Malvertising: When simply viewing an ad means you could be “hacked”

A sometimes obscure web of online crime known as malvertising (‘malicious advertising’) is back. It has made millions for its criminal operators over more than a decade. At its worst, the attacks can infect your computer without so much as a mouse click. Simply view an ad and you’re hacked. Think the ads are on nefarious websites? Think again. The New York Times, Reuters, and even Telstra have housed malvertising ads.

Dick Smith – the famous Australian entrepreneur and commentator – was caught up in malvertising.

Scammers all over the world were luring victims with advertisements claiming the iconic aviation and Vegemite enthusiast was making millions from a secret Bitcoin investment.

In a bid to have the scam ads removed, Smith’s legal team called the police, the Australian Competition and Consumer Commission, and Facebook. He even threatened to sue The Guardian after the ads appeared on its website.

Smith was outgunned, however.

The Aussie icon was caught in a labyrinthine web of online crime known as malvertising (a portmanteau of ‘malicious advertising’) that for more than a decade has made millions by exploiting weaknesses in the online advertising machine.

His face often appeared alongside television icon Waleed Aly in a fake interview within ads that could appear on any website. Victims who clicked the ad were in many instances directed to a Bitcoin scam website that promised high returns for investments.

For the criminals, Smith was a means to an end. Countless other celebrities and everyday people have had their faces used to bolster the authenticity of scam advertisements.

Hundreds of millions targeted

Malvertising criminals do not exploit security flaws in the websites in which their ads appear per se, although those site operators should do more to vet the third-party content that appears on their pages.

Rather, they exploit advertising networks directly by slipping past insufficient security checks or by exploiting unpatched vulnerabilities.

Malvertising advertisements have appeared on the world’s largest and most popular news organisations including The New York Times, Reuters, Bloomberg, and Yahoo, on multiple occasions.

Celebrity chef Jamie Oliver has plated up malvertising on his popular website.

Telstra has housed malvertising ads that when clicked led victims to dangerous banking trojans.

Many other websites have fallen victim unbeknown to the cybersecurity community.

The scale of the problem seems dwarfed in the sea of ad spend. Some AUD$459 billion was poured into digital advertising last year alone, according to the latest figures from industry think tank the Interactive Advertising Bureau. Malvertising, by contrast, is said to inflict somewhere around US$1 billion in lost ad revenue.

A fake Dick Smith ad

But the small number of bad ads belies the casualty count.

A well-placed malvertising ad can easily reach 100,000 users in a day, and a staggering 40 percent of them can be compromised if the attack behind the ad is very sophisticated (specifically, if the attack uses an exploit kit containing a rather rare browser zero-day vulnerability).

Now malvertising – after a series of quiet spells over the last five years – is on the rise.

One active malvertising group known as Tag Barnakle has pushed its malicious advertisements to potentially hundreds of millions of people, according to Eliya Stein, a security researcher with anti-malvertising company Confiant.

That group launched its attacks by hacking some 120 vulnerable ad servers, and by masquerading as legitimate advertising players and buying ad space through the industry’s so-called real-time bidding systems.

Victims of Tag Barnakle are sent to a variety of scam sites and malware download pages. The group will deliver different attacks – depending on a victim’s device – with a technique known as fingerprinting helping to distinguish users of Windows from those of Android (Pixel, Samsung etc) and iOS (iPhone and iPad).

The group is currently focused on mobile users.

Tag Barnakle attacks targeting iPhone users

Other attacks are more basic and utilise malicious web browser extensions and add-ons that inject malware-laden ads when installed.

Grim outlook

Google has made huge inroads into bolstering the security of its Chrome browser. Yet a string of recent zero-day Chrome vulnerabilities points to worrying signs that malvertising could become much more potent.

In the years leading up to 2016, the most significant threat to internet users – something called the Angler exploit kit – hacked untold millions of machines using well-placed malvertising ads and zero-day vulnerabilities that its super-rich criminal operators bought from unscrupulous security researchers.

The new wave of Chrome flaws could herald a repeat of the now dead Angler exploit kit and its litany of victims.

Malvertising criminals still operate largely unchecked with tech giants unable or unwilling to clamp down. Publishers too are unwilling, unable, or unaware of the need to restrict the third-party content they allow to run on their websites. Adding layers of security here could prevent, for example, ads with malicious JavaScript from attacking their readers.
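One such layer on the publisher side is to load every ad in a sandboxed iframe, so that ad JavaScript cannot redirect the reader's page without a click. The following is an added example, not code from the original article; `auditAdFrame`, `buildAdSlot` and the `ads.example` URL are hypothetical names, and the sandbox tokens are those defined by the HTML standard.

```javascript
// Added example (not from the article): audit and build sandboxed ad iframes.
// Token names are from the HTML standard's iframe "sandbox" attribute.
const RISKY_TOKENS = {
  'allow-top-navigation': 'ad can redirect the whole page with no click',
  'allow-popups-to-escape-sandbox': 'windows opened by the ad run unsandboxed',
  'allow-modals': 'ad can raise alert/confirm dialogs (fake warnings)',
  'allow-downloads': 'ad can start file downloads',
};
const HARDENED_SANDBOX = 'allow-scripts allow-popups';

// sandboxAttr: the attribute's string value, or null when it is absent.
function auditAdFrame(sandboxAttr) {
  if (sandboxAttr == null) {
    return ['no sandbox attribute: the ad frame is unrestricted'];
  }
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  const findings = Object.entries(RISKY_TOKENS)
    .filter(([token]) => tokens.has(token))
    .map(([token, why]) => `${token}: ${why}`);
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    findings.push('allow-scripts + allow-same-origin: an ad served from the ' +
      "page's own origin can remove its sandbox");
  }
  return findings;
}

// Emit the publisher-side markup for one ad slot; only https sources are accepted.
function buildAdSlot(src) {
  const url = new URL(src); // throws on malformed input
  if (url.protocol !== 'https:') throw new Error('ad source must be https');
  const href = url.href.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${href}" sandbox="${HARDENED_SANDBOX}" ` +
    'referrerpolicy="no-referrer"></iframe>';
}

// Constructed sample values, as they might appear in a publisher's templates.
const SAMPLES = [null, 'allow-scripts allow-same-origin allow-top-navigation', HARDENED_SANDBOX];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', auditAdFrame(s));
}
console.log(buildAdSlot('https://ads.example/slot?id=1&size=300x250'));
```

Because the hardened value omits `allow-popups-to-escape-sandbox`, landing pages opened from the ad inherit the sandbox, which some advertisers' pages may not tolerate; that trade-off is the publisher's to make.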

Fighting back is difficult. The diverse online advertising machine involves multiple players from ad network giants Google, Yahoo, and Facebook, along with many smaller players with less time and resources to spend on security.

These reluctant networks have, experts say, shied away from imposing effective security checks that would add overhead to the ultra-fast-paced advertising machine, where targeted ad slots and traffic are bought and sold in a heartbeat.

Online advertisements are the capitalist heart of the modern web and fuel much of the internet’s free content, including news and the world’s top social media and web services.

Now the revitalised malvertising menace forces the most considerate internet user into an unfortunate choice: pay for the free content they love by viewing potentially malicious ads or stay secure and deny many free content creators their revenue by running an ad blocker.

There are many choices for those inclined to the latter. A reputable one at the time of writing is uBlock Origin by Raymond Hill.

Or, for the truly intrepid, an entirely new browser that utilises an advertising model it says is fairer and safer may prove more alluring. It is called “Brave”. But more on this another time!

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.
