A new Cyphort Inc. report, The Rise of Malvertising, claims that malvertising attacks rose 325% in 2014, and the attack campaigns have been found on highly visited sites.
Cyphort, based in Santa Clara, Calif., analyzed 100,000 popular websites and discovered as many as 400 malvertising incidents per month. The rise in malvertising is due to the popularity of the Angler exploit kit (EK) and its use of the many Flash zero-day vulnerabilities that have been disclosed over the past year.
Cyphort didn't estimate the cost of those incidents, but cited a study done by the Association of National Advertisers, which estimated $6.3 billion in losses for advertisers in 2015 due to digital advertising fraud. This estimate did not account for enterprise losses due to malvertising breaches.
Jerome Segura, senior security researcher at Malwarebytes Corp., in San Jose, Calif., said his team found a similar trend over the past year. But, he added, the fall of 2014 was when Flash zero-days really began to make an impact on malvertising campaigns.
"The criminals that are investing in malvertising need to rely on software vulnerabilities," Segura said. "In the fall of 2014, the Flash Player started having severe zero-day security vulnerabilities. The Flash Player is very unique in that it is the most deployed plug-in on consumer machines, but also, most of the ads responsible for malvertising are Flash."
Segura said the Angler EK rose to prominence in the criminal community because of how quickly it added exploits for zero-day vulnerabilities. Now, Angler can add a new zero-day exploit in as little as two days, giving criminals a bigger window of opportunity while enterprises patch their systems. Segura also said Angler is using more advanced techniques to avoid detection.
"If you read between the lines in the Cyphort report, you'll see that a lot of their malvertising telemetry after April of 2015 went dark," Segura said. "This is when Angler started putting new measures in place to look for nongenuine users. If a machine had security products running, Angler wouldn't do anything."
Segura said Angler and other exploit kits now only infect a system once in order to make it more difficult for security researchers and malvertising trackers to replay attacks.
Cyphort said in its report that there needs to be a sustainable ecosystem of security to stop malvertising attacks. This would include regular scans of advertising networks, as well as individuals and enterprises keeping systems patched against new vulnerabilities.
Segura agreed with those suggestions, but noted that there are other measures that can be taken to mitigate the risk. He warned that using an ad blocker may not be the best option because of the negative side effects of hurting online publishers that rely on advertising revenue to provide content that users expect to be free.
He suggested disabling the Flash Player -- if possible -- or at least setting the Flash Player to enable on demand, so users can still reach any enterprise tools that rely on Flash while avoiding malvertising. Segura also suggested using more proactive tools, because patching systems can be a nearly impossible task given the number of zero-days released.
"A lot of companies are not in a position to patch systems in a timely fashion," Segura said, suggesting remediation tools such as Microsoft EMET. "These are proactive in nature and don't require signatures. But [these] are based on software behavior and looking for anomalies in those behaviors, and can proactively block unknown, never-seen-before exploits. That is something that if you add it to your existing security defense of classic antivirus, malware, and add the anti-exploit portion, you should be protected against malvertising."
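The report's call for regular scans of advertising networks, combined with Segura's observation that most malvertising ads are Flash, suggests a simple signature-free triage check an ad network or publisher could run over served creatives: flag anything whose bytes are actually an SWF file, and anything whose bytes disagree with the Content-Type the ad server declared. The following is an added example written for this article, not code from Cyphort, Malwarebytes or any ad network; the sample creatives, ad identifiers and the `Creative`/`Finding` types are all constructed for the illustration.

```python
"""Scan ad creatives for Flash (SWF) content and declared-type mismatches.

Added example, not part of the original article. Every creative below is a
constructed sample; a real scan would feed it the creative bytes and the
Content-Type header captured from the ad server.
"""
from __future__ import annotations

from dataclasses import dataclass

# Real SWF files begin with a 3-byte signature: FWS (uncompressed),
# CWS (zlib-compressed) or ZWS (LZMA-compressed), followed by a version byte.
SWF_SIGNATURES = {b"FWS": "swf-uncompressed", b"CWS": "swf-zlib", b"ZWS": "swf-lzma"}
SWF_MIME = "application/x-shockwave-flash"

# Magic bytes for the image formats an ad creative is usually supposed to be.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}


@dataclass
class Creative:
    ad_id: str            # constructed identifier for the sample
    declared_type: str    # Content-Type the ad server sent
    body: bytes           # first bytes of the creative as served


@dataclass
class Finding:
    ad_id: str
    kind: str             # "flash" or "type-mismatch"
    detail: str


def sniff(body: bytes) -> str:
    """Return the real MIME type implied by the creative's magic bytes."""
    if len(body) >= 4 and body[:3] in SWF_SIGNATURES:
        return SWF_MIME
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    return "unknown"


def scan_creative(creative: Creative) -> list[Finding]:
    """Flag Flash creatives and creatives whose bytes contradict their header."""
    findings: list[Finding] = []
    actual = sniff(creative.body)
    if actual == SWF_MIME:
        flavour = SWF_SIGNATURES[creative.body[:3]]
        findings.append(Finding(creative.ad_id, "flash", f"SWF creative ({flavour})"))
    # Only compare when we positively identified the bytes; "unknown" is not
    # evidence of a mismatch on its own.
    if actual != "unknown" and creative.declared_type.lower() != actual:
        findings.append(Finding(creative.ad_id, "type-mismatch",
                                f"declared {creative.declared_type}, bytes say {actual}"))
    return findings


def scan_network(creatives: list[Creative]) -> dict[str, list[Finding]]:
    """Scan every creative served by an ad network and key findings by ad id."""
    return {c.ad_id: scan_creative(c) for c in creatives}


def summarize(results: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per kind, the figure a monthly malvertising report would track."""
    counts: dict[str, int] = {}
    for findings in results.values():
        for f in findings:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample creatives (not real ad-network data).
SAMPLE_CREATIVES = [
    Creative("ad-001", "image/gif", b"GIF89a" + b"\x00" * 16),                   # clean GIF
    Creative("ad-002", "application/x-shockwave-flash", b"CWS\x0a" + b"\x00" * 8),  # honest Flash ad
    Creative("ad-003", "image/png", b"FWS\x08" + b"\x00" * 8),                   # SWF disguised as PNG
    Creative("ad-004", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),        # clean JPEG
    Creative("ad-005", "text/html", b"<html><body></body></html>"),              # unidentified, no finding
]


if __name__ == "__main__":
    results = scan_network(SAMPLE_CREATIVES)
    for ad_id, findings in results.items():
        for f in findings:
            print(f"{ad_id}: {f.kind}: {f.detail}")
    print("summary:", summarize(results))
```

On the constructed samples the scan reports two Flash creatives (ad-002 and ad-003) and one type mismatch (ad-003, an SWF served under an image Content-Type), which is exactly the kind of creative a click-to-play Flash policy on the client would stop from running automatically. The check deliberately treats unidentified bytes as "unknown" rather than as a mismatch, so an ad network running it daily sees only positive evidence in its report.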