pricing-table-shape-1
Table-content-Image

Table of content

date
November 1, 2024

Real-World Examples of Malvertising

Malvertising attacks involve the hacker injecting code into an online advertisement page to alter the message and redirect users to a malicious site. Scammers and hackers find this hacking method highly profitable, mainly when they redirect users to a rogue site collecting money initially earmarked for political donations or purchasing merchandise. 

Content delivery networks (CDNs) make money by distributing content globally through their network of cache servers, relays, and content-refreshing systems. Content publishers, advertisement agencies, content creators, internet service providers, and software creation companies are among the elements that comprise CDN ecosystems. 

Hackers continue to compromise elements within the CDN network with malware capable of code injections and other adversarial capabilities. 

Preventing malvertising starts with the ability of these CDN ecosystem partners to deploy advanced network generation cybersecurity detection and prevention capabilities to help reduce the risk of malvertising. 

Managed detection and response (MDR) providers like ForeNova are critical in reducing malvertising attacks across CDNs, publishers, content creators, and the user community. 

Want to know more about NovaMDR by ForeNova? Click here to schedule an initial consultation today with the ForeNova team. 

What are Some Real-world Examples of Malvertising? 

A group of colorful rectangular signs

Description automatically generatedGoogle ads continue to be targeted because the creator, not Google itself, handles the actual content. Companies like Lowe's, Netflix, the New York Times, and Costco have fallen victim to malvertising attacks. Manipulating ad content within the Google search has become highly profitable for hackers because of its global reach and sheer volume of search results. 

Software company users also become victims of malvertising. Malicious ads inserted into known sites like CNN.com, Yahoo.com, and YouTube featuring a new software application or update from a well-known software creator often contain malicious malware files.  

Google, Lowes, and Salesforce 

In fall 2023, Malwarebytes reported a 42% rise in malvertising incidents in the U.S., affecting various brands for phishing and malware purposes. These ad attacks target Google search ad results for Lowes and YouTube. Malwarebytes also reported ad attacks impersonating companies like Salesforce.com. 

YouTube Ad Attack 

In 2024, malvertising attacks leveraging phishing content AI-powered messages became a popular attack method for hackers. For example, YouTube creators would receive email messages requesting collaboration from an unknown third party. The third-party would send malicious links disguised as software updates, resulting in compromised videos. 

SYS01 Infostealer 

Bitdefender reported in October 2024 that SYS01 leveraged the ElectronJs application as its attack tool. This tool lets hackers distribute the malicious payload in a MediaFire link to download harmful software. The malware files existed within a .zip file inside the ElectronJs app. If the initial attack failed, the hacker could easily alter the JavaScript code and impersonate video tools, including Office 365 and Netflix. 

Compromised Ads contained to a MediaFire link for downloading harmful software. The malware files existed within a .zip file inside the ElectronJs app. The file JavaScript code became easier altered by the hacker if the initial attack failed. 

SYS01InfoStealer aims to steal Facebook Business account credentials. Hackers then misuse these accounts to exploit personal data and run more harmful ads. 

Hackers use stolen Facebook accounts to make fake ads that look real, helping them reach more people without getting caught. 

What Are Examples of a Malvertising Campaigns? 

Malvertising campaigns lead to malware being downloaded on the user's device. This malware could become active immediately or sit dormant for several months. Once the malware becomes active, the user's computer could shut down or become a zombie for future attacks. The same malware programs could also inject code into the user's browser until the malicious program is detected and security patches are applied 

Here are examples of current and past campaigns. 

KS Clean 

KS Clean uses mobile apps to spread harmful adware. When a user clicks an ad, the malware downloads silently in the background. The user then sees a pop-up message about a security issue. It urges them to update the app. When the user clicks “OK,” the malware finishes downloading and gains administrative privileges. This attack method allows it to show multiple pop-up ads. The attackers can also use these privileges to install more malware. 

RoughTed 

RoughTed was a well-known malvertising campaign that started in 2017. It avoided detection by changing URLs frequently, often using URL shorteners. The campaign used Amazon's cloud infrastructure and created confusion through multiple redirections from ad networks. This hacking technique made it hard to track and block harmful sites. RoughTed bypassed ad blockers and used detailed user fingerprinting. Compromised sites redirected users to a tracking site when they clicked anywhere on the page. 

What are the Mechanics Behind a Malvertising Attack? 

