Malvertising problem to worsen as attacks become more sophisticated

Malvertising is already being used by attackers as a delivery mechanism for exploit kits, and new research reveals the problem is likely to get worse, specifically in the form of malicious Flash banners.

Recent reports have shown that attackers increasingly utilize malvertising to target online users; now, newly revealed research shows that the malvertising problem is only set to grow.

The report, revealed at last week's Virus Bulletin conference by researchers from security vendor Bromium Inc.'s Bromium Labs team, analyzed the growing role malicious online advertisements are playing in the distribution of traditional exploit kits. In particular, the researchers focused on an incident that occurred in February when Bromium discovered a YouTube webpage spreading malware.

Malicious Flash banners a growing threat

After investigating Google's Safe Browsing URL statistics and confirming that YouTube itself had not been compromised, researchers quickly determined that it was the advertisements on the page that were responsible for infecting visitors. They found redirection code had been inserted into a Flash banner on the YouTube page that appeared to be a legitimate advertisement, but actually led visitors to a malicious URL that served up the Styx exploit kit.

Rahul Kashyap, chief security architect and head of security research for Bromium Labs, said that Flash banners have become an easy target for attackers both because of the need for online advertisements to feature dynamic content, and because the ad networks largely operate under lax security guidelines. That DoubleClick, Google's own ad exchange network, could be compromised shows just how easy it is for attackers to utilize malvertising, Kashyap added.

"Google has more resources than anybody else in the advertising space, so if they cannot control this, everyone else is probably worse off," said Kashyap. "And that's what we found as we researched other ad networks."

Researchers renew focus on malvertising

The Bromium research comes as the security industry as a whole is paying more attention to the widespread malvertising problem.

Recent research from Cisco Systems Inc. showed that attackers have been using malicious advertisements to steer visitors of high-profile websites to pages hosting Fiesta, Angler and other exploit kits, and the company later found that the "Kyle and Stan" malvertisement network infrastructure had been operating on some of the largest Web domains, including and Malicious ads using iFrame attacks were also found on Yahoo earlier this year, and mobile ad networks have come under fire for behaving in a manner some antimalware vendors consider malicious.

Though the flurry of malvertising efforts indicates attackers are finding success with it, Kashyap said he was most worried about malicious ads becoming more robust as an attack avenue. For instance, Google's DoubleClick allows advertisers to target users based on several factors, including language, browser, operating system and device.

If an attacker were to simply purchase advertising space, Kashyap said, they could utilize those capabilities much like they already do with exploit kits to commit highly targeted attacks against specific user bases. Attackers could choose to show malicious ads only to those running the unsupported Windows XP operating system, he noted, allowing them to both avoid defenses like address space layout randomization that were only added in later versions of Windows and to know exactly which exploits will work on a given victim.

Worse still, Kashyap said that current enterprise security products struggle to detect malvertising attacks until after a system has already been infected. The aforementioned YouTube episode, for example, was only brought to Bromium's attention after customers noticed malware infections that could not be explained.

"That gives attackers a free spot right now," said Kashyap. "I'm really worried that this will turn into a campaign where attackers buy ads targeting specific user groups. It's probably already happening."


Join the conversation



This is worrisome for two reasons. 1 - it seems users are still not educated in the ways of avoiding possible malware, scams and malicious code. 2 - those of us who are aware of how malvertising used to work, are more complacent in our online activities because we believe our systems are protected.

As mentioned here, we're not out of the water yet. The attacks continue and the software that enables these attacks is more sophisticated than ever. I think the real issue here is going to be educating users at all levels. From the IT dungeon to staff and clients. 

Perhaps the mantra should be "don't click...ever". Instead of verify before you click. Horrors!

I avoid all ads. I have been running a program to block ads with some luck. It's still an issue as they are everywhere. Even sites like CNN now have ads in between almost every video. This is making the internet a royal pain. It takes forever to find what you want now. Either you have to sign up to their site even to browse their store or get spammed with ads from Amazon when you make a purchase. Is there any way to tell where the ad really came from? That's why I do not click them. Better safe than sorry.

It can be a challenge for publishers, too - if you sign up for an ad network from Google or elsewhere, you don't always have ultimate control over what ads are served up on your site, and if 'malvertising' gets into the system, your users could see you as the source.