Exploit kits are like stealthy cruise missiles full of malware. A user who lands on a page carrying a malicious ad has no idea that their browser is being silently redirected to a bulletproof hosting site that probes the browser and its plugins for known vulnerabilities and infects the endpoint. What's worse, the rise of malvertising, malicious code delivered through ordinary-looking banner ads, means that even legitimate websites and services are now a vector for malware.
Malvertising Takes Advantage of an Unregulated Market
Like the recent wave of malware affecting the IoT, malvertising takes advantage of loopholes in an industry that works like the Wild West. Just as there's no central regulator that forces IoT manufacturers into strong security standards, there's also no industry watchdog that vets every ad that goes onto a particular site.
More to the point, most ad-supported services don't actually choose who gets to put an ad on their platform. Instead, they contract with third-party services that handle ad placement. So when your browser loads a page, that page in turn loads content from several additional URLs chosen by the third party, and those servers deliver the banner ads, the pop-ups and, occasionally, the malware. The publisher never sees the creative that is finally rendered in the visitor's browser.
This tangle of connections makes it difficult for even legitimate sites to track what their ads actually load, and the third-party providers make little effort to do so themselves. In recent years, some of the internet's largest sites have been caught serving malware to users. In 2014, ads on YouTube were discovered serving up Caphaw, a banking Trojan. That same year, the Syrian Electronic Army compromised a third-party content provider used by Reuters, and readers who clicked on legitimate news stories were redirected to propaganda pages hosted by the group.
Notable Recent Incidents of Malware in Ad-Supported Services
Malvertising has become more prevalent, and more dangerous, just like a lot of malware in 2016. Here are a few incidents, all from within the last few weeks, that give cause for concern.
- Malware Shows Up in Spotify Ads
While it may be relatively common for malvertising to show up on ad-supported websites, it's less common to find it inside applications. Spotify became an exception to this rule when a banner ad in its free tier began opening pop-ups in the user's external browser without any click from the user. Those pop-ups, if the user then interacted with them, would have started installing malware on the endpoint.
- Malvertising Sets Sights on the IoT
A new exploit kit uses a WebRTC request to learn the visitor's local network address, zero in on home users, identify the make and model of their router, and then attack it with code hidden inside an image file served as an ad. Unlike Mirai, the attackers aren't using the compromised routers to build a botnet. Rather, they hijack the router's DNS settings so that their own advertisements are injected into the browsing of everyone behind it.
- New Exploit Kit Hides Its Code Inside Ad Images
Sometimes you stumble across malware in the wild that uses frighteningly advanced techniques. The Stegano kit is one such case. Its code is concealed in the image files that make up banner ads, in the alpha channel, the values that determine how transparent each pixel is. To a scanner, and to a human, the image looks like any other ad. The researchers who analysed it described this as an unusual level of obfuscation for an exploit kit: the code evaded detection, checked for virtual machines and security products before running, and only then redirected the victim to the exploit landing page. The payloads it delivered were banking Trojans and other information-stealing malware, so the campaign was aimed at victims' financial credentials.
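To make the alpha-channel trick concrete, here is an added example (not code from the original article, the kit, or its analysts) that hides a small payload in the least significant bit of each pixel's alpha value and recovers it again, using plain (r, g, b, a) tuples in place of a real PNG. It also shows the kind of cheap check a practitioner could run over ad creatives: in a normal banner the alpha channel is flat, so its LSBs are almost all 0 or almost all 1, while a hidden bitstream pushes the proportion toward one half. The bit layout, the block size, the threshold and the sample payload are all assumptions chosen for the demonstration, not the real kit's encoding.

```python
# Added example: alpha-channel LSB steganography plus a simple detector.
# Toy layout (an assumption, not the real kit's scheme): a 32-bit big-endian
# payload length, then the payload bytes, one bit per pixel in the alpha LSB.


def make_banner(width=64, height=16):
    """Construct a fully opaque 'banner': colour gradient, alpha 255 everywhere."""
    return [(x * 4 % 256, y * 16 % 256, 128, 255)
            for y in range(height) for x in range(width)]


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels, payload):
    """Return a copy of pixels with payload hidden in the alpha LSBs."""
    if len(payload) >= 1 << 32:
        raise ValueError("payload too large for a 32-bit length header")
    stream = list(_bits(len(payload).to_bytes(4, "big") + payload))
    if len(stream) > len(pixels):
        raise ValueError("image too small: need %d pixels, have %d"
                         % (len(stream), len(pixels)))
    out = list(pixels)
    for i, bit in enumerate(stream):
        r, g, b, a = out[i]
        out[i] = (r, g, b, (a & 0xFE) | bit)   # only the alpha LSB changes
    return out


def extract(pixels):
    """Recover a payload written by embed(); raises ValueError on a clean image,
    because an all-ones alpha channel decodes to an impossible length."""
    lsbs = [p[3] & 1 for p in pixels]
    if len(lsbs) < 32:
        raise ValueError("image too small to hold a length header")
    length = int("".join(map(str, lsbs[:32])), 2)
    end = 32 + 8 * length
    if end > len(lsbs):
        raise ValueError("declared length exceeds image size")
    body = lsbs[32:end]
    return bytes(int("".join(map(str, body[i:i + 8])), 2)
                 for i in range(0, len(body), 8))


def alpha_lsb_anomaly(pixels, block=64):
    """Detection heuristic. For each block of pixels, measure how far the share
    of set alpha LSBs is from 0.5 and return the smallest distance seen.
    A flat alpha channel gives 0.5 in every block; a hidden bitstream gives
    values near 0. Anti-aliased or gradient alpha can also score low, so
    treat this as a triage signal, not proof."""
    best = 0.5
    for start in range(0, len(pixels), block):
        chunk = pixels[start:start + block]
        ones = sum(p[3] & 1 for p in chunk)
        best = min(best, abs(ones / len(chunk) - 0.5))
    return best


def looks_stegano(pixels, threshold=0.25):
    """Flag an image whose alpha LSBs look like a bitstream in some block."""
    return alpha_lsb_anomaly(pixels) < threshold


if __name__ == "__main__":
    # Constructed sample payload; the hostname is a placeholder.
    payload = b"<script src=//ads.example/e.js></script>"
    clean = make_banner()
    stego = embed(clean, payload)
    print("recovered:", extract(stego))
    print("clean anomaly score:", alpha_lsb_anomaly(clean))
    print("stego anomaly score:", alpha_lsb_anomaly(stego))
```

The point of the detector is not that it catches every hidden script but that the hidden data has to live somewhere in the pixels, and wherever it lives it changes their statistics. Real analysts compare those statistics against the expected distribution for the image type, and the false positives (images with genuinely noisy alpha) are the price of the approach.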
The increasing prevalence and sophistication of malvertising campaigns is extremely concerning. With no strong checks from ad-supported services or from the third-party ad networks themselves, ordinary users have little chance of avoiding exposure, even on websites they're supposed to trust; keeping browsers and plugins patched and blocking third-party ad content reduce the attack surface but do not remove it. In short, this is another example where inattention to security is compromising large swathes of unprotected individuals. For more information on these kinds of malware and how you can defend yourself, check out our white paper on Forensics Analysis: How to Make Sense of the Data.