Malvertising, defined as the use of online advertising to spread malicious software (aka “malware”), is a damaging occurrence in online advertising. A malicious advertisement is one that is able to infect a user’s computer with malware. Malvertising tends to be rare in frequency, but its consequences can be destructive; publishers and infected users alike expend significant time, effort, and resources in removing malware.
Malvertising often takes the form of an ad that looks like a regular ad, but may contain code that infects the user’s computer directly, redirects the browser to a malicious website, or makes computers vulnerable to other malicious software. A user may either see advertising that is offensive in nature, of adult content, contains content atypical of the publisher, or the user may be duped into downloading malicious software. A common malvertising trick is an ad that launches a fake virus scan that indicates that your computer is infected and encourages the user to download and/or purchase a tool to remove the infection. That download is itself malicious, and further launches other infections and viruses. For instance, in 2009, a malicious banner ad on the New York Times attempted to social-engineer site visitors into installing a fake antivirus tool that then tried to get users to pay money to fix problems it claimed to have found.
Other malicious ads are more subtle; they look like regular ads, but they act stealthily in the background of a machine and can only be detected by running legitimate virus and/or malware scanners or other special software. The malicious advertisement may infiltrate a user’s computer and try to obtain private data from it, or it may use the compromised computer to send out spam messages or participate in other illicit online activities
A very common way for a site visitor to see malvertising occurs when a user with an already infected machine visits a website. The infected machine may then hijack legitimate ads on the website and cause the user to view ads that were not directly or indirectly sourced from the site/publisher. In those instances, the infection is a local one associated with the user’s local machine, and can primarily be removed by the user running an antivirus or antimalware scanner to remove the local infection.
Users can try to reduce the likelihood of their local machines being infected by doing one or more of the following: (a) always updating their installed software when prompted to do so (b) using reliable anti-virus software (c) installing a software firewall solution or making sure the default firewall is activated (d) using a safe browser such as Mozilla Firefox or Google Chrome and tightening browser security settings. (e) avoiding the installation of web browser “toolbars” (f) avoiding peer-to-peer file sharing programs and (g) practicing safe browsing techniques such as not clicking on suspicious links and/or attachments sent via email or spread via social networks, and avoiding illegal or unsafe websites (such as those with gambling or adult content) that are more likely to contain malware and lead to a computer being infected.
There are two other ways in which malware could be placed on a publisher’s site:
a) From ads that were directly sold by the publisher. A malicious organization or criminal syndicate may disguise itself as a reputable one and place a media buy directly with a publisher. Typically, these are first-time buys, and are presented as short term campaigns that run a few days at most, and are often placed at the last moment to go live with extremely short notice.
b) From third parties such as advertising networks and exchanges. Many sites use code received from advertising networks, exchanges, or other third parties. On occasion, these sources of third-party revenue may also be themselves compromised by malware or by not completely vetting the source of their ads. With the rise of real-time bidding, the automated buying and selling of online advertising also makes malware more likely to slip through.
Another trick is for malware authors to launch their attacks on Saturdays or Sundays (or holidays), assuming that, during those time periods, ad operations and/or technical teams are away from the office or will take longer to respond to malware attacks. This presumably gives the malware a longer window of time in which to infect more computers.
It is important that publishers take proactive steps to try to prevent their sites from serving as an unintended source of malware and malvertising.
Another preventive method is for the publisher to thoroughly vet all advertisers and agencies with whom they work to ensure that they are reputable and legitimate companies. Occasionally, malware authors pretend to be associated with legitimate and well-known ad agencies. In other instances, malvertisers create fake ad agencies that pretend to represent legitimate clients. As such, publishers must perform background credit and reference checks to not only ensure that a business partner is financially sound, but also to safeguard against malvertising. While relying on reputation-based systems is not solely adequate (due to the dynamic nature of the internet and the ability of criminal organizations to present convincing fake documentation), it is nevertheless a good basis for guarding against malware.
Publishers also need to ensure that any security holes discovered on their sites are quickly plugged, and that their advertising networks, exchanges, and any other third parties are performing their own due diligence with their business partners and also undertaking comprehensive creative QA. Due to the large number of transactions that occur with third parties, there is some loss of control, but all these third-parties should work internally and externally with publishers to prevent malvertising.
There are a few other ways to prevent malvertising. This series of articles from Google’s Anti-Malvertising site outlines detection methods for publishers, ad operations teams, everyone else, as well as common steps to take if malware is suspected on a local machine.
Google also offers a safe browsing diagnostic tool that can be used as a quick malware check on a website. It is not a comprehensive diagnostic, but the tool may be used as a way to quickly check a site for safety.
To use the tool, just append the site in question’s URL to the end of “http://www.google.com/safebrowsing/diagnostic?site=” (quotes not included).
For instance, to test the malware status on NPR, you would enter http://www.google.com/safebrowsing/diagnostic?site=http://www.npr.org . Google then returns four pieces of information about that site:
(a) The current listing status of a site, including whether the site is currently suspicious, and whether it was listed for suspicious activity in the last 90 days
(b) The last time Google analyzed the site, and what then happened. There will also be some details about any suspicious activity that was found, as well as the name of the host where the site is located.
(c) Has the site acted as an intermediary in enabling the distribution of malicious software in the past?
(d) Has the site hosted malicious software in the past?
The rise in the use of mobile devices such as smartphones and tablets also represents another growing source of malware infections. Social networking platforms represent another common mechanism by which malware infections can spread, particularly on popular platforms such as Facebook, Instagram, and Twitter. Malvertising is only one mechanism for inserting malware into local machines and network systems, but its frequency can be reduced. Publishers need to take this threat seriously, educate themselves, and develop policies and procedures to prevent, detect, and remove malvertising whenever possible.