ad networks happy, but in this current state, something’s got to give.