Malicious advertising, also known as malvertising, is a common and highly-profitable security threat involving the publication of malicious ads through legitimate online publishing platforms. These bad ads contain malicious code that spreads malware or phishing campaigns and often goes unnoticed by platforms and publishers unless the end-user complains.
Malvertising poses a significant threat to the entire online advertising ecosystem. As the problem becomes more prevalent, not only does it hurt the user experience and the reputation of major online publications, but it also encourages users to install ad-blocking software for protection. Ad blockers, for both desktop and mobile, threaten the ad revenue stream of all publishers by decreasing the number of ad impressions served. Between 2014 and 2019, ad blocker user penetration rates in the U.S. increased from 15.7% to 25.8%.1
Attackers have evolved malvertising techniques over the last ten years to avoid new security protocols and technologies within web browsers to protect the end-user. If publishers and platforms on the demand and supply side want to prepare for future threats, it’s critical that they first understand the history of malvertising and how it evolved over the years.
Malvertising Phase 1: Malware and Browser Exploit Kits
Malware is an umbrella term that describes any software that was intentionally designed to be harmful to a computer, server, or network. It’s commonly used as a way to steal, delete, or encrypt information belonging to individuals or governments, or commit ad fraud via botnets.
Cybercriminals delivered malware in advertising through a vehicle called browser exploit kits. First, the user clicked on a seemingly innocent digital ad that loads a malicious landing page. The landing page gathered data on the victim’s computer to determine if vulnerabilities exist that it can exploit to install malware.
An example of a once-notorious exploit kit is Angler. It was used in 2014 and 2015 to spread malware through popular media sites like The Daily Mail, Huffington Post, Yahoo! and Forbes.2 With large media sites like these, malvertising doesn’t last long on the page. However, because of the high volume of traffic, it was very lucrative for hackers in a short amount of time. Cisco estimated that hackers could have generated $60 million in revenue from Angler alone.3
Most of the exploit kit-based attacks targeted users of Internet Explorer, as other browsers like Google’s Chrome and Mozilla’s Firefox had raised the bar in terms of security. Fortunately, web browsers now have built-in security features to prevent most exploit kit-based malware, and Microsoft retired Internet Explorer in favor of its new browser Microsoft Edge. Because of these increased defenses in the browser environment, cybercriminals evolved their strategy in favor of a more appealing attack vector; forced redirects.
Malvertising Phase 2: Forced Redirects
A forced redirect occurs when someone is surfing the web on a computer or mobile device and gets redirected to a different website through no action of their own. Usually, the website they are redirected to is a vehicle for some form of affiliate fraud or malware. Attackers have found ways to exploit a weakness of a browser’s same-origin policy through iframe ads, allowing them control over a user’s top-level navigation.
Forced redirects are especially damaging to publishers because they take viewers away from the page they were on. This can impact ad revenue and severely damage the user experience and reputation of the publisher. And because forced redirects can also occur on mobile devices, a much greater percentage of the population is impacted.
Sandboxing is a set of attributes introduced in HTML5 that can fight against forced redirects by enabling an extra set of restrictions for the content in the iframe. However, not all ad-tech works well in sandbox ad frames, so the industry has been slow to adopt it. This allows attackers to continue to abuse lax security settings, but as sandbox adoption grows, forced redirects will gradually become less impactful. Unfortunately, malvertisers have found browser exploits to bypass sandboxing as well, but companies like Google are leading the charge to stop forced redirects by improving detection capabilities in Google Ad Exchange, Google Chrome, Mobile Ads SDK, and more.4
Recognizing that forced redirects could soon become a thing of the past, attackers have evolved their tactics once again by using social engineering to capture information through native and clickbait ads.
Malvertising Phase 3: Looking Ahead to Native/Clickbait Ads
Native advertising is defined as ads that appear in the same format as the rest of the content on the page. Because they don’t annoy or oversell a product in an obvious way, they make the reader feel like they aren’t being advertised to at all. Clickbait ads, on the other hand, receive high clickthrough rates because they play on emotions with a sensational or shocking image. Attackers have begun using these ad types to drive users to landing pages where they can capture personal data, usually through a cryptocurrency scam.
Because advertising platforms have restrictions on ad creatives to protect readers, attackers employ cloaking techniques to pass ad quality audits. For example, a platform may review an ad for a popular shoe brand. The attacker can then swap it out with an image of a beat-up celebrity that will likely earn a much higher clickthrough rate, sending more users to a malicious landing page.
Earlier this year, Confiant uncovered an attacker called Fizzcore that targeted aspiring cryptocurrency investors, earning an estimated $1 million net profit in one day in only one country. This feat was accomplished through cloaking, well-planned celebrity endorsement clickbait campaigns, and by building relationships with eight ad platforms, four of which are tier-one demand-side platforms. For a much more detailed report on Fizzcore, please read this blog post.
Native and clickbait ads utilizing cryptocurrency schemes are concentrated in Europe at the time of this writing, most likely due to a different set of regulations. In the United States, however, attackers can use these same cloaking techniques to get malicious ads approved by ad platforms and get access to information in other ways.
We can uncover, track, and block this new threat actor thanks to its real-time malvertising detection engine. Publishers that use our platform can find this type of threat in their dashboard and alert log categorized as “Deceptive/Cloaked.”
Preparing for the Future of Malvertising
Except for browser exploit kits, none of the categories of malvertising attacks have completely disappeared. Attackers may shift strategies at any time and find new ways to distribute malware, disrupt the user experience, or gain access to personal information via digital advertising. Because it’s increasingly challenging for malvertisers to fly under the radar, attackers have started relying on more subtle, psychological techniques that are harder for platforms and publishers to proactively guard against.
It’s critical for publishers to have an ad security and ad quality solution like Confiant in place as the first line of defense against evolving threats. We help publishers to safeguard their audience and reputation by automatically identifying and blocking all types of malicious creatives in real-time. This safeguard greatly improves the end-user experience and increases brand loyalty by taking back control with full visibility into every ad served. Now your internal teams can focus on growing incoming revenue streams instead of wasting time fighting revenue disruption.
To gain deeper insights about the current state of malvertising, download Confiant’s latest Demand Quality Report.