The Growing Risk From ‘Malvertising’ Is Identified

SAN FRANCISCO—“Malvertising” has become “arguably the fastest growing and least well understood online threat vector today,” according to a new report.

Malicious advertising, or malvertising for short, is a technique used to distribute malware on popular websites via online advertising networks, according to the new report from RiskIQ, which said it has observed an exponential increase in the number and ferocity of malvertising campaigns in 2014.

“Malvertisements can appear on any website at any given time, and there is little that the website owner can do to prevent them,” RiskIQ said. “That’s because third-party providers known as ad delivery networks plant malvertisements on web pages. These networks auction website placements to advertisers using a high-bid, free-market system. There is currently very little oversight in this industry.”

In its new report, RiskIQ said the top five malvertising risks are:

1. Brand Impersonating Fake Software. As the name implies, this form of attack exploits the online trust users have established with brand-name companies. The most common technique observed in the study was to present victims with a fake software update, usually from a well-known software vendor. Instead of downloading a software update, victims are tricked into installing malware.

2. Generic Trojan Software. In this form of attack, a pop-up appears on the victim’s machine, which prompts him or her to click on an executable file.

3. Fake Antivirus Software. Much like the fake software update technique, this attack attempts to trick victims into installing malware by prompting them to update their antivirus software program.

4. Angler Exploit Kit. Angler was one of the first exploit kits to integrate Silverlight into its arsenal. Reports suggest that Angler first looks for Silverlight vulnerabilities, then Flash and Java flaws in order to infect a victim’s device. This is possibly due to the fact that plugins for the two latter platforms are often missing or out of date. Angler uses landing page scripts, which can check for the presence of specific kernel driver files on a system. If these are found, it aborts the exploit session and redirects the potential victim to a benign website.

5. RIG Exploit Kit. RIG is believed to be a rip or similar evolution of the Infinity/RedKitv2 exploit kit. It is currently offered as hosted/rented crimeware-as-a-service. RIG is known to support at least the following software: Java, Flash, MSIE and Silverlight. Also notable, the kit includes logic in the landing page script to check for the presence of at least the kernel driver kl1.sys, installed by Kaspersky antivirus, and abort the infection attempt if it is found. This behavior is observed with other exploit deliveries as well.

“What makes malvertising insidious is its ability to hide and deliver malware using an Internet-wide infrastructure that can target specific types of users,” the report concludes. “Since malicious ads do not persist once a user session is terminated, they’re extremely difficult to detect and track.”

Copyright Holder: CUToday.info
Copyright Year: 2026