Recent reports have shown that attackers increasingly utilize malvertising to target online users; now, newly revealed research shows that the malvertising problem is only set to grow.
The report, revealed at last week's Virus Bulletin conference by researchers on security vendor Bromium Inc.'s Bromium Labs team, analyzed the growing role malicious online advertisements are playing in the distribution of traditional exploit kits. In particular, the researchers focused on an incident that occurred in February when Bromium discovered a YouTube webpage spreading malware.
Malicious Flash banners a growing threat
After investigating Google's Safe Browsing URL statistics and confirming that YouTube itself had not been compromised, researchers quickly determined that it was the advertisements on the page that were responsible for infecting visitors. They found redirection code had been inserted into a Flash banner on the YouTube page that appeared to be a legitimate advertisement, but actually led visitors to a malicious URL that served up the Styx exploit kit.
Rahul Kashyap, chief security architect and head of security research for Bromium Labs, said that Flash banners have become an easy target for attackers both because of the need for online advertisements to feature dynamic content, and because the ad networks largely operate under lax security guidelines. That DoubleClick, Google's own ad exchange network, could be compromised shows just how easy it is for attackers to utilize malvertising, Kashyap added.
"Google has more resources than anybody else in the advertising space, so if they cannot control this, everyone else is probably worse off," said Kashyap. "And that's what we found as we researched other ad networks."
Researchers renew focus on malvertising
The Bromium research comes as the security industry as a whole is paying more attention to the widespread malvertising problem.
Recent research from Cisco Systems Inc. showed that attackers have been using malicious advertisements to steer visitors of high-profile websites to pages hosting Fiesta, Angler and other exploit kits, and the company later found the "Kyle and Stan" malvertisement network infrastructure operating on some of the largest Web domains, including Amazon.com and YouTube.com. Malicious ads using iFrame attacks were also found on Yahoo earlier this year, and mobile ad networks have come under fire for behaving in a manner some antimalware vendors consider malicious.
Though the flurry of malvertising efforts indicates attackers are finding success with it, Kashyap said he was most worried about how malicious ads could become more robust as an attack avenue. For instance, Google's DoubleClick allows advertisers to target users based on several factors, including language, browser, operating system and device.
If an attacker were to simply purchase advertising space, Kashyap said, they could utilize those capabilities much like they already do with exploit kits to commit highly targeted attacks against specific user bases. Attackers could choose to show malicious ads only to those running the unsupported Windows XP operating system, he noted, allowing them both to avoid defenses like address space layout randomization that were only added in later versions of Windows and to know exactly which exploits will work on a given victim.
Worse still, Kashyap said that current enterprise security products struggle to detect malvertising attacks until after a system has already been infected. The aforementioned YouTube episode, for example, was only brought to Bromium's attention after customers noticed malware infections that could not be explained.
"That gives attackers a free spot right now," said Kashyap. "I'm really worried that this will turn into a campaign where attackers buy ads targeting specific user groups. It's probably already happening."