The challenge facing everyone in the online ad supply chain and ecosystem is that billions of people worldwide trust Google and Microsoft Bing. Search results generated by Google and Microsoft remain highly trusted by the user community, and hackers are fully aware of this. With the sheer volume of daily searches, it is nearly impossible for Google and Microsoft to check each search result. 

Hackers continue to become more creative in ad manipulation by leveraging adversarial artificial intelligence (AI) and machine learning (ML) tools to optimize their techniques, including leveraging steganography to expedite and optimize their malvertising attacks. 

Steganography 

Malvertising attacks often use steganography to hide harmful text in images or videos. While steganography keeps info visible, cryptography makes messages unreadable. Cryptographic texts seem random and need special decoded tools, making them great for these attacks. 

  • Steganography attacks can conceal malware in small pixel groups, making it hard for ad networks and users to spot harmful ads until it’s too late. 
  • Steganography has been used to target both Windows and macOS. Hackers hide ransomware code, deliver malicious scripts, and even use crypto miners. 

Forced Redirection 

Forced redirection is the byproduct of a successful malvertising breach. The attacker deploys malicious or entire malware packages on the end user's device. When a user watches a video, the browser suddenly redirects to another site, claiming they have won a million dollars.  

Phishing 

Ads offering credit card discounts, free airline mileage giveaways, or discounts to a famous club or sporting event are likely phishing attacks. These types of malvertising are complex and challenging to prevent. Banks offer credit card specials, various airlines offer promotional packages with free files, and ticketing agencies needing to fill seats at sporting events will offer aggressive discounts. 

The Negative Impact of Legitimate Ads to Malvertising 

A group of colorful screens with a hand

Description automatically generated"The GeoEdge team estimates that malicious activities cost industry stakeholders upwards of $1B million annually, including identification, documentation, and remediation." 

Organizations spend millions on ad content, distribution, and follow-up. Any manipulation of the ad or the website results in lost revenue opportunities, and there is no one to blame. Hackers secretly insert their code into vulnerabilities within browsers, web applications, and mobile devices. These vulnerabilities exist even with organizations applying the latest patches and security updates. 

Ultimately, publishers suffered more significant losses because of malvertising. Each compromised event negatively affects its reputation, with a drop in site traffic and ad revenues. Also, publishers will face countless lawsuits from their clients who trust their ability to deliver their ad content securely. 

While publishers acknowledge the issue, they attempt to block ads after they become compromised, especially if they release the content to the CDN provider. More to the point, ad networks that leverage real-time bidding have few options for preventing malvertising from occurring. 

How to Avoid Malvertising Security Attacks? 

As more malvertising attacks become public, this also has helped raise awareness. Users now become more aware and suspicious of phishing ads, like phishing emails. Users should review each ad by looking for the following attributes: 

  • Misspelled words within the ad 
  • Poor grammar 
  • The content of the ads seems too good to be true 
  • Flaws with the video or image 
  • Beware of phone numbers or WhatsApp numbers within the ads. 

Users should continue to be mindful of ads focusing on a get-rich-quick scam, surveys, tech support requests, and unsolicited software updates. 

What is the role of a Managed Detection and Response Service in protecting CDN and Ad Networks? 

Preventing malicious attacks starts with CDN providers, publishers, content creators, and users deploying known and proven cybersecurity tools on various endpoint devices, host-based platforms, and networking equipment. Malvertising attacks are at the beginning of a cyber kill chain. 

Users' malware downloads become part of the next phase in a kill chain. This next step could be a ransomware attack, data exfiltration, or a distributed denial-of-service attack against a CDN provider’s global access point. 

NovaMDR by ForeNova is specifically designed to help protect against multi-thread kill-chain attacks like Malvertising. Through its various integrations with next-generation firewalls, endpoint security solutions, intrusion protection solutions, and other cyber defense tools, NovaMDR provides the client with critical visibility of their attack surfaces through ecosystem integration. This is vital as malvertising attacks do not focus solely on the surface. 

polygon

Related Posts

feature image
11 Nov, 2024

What is Access Control List (ACL)?

An Access Control List (ACL) is a security mechanism which is designed to...
feature image
5 Nov, 2024

What is a POS Malware Attack?

POS attacks may cause major financial losses, reputational harm, and legal...
feature image
31 Oct, 2024

Understanding Adware: Impacts, Types, and Prevention

What is Adware? Adware, often known as ad-supported software, makes cash...