When surfing the Web, there are few instances more annoying than unprovoked ads. The sad reality of the Internet – and really the world at large – is that nothing's free and as such, advertising is what's keeping a vast majority of the online experience away from paywalls. That being said, ads posted on some popular websites are doing more than annoying people.
Many prominent sites are becoming unwilling distributors of malware through a system called malvertising. This is where a seemingly innocent website is used as a base for pop-up ads that install malware on the viewer's computer. This type of campaign is ruining the trust reputable websites have built up over the years, and needs more attention as many users don't even know malvertising exists.
Forbes article most recent example
Trend Micro has most recently seen a malvertising campaign in the "30 Under 30" article posted on Forbes's website. This case was extremely interesting, not just due to the malicious ads but because of how Forbes treats advertising on it's site.
Forbes makes its online revenue thanks to advertising. However, many people have turned to software that keeps them from seeing these ads. These ad blockers are great for having a streamlined online experience, but they cut into the profits of the companies creating the content users view. As such, Forbes decided that ad blockers would no longer be allowed while on its website. Users attempting to view an article must turn off their ad blocker before proceeding to the content.
This was a great idea in terms of making up for lost revenue, but it had unexpected consequences. Cyber criminals decided this was the perfect time to strike and procured ad space for their malware. Unbeknownst to the company, Forbes began to distribute malvertising through its article.
While it's important to note that Forbes had no knowledge that it was spreading malware to its readers, the point here is that malvertising is making the Internet a scary place. Once-reputable sites can now be unknown accomplices to cyber crime and as such, users need to take even more care when operating online.
Not the first time this kind of campaign has been seen
Although this particular case is interesting because Forbes specifically asked its readers to turn off ad blockers – thereby spreading the malware even further – this certainly isn't the first time this has happened, nor was it the first time Trend Micro ran into malvertising. Back in September 2015 Trend Micro became aware of a malvertising campaign that was affecting users in Japan.
Unlike the Forbes attack, however, this spreading of malware was conducted on multiple sites. The campaign was launched from popular Japanese sites, such as a news sites and blogs, therefore reinforcing the belief that this attack was targeted at the Japanese specifically. What's more, this campaign was bolstered by the Angler exploit kit, something that Trend Micro has run into multiple times before.
When it was all said and done, around 500,000 people had been exposed to this particular malvertising campaign. These numbers show that malvertising is a big concern, and yet many people don't know about it. The fact that this malware can be hidden on even the most reputable of sites is a frightening concept and calls into question the safety of the entire world's Internet population.
Malvertising is different than any other malware campaign
While the end goal is the same as other malware campaigns – steal as much money and information by infecting as many computers as possible – malvertising is an incredibly unique form of cyber crime. Aside from the fact that it uses reputable sites to distribute the infection, Wired contributor Rahul Kashyap points out that malvertising also requires hackers to put up some front money before any computer can be affected.
In order to stay undetected, cyber criminals have to make it look like these ads are legitimate. That means they need to pay the original site for ad space, just like any other advertiser. In fact, Trend Micro has found that hackers often steal legitimate ad banners to make their operation look less conspicuous.
This is incredibly different from other hacking campaigns, as it requires a good amount of money before the cyber crime even begins. While this is an interesting study into the mind of a hacker, the main point here is that cyber criminals know that malvertising campaigns work. The thought of getting caught is scary enough, but adding on the fact that they have to put up their own money before the stolen data rolls in shows that malvertising is incredibly profitable. What hacker would go through with such a campaign if there wasn't a big payday in it? This clearly shows that hackers are confident in malvertising's ability to infect machines and the average online user should be aware of this.
Users need protection
Although malware being distributed from just about anywhere on the Internet is a frightening concept, users need not live in constant fear of cyber attack. There are a few things the average person can do in order to protect themselves and their data.
First, users should make sure their Web browser and plugins are completely updated. System updates do more than annoy people, they actually fix security vulnerabilities that hackers have been exploiting. Not updating leaves the users flapping in the wind, unprepared for cyber criminals to infect their machine.
Second, people should try to avoid pop-up ads whenever and however they can. This should include installing an ad blocker to help keep malicious ads at bay. Advertising may be what is keeping many companies afloat, but the reality of the situation is that if these sites can't keep malvertising out, they simply cannot be trusted to receive ad revenue from viewers.
Finally, and most importantly, people should absolutely look to invest in cyber security software. Going online without cyber security software is like driving a car without a seatbelt, and users need to understand the risks of going online without protection.