Trends exist everywhere, and cyber criminals follow them too. The one currently in fashion among attackers is 'Malvertising'.
Malvertising means malicious advertising. The concept is simple: online advertisements are used to spread malware. Attackers inject malicious or malware-laden advertisements into legitimate online advertising networks and the web pages that display them. Although this way of spreading malware isn't new, it is extremely effective in a digital world that runs on online marketing through advertisements.
Only a few major players supply ads to thousands of websites. This narrows the target pool for attackers: they only have to get one of those major advertising players to serve their advertisement, and it is then displayed on every site in that network, pulling users to the fake websites where the malicious scripts have been planted.
Having said that, let's now look at how a user is victimised by a Malvertising scam.
How does it work?
It begins with a user visiting a website that carries a malicious advertisement. The ad's script fingerprints the operating system of the user's machine and redirects the user to a different malware website for each one. This approach ensures that all types of OS are covered: for example, Windows and Mac users are redirected to different malware websites, so machines running either operating system get infected.
Once the user lands on the final URL, a download starts automatically. The file bundles legitimate-looking software with the malware, so users are misled into believing they are downloading the legitimate software while the malware installs itself in the background.
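The chain just described (ad network, then an OS-dependent redirect, then an automatic download of a malware-laden file) leaves a trail in a web proxy log. The following Python script is an added example written for this article, not Cyberoam code: it rebuilds each client's redirect chain from a constructed proxy log (the pipe-separated format, the .test domains, the client IPs and the log lines are all assumptions) and flags a chain when the same ad sends different operating systems to different landing hosts, or when an executable or browser-plugin payload is fetched inside the chain.

```python
"""Reconstruct ad-driven redirect chains from a web proxy log and flag the
malvertising indicators described above: a chain that starts at an ad network,
sends different operating systems to different landing hosts, and ends in an
executable or browser-plugin payload.

Added example for this article. Log format, domains, IPs and log lines are all
constructed; nothing here is taken from a real campaign or product."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed format: time|client|url|status|content-type|referer|user-agent
LOG_LINES = """\
2014-08-19T10:02:11|10.0.0.5|http://news.example.test/article|200|text/html|-|Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0
2014-08-19T10:02:12|10.0.0.5|http://ads.adnet.test/serve?id=77|200|text/javascript|http://news.example.test/article|Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0
2014-08-19T10:02:13|10.0.0.5|http://win-land.test/index.php|200|text/html|http://ads.adnet.test/serve?id=77|Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0
2014-08-19T10:02:14|10.0.0.5|http://win-land.test/swf/x.swf|200|application/x-shockwave-flash|http://win-land.test/index.php|Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0
2014-08-19T10:02:15|10.0.0.5|http://win-land.test/get.php?f=1|200|application/x-msdownload|http://win-land.test/index.php|Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0
2014-08-19T10:05:40|10.0.0.9|http://news.example.test/article|200|text/html|-|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36
2014-08-19T10:05:41|10.0.0.9|http://ads.adnet.test/serve?id=77|200|text/javascript|http://news.example.test/article|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36
2014-08-19T10:05:42|10.0.0.9|http://mac-land.test/Installer.dmg|200|application/octet-stream|http://ads.adnet.test/serve?id=77|Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Safari/537.36
2014-08-19T10:09:03|10.0.0.12|http://news.example.test/article|200|text/html|-|Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0
2014-08-19T10:09:04|10.0.0.12|http://ads.adnet.test/serve?id=77|200|text/javascript|http://news.example.test/article|Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0
2014-08-19T10:09:05|10.0.0.12|http://static.adnet.test/banner.png|200|image/png|http://ads.adnet.test/serve?id=77|Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0
"""

AD_NETWORK_HOSTS = {"ads.adnet.test", "static.adnet.test"}  # assumed ad-network domains
PAYLOAD_TYPES = {  # executables and the plugin content exploit kits deliver
    "application/x-msdownload", "application/octet-stream",
    "application/java-archive", "application/x-shockwave-flash",
    "application/x-silverlight-app",
}


def parse_log(text):
    """Turn the pipe-separated log into a list of request dicts, in log order."""
    records = []
    for line in text.splitlines():
        time, client, url, status, ctype, referer, ua = line.split("|", 6)
        records.append({"time": time, "client": client, "url": url,
                        "host": urlparse(url).hostname, "status": int(status),
                        "ctype": ctype, "referer": referer, "ua": ua})
    return records


def os_family(ua):
    """Coarse OS fingerprint from the User-Agent, the same signal the ad script keys on."""
    for needle, family in (("Windows", "windows"), ("Mac OS X", "mac"), ("Linux", "linux")):
        if needle in ua:
            return family
    return "other"


def ad_chains(records):
    """Per client: the requests from the first ad-network hit onward that are
    linked to it by Referer, directly or through an earlier hop of the chain."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = {}
    for client, recs in by_client.items():
        chain, seen_urls = [], set()
        for r in recs:
            started = bool(chain)
            if r["host"] in AD_NETWORK_HOSTS or (started and r["referer"] in seen_urls):
                chain.append(r)
                seen_urls.add(r["url"])
        if chain:
            chains[client] = chain
    return chains


def landing_host(chain):
    """First host outside the ad network that the ad sent the browser to."""
    for r in chain:
        if r["host"] not in AD_NETWORK_HOSTS:
            return r["host"]
    return None


def analyze(records):
    """Return {client: finding} for every chain that trips at least one indicator."""
    chains = ad_chains(records)
    landings = defaultdict(dict)  # ad URL -> {os family: landing host}
    for chain in chains.values():
        host = landing_host(chain)
        if host:
            landings[chain[0]["url"]][os_family(chain[0]["ua"])] = host
    findings = {}
    for client, chain in chains.items():
        ad_url, host, flags = chain[0]["url"], landing_host(chain), []
        # Indicator 1: one ad, different destinations depending on the visitor's OS.
        if host and len(set(landings[ad_url].values())) > 1:
            flags.append("os_dependent_redirect")
        # Indicator 2: an executable or plugin payload fetched inside the ad chain.
        payloads = [r["url"] for r in chain if r["ctype"] in PAYLOAD_TYPES]
        if payloads:
            flags.append("payload_from_ad_chain")
        if flags:
            findings[client] = {"ad": ad_url, "landing": host,
                                "payloads": payloads, "flags": flags}
    return findings


if __name__ == "__main__":
    for client, f in analyze(parse_log(LOG_LINES)).items():
        print(client, f["flags"], "->", f["landing"], f["payloads"])
```

Run it directly to print the findings: the Windows and Mac clients are flagged on both indicators, while the third client, whose ad only fetched an image from the ad network, produces nothing. In a real deployment the ad-network host list would come from the proxy's category database, and the chain builder should also follow 3xx Location redirects, which this constructed log leaves out.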
Many of us, like me, visit photobucket.com regularly, and it is normal to click on an advertisement of interest hosted there. In mid-August 2014 it was found that this website and many others had been subjected to Malvertising. Other well-known websites affected at the same time include Java.com, Deviantart.com, TMZ.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl. These websites redirected users to browser exploits that installed malware on their machines. Users are infected by exploit kits hidden behind online ads, and usually do not even know that malware has been installed on their computer until some breach becomes visible.
Types and modes of Malvertising
It's important to know the types and modes of Malvertising. There are many different ways to inject malicious advertisements or programs into web pages. The most effective, and the one attackers use most, is the Drive-By Download.
In a drive-by download the user never gives informed consent: either the download is triggered silently by an exploit, or the user is tricked into approving something (an executable, a Java applet and so on) without understanding the consequences. It is very dangerous precisely because the malware lands on the machine without the user's knowledge.
According to Fox-IT's analysis of a recent attack, the rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit. This attack tool exploits vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users' computers.
How to fight it?
First and foremost, malware awareness among users is important. Users should take care of a few basic things. For example, run an ad-blocking extension such as AdBlock, which prevents ads from appearing in the first place, or a script blocker such as NoScript for Mozilla Firefox, which disables JavaScript (and plugins such as Java and Flash) by default and lets the user choose which scripts to allow. Since exploit kits rely on outdated versions of Flash Player, Java and Silverlight, keeping the browser and its plugins up to date removes the vulnerabilities they need.
In addition, the user's machine should be protected with suitable endpoint security, and networks must have security devices at the perimeter to protect against malware attacks.
Cyberoam solutions
Cyberoam offers comprehensive protection against advanced malware using Web Filtering, Gateway AV and IPS. Its content filter has a separate "Phishing and Fraud" category; once selected, access to this web category is blocked, and Cyberoam proactively blocks websites that gather personal information (such as name, address, credit card number, school or personal schedules) that may be used for malicious intent. If the malware is hosted on a trusted website and a user tries to download the malware file, Cyberoam Gateway Anti-Virus blocks the download to the user's machine. If a user machine is already infected with malware and tries to make connections to the outside world, Cyberoam IPS identifies and blocks them. Cyberoam network security appliances, available as UTMs and Next Generation Firewalls, deliver enterprise-class network security with stateful inspection firewall, VPN and IPS, offering Human Layer 8 identity-based controls and Layer 7 application visibility and controls. Read more about Cyberoam at www.cyberoam.com
For similar blogs and security articles, subscribe to Cyberoam Blogs.