Malvertising: Are You Ready for the Newest Wave of Attacks?
Recent findings from Cisco have revealed that attackers have been using malicious advertisements on high-profile websites to steer visitors to pages hosting Fiesta, Angler and other exploit kits, and that the “Kyle and Stan” malvertisement network infrastructure had been found operating on some of the largest Web domains, including those of Amazon and YouTube. Malicious ads using iFrame attacks were also found on Yahoo earlier this year, and mobile ad networks have come under fire for behaving in a manner some antimalware vendors consider malicious.
Industry experts are concerned about the use of malicious ads as an attack venue. Google DoubleClick, for example, allows advertisers to target users based on several factors, including language, browser, operating system and device. All an attacker has to do is buy advertising space, which gives them those same targeting capabilities, much as exploit kits already profile their victims. They could then commit highly targeted attacks against specific user bases, for instance by showing the malicious ads only to those running Windows XP, which is unsupported. Yes, there are still enterprises running this OS!
By targeting this OS, attackers can avoid defenses such as address space layout randomization that were only added in later versions of Windows, and they know exactly which exploits will work on a chosen victim.
Unfortunately, many security “products” only detect an attack, and struggle even to do that, after a system has already been infected.
How has this problem become so widespread? There are several reasons. First, attackers need to trick victims into installing their malware program or visiting a malicious site. The best way to do this is to earn the user’s trust, and fake ads are a great way to get around more traditional perimeter defenses. Getting a legitimate ad approved and then replacing it with a malicious one means the attacker doesn’t need to penetrate firewalls or intrusion detection systems, as the malware has been accepted into the ad stream. What is even worse is that infiltrating a widely used syndicated online ad service means that thousands of sites can be infected AT ONCE.
If you run a website that carries third-party ads, little can be done to protect visitors, as the ads are not under your control.
How can this threat be handled? The only precaution sites can take is to use ad feeds from providers who take security seriously, at a minimum by demonstrating suitable security controls and having processes in place that can immediately cut advertising feeds if a problem arises. Think again if you think only the uninitiated have fallen for this. We are talking about major ad networks such as DoubleClick and MSN that have been tricked into delivering malvertisements. Ad networks MUST do a better job of vetting the content and images they serve for malicious code, detecting any breaches of their terms and conditions, and identifying, blocking and removing malicious ads when they appear.
The top browser makers, though, are now stepping up: the latest versions have some form of reputation-based checking of any URL a user might request, and warn them if content has been flagged as potentially dangerous.
Internet Explorer Version 9, recently released, boasts a new feature called SmartScreen Application Reputation that warns users when it suspects an executable file about to be downloaded is dangerous.
But it is really “catch-up football”, as there are more than 25 million variants of malware and attackers constantly move where they host their malware. Users need to be made AWARE of the threat of malvertisements, possibly with a no-ad-click rule, supplemented by security awareness training and a regular set of security tests AND assessments; having these conducted by a neutral outside security vendor such as THE SATURN PARTNERS can be of great help.
Please contact us today at firstname.lastname@example.org, or visit us at www.saturnpatners.com, to discuss further our state-of-the-art cyber security testing, training or security program design services.
The Saturn Partners… Securing Your World since 2001.