Malvertising – a new corruption

As Dorothy Parker would say, what fresh hell is malvertising?
16 February 2023

Companies already have a lot to think about from a digital security standpoint. With malware ramping up, phishing and email scams somehow not having been nailed into coffins with stakes through their digital hearts even though it’s 2023, social engineering attacks, business email compromise and the increasing pressure on staff to facilitate insider attacks in a challenging economic environment, really, it’s a lot. And now, according to network security experts Lumu, there’s malvertising.

There’s what-now?

Malvertising. A combination of… malware and advertising?

Well, yes – but as we found out when we sat down with Lumu CEO Ricardo Villadiego, it’s a little more complicated, a lot more clever, and exponentially more dangerous than you might be thinking.

A history lesson.

THQ:

So – what’s the explanation? What actually is malvertising?

RV:

Well, as you say, partially it’s exactly what you think it is. Back as far as 2000, and even probably before that, the bad actors realized it was easier to trick people into clicking a malware link if there was something trustworthy in front of it – like an ad. To some extent, that’s as old as the hills, right?

THQ:

Fundamental principle of malware to some extent, yes. Click this because it’s real and genuine and something you need to do.

RV:

So they weaponized things like AdWords. The digital networks that existed at the time included things like AdWords from Google, Yahoo ads, and MSN ads. And they paid. That’s the important thing – they paid for the ads, perfectly legitimately – and then added some code that linked the end user to the download of a malware artifact. And that was extremely effective for them, because as a user, when you see an ad that is presented to you from Google, it increases your trust, because you assume it’s been vetted.

THQ:

The assumption from authority, right? We inherently assume if something’s got an authority’s name on it, or that it’s been allowed through by such an authority, it will have had to meet stringent criteria of safety.

RV:

Right – and we’re more inclined to click on ads that we assume have that in-built safety of authority. That’s how these guys weaponized their online digital advertising channels to deploy malware.

THQ:

We see the point where it’s vital that they bought the ads legitimately. It’s almost like buying an alibi.

Remedial action.

RV:

Yeah. Now, the vendors of the ads began to realize what was happening. So they increased their scrutiny of the campaigns that were paid for, to try and avoid allowing malware through their digital advertisement channel.

The thing about that is that every action creates an adversarial reaction. People love an arms race, and that’s especially true when it comes to cybercriminals and the people who try to stop them.

So what’s happened is that the cybercriminals have seen that the response to their action was tighter controls over the available advertising networks. What do you think they’ve done?

THQ:

Bought Google?

RV:

Not quite.

THQ:

Sorry – gut reaction.

The arms race just got real.

RV:

What they’ve done is create their own advertising networks.

THQ:

O…K. This feels like it’s on us, but we did not see that coming. Digital ad networks… for cybercriminals?

RV:

Yep. Criminal ad networks, hacking perfectly valid websites, and adding JavaScript elements to perfectly legitimate ads, to help them control the ads that that website is going to show to its end users.

THQ:

That’s an almost inspiring level of evil chutzpah.

RV:

And now it creates a serious issue for two main reasons. Number one is that you have tons of websites that are using WordPress, and now they have to take extra steps to secure those WordPress deployments.

And number two, the end user is visiting a valid website, a website that they trust. And that website that they trust is highlighting a piece of art, an image or an advertisement, that is triggering malware and infecting their devices – without the website owners knowing about it. That combination is very powerful because it accelerates the way the bad guys can distribute ransomware precursors that help them to get access to networks, and then execute a ransomware incident.

The end of trust.

THQ:

And that will destroy the trust that people have in the legitimate websites that they like to visit, because all of a sudden those websites are responsible for ransomware, even though the owners and writers and moderators of those sites had no bad intent. It’s anarchy on the internet.

RV:

Absolutely. That was the main reason why the large digital advertisement networks created additional security on campaigns in the first place – they didn’t want the end user to distrust the advertisement network. Now what’s happening is this reaction. The criminals have said “Okay, we’re not going to be able to weaponize a valid advertisement network? We’re going to create our own advertisement network.” If you look at it from a purely objective point of view, it’s really clever how they think.

THQ:

Oh, it’s some Lex Luthor level thinking, right enough.

RV:

They’ve built their own digital advertising network where they can control the ads that people are able to see? And they can resell those capabilities to the ransomware gangs to deploy the initial broker access of their preference over these networks.

THQ:

Malvertising-as-a-service?

RV:

Yep. It is affecting websites today, all across the Americas. And the point is, the potential may not seem like much –

THQ:

The potential seems huge – it can destabilize any trust people have in clicking any ads on any websites.

RV:

Well yes – and it could affect any vertical.

THQ:

Any vertical.

Great.

So, to summarize, cybercriminals developed an effective semi-legitimate way of getting malware onto unsuspecting websites. Authorities tightened up control to try and stop that happening. Annnd now they have their own digital advertising agencies, hiring out the capability to put malware into ads on, let’s say, any WordPress website anywhere, potentially affecting any vertical that exists? Which is more or less to say all verticals, everywhere.

RV:

Pretty much.

THQ:

And that’s malvertising.


In Part 2 of this article, we’ll cover what companies need to do in order to deal with the threat of malvertising.