The alarming increase in legitimate websites infected by malicious advertisements, known as malvertisements, isn’t just another hyped security scare; more than one million websites were infected in the last quarter of 2010, according to data from Dasient Inc.
Although the jump in numbers reported by Palo Alto, Calif.-based Dasient was partly down to an expansion of the sites Dasient monitored, there’s no doubt malvertisements are becoming an increasingly serious problem. Sites belonging to the New York Times, Auto Trader, Vue Cinemas and the London Stock Exchange have all had malicious content injected into their legitimate ad streams, putting even wary users at risk of clicking on an ad that could infect their computer.
There are several reasons why this form of attack is becoming so widespread. First, most attackers need to trick victims into installing their malware program or visiting a malicious site. This is a lot easier to do if they can gain the user’s trust. Infiltrating a well-known and respected website with malicious ads leverages the existing trust between the victim site and its users. Fake ads are also a great way to circumvent more traditional perimeter defenses. Getting a legitimate ad approved and then replacing it with a malicious one means the attacker doesn’t need to penetrate firewalls or intrusion detection systems as the malware has been accepted into the ad stream. By infiltrating a widely used syndicated online ad service, thousands of sites can be infected at once.
Websites that run third-party ads can do little to protect their visitors as the ads are not under their control. Even the company from whom they receive the ads may use syndicated ads from other publishers, so control over the source of the ads can be several parties removed. The only precaution sites can take is to use ad feeds from providers who take security seriously, at a minimum by demonstrating suitable security controls, and have processes in place that can immediately cut advertising feeds if a problem arises. Even major ad networks such as DoubleClick and MSN have been tricked into delivering malvertisements. The ad networks must do a better job vetting the content and images they serve for malicious code, detecting any breaches in their terms and conditions, and identifying, blocking and removing malicious ads when they appear.
Thankfully, the top browser makers are starting to tackle the problem of advertisement malware; the latest versions all having some form of reputation-based checking of any URL a user requests and warning them if its content has been flagged as potentially dangerous. The recently released Internet Explorer version 9 boasts a new feature called SmartScreen Application Reputation that warns users when it suspects an executable file about to be downloaded is dangerous.
However, with more than 25 million variants of malware and attackers constantly relocating where they host their malware, it’s always going to be a game of catch-up. Therefore enterprises need to make their users aware of the threat of malvertisements and possibly introduce a no-ad-click rule, supplemented with security awareness training and enforced with strict disciplinary actions. After all, it’s unlikely employees would find the need to click on ads if they are using the Web for business purposes in the first place.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.