Malvertising attacks involve the hacker injecting code into an online advertisement page to alter the message and redirect users to a malicious site. Scammers and hackers find this hacking method highly profitable, mainly when they redirect users to a rogue site collecting money initially earmarked for political donations or purchasing merchandise.
Hackers continue to compromise elements within the CDN network with malware capable of code injections and other adversarial capabilities.
Preventing malvertising starts with the ability of these CDN ecosystem partners to deploy advanced network generation cybersecurity detection and prevention capabilities to help reduce the risk of malvertising.
Managed detection and response (MDR) providers like ForeNova are critical in reducing malvertising attacks across CDNs, publishers, content creators, and the user community.
Want to know more about NovaMDR by ForeNova? Click here to schedule an initial consultation today with the ForeNova team.
Software company users also become victims of malvertising. Malicious ads inserted into known sites like CNN.com, Yahoo.com, and YouTube featuring a new software application or update from a well-known software creator often contain malicious malware files.
In fall 2023, Malwarebytes reported a 42% rise in malvertising incidents in the U.S., affecting various brands for phishing and malware purposes. These ad attacks target Google search ad results for Lowes and YouTube. Malwarebytes also reported ad attacks impersonating companies like Salesforce.com.
In 2024, malvertising attacks leveraging phishing content AI-powered messages became a popular attack method for hackers. For example, YouTube creators would receive email messages requesting collaboration from an unknown third party. The third-party would send malicious links disguised as software updates, resulting in compromised videos.
Bitdefender reported in October 2024 that SYS01 leveraged the ElectronJs application as its attack tool. This tool lets hackers distribute the malicious payload in a MediaFire link to download harmful software. The malware files existed within a .zip file inside the ElectronJs app. If the initial attack failed, the hacker could easily alter the JavaScript code and impersonate video tools, including Office 365 and Netflix.
Compromised Ads contained to a MediaFire link for downloading harmful software. The malware files existed within a .zip file inside the ElectronJs app. The file JavaScript code became easier altered by the hacker if the initial attack failed.
SYS01InfoStealer aims to steal Facebook Business account credentials. Hackers then misuse these accounts to exploit personal data and run more harmful ads.
Hackers use stolen Facebook accounts to make fake ads that look real, helping them reach more people without getting caught.
Malvertising campaigns lead to malware being downloaded on the user's device. This malware could become active immediately or sit dormant for several months. Once the malware becomes active, the user's computer could shut down or become a zombie for future attacks. The same malware programs could also inject code into the user's browser until the malicious program is detected and security patches are applied
Here are examples of current and past campaigns.
KS Clean uses mobile apps to spread harmful adware. When a user clicks an ad, the malware downloads silently in the background. The user then sees a pop-up message about a security issue. It urges them to update the app. When the user clicks “OK,” the malware finishes downloading and gains administrative privileges. This attack method allows it to show multiple pop-up ads. The attackers can also use these privileges to install more malware.
RoughTed was a well-known malvertising campaign that started in 2017. It avoided detection by changing URLs frequently, often using URL shorteners. The campaign used Amazon's cloud infrastructure and created confusion through multiple redirections from ad networks. This hacking technique made it hard to track and block harmful sites. RoughTed bypassed ad blockers and used detailed user fingerprinting. Compromised sites redirected users to a tracking site when they clicked anywhere on the page.
The challenge facing everyone in the online ad supply chain and ecosystem is that billions of people worldwide trust Google and Microsoft Bing. Search results generated by Google and Microsoft remain highly trusted by the user community, and hackers are fully aware of this. With the sheer volume of daily searches, it is nearly impossible for Google and Microsoft to check each search result.
Hackers continue to become more creative in ad manipulation by leveraging adversarial artificial intelligence (AI) and machine learning (ML) tools to optimize their techniques, including leveraging steganography to expedite and optimize their malvertising attacks.
Malvertising attacks often use steganography to hide harmful text in images or videos. While steganography keeps info visible, cryptography makes messages unreadable. Cryptographic texts seem random and need special decoded tools, making them great for these attacks.
Forced redirection is the byproduct of a successful malvertising breach. The attacker deploys malicious or entire malware packages on the end user's device. When a user watches a video, the browser suddenly redirects to another site, claiming they have won a million dollars.
Ads offering credit card discounts, free airline mileage giveaways, or discounts to a famous club or sporting event are likely phishing attacks. These types of malvertising are complex and challenging to prevent. Banks offer credit card specials, various airlines offer promotional packages with free files, and ticketing agencies needing to fill seats at sporting events will offer aggressive discounts.
Organizations spend millions on ad content, distribution, and follow-up. Any manipulation of the ad or the website results in lost revenue opportunities, and there is no one to blame. Hackers secretly insert their code into vulnerabilities within browsers, web applications, and mobile devices. These vulnerabilities exist even with organizations applying the latest patches and security updates.
Ultimately, publishers suffered more significant losses because of malvertising. Each compromised event negatively affects its reputation, with a drop in site traffic and ad revenues. Also, publishers will face countless lawsuits from their clients who trust their ability to deliver their ad content securely.
While publishers acknowledge the issue, they attempt to block ads after they become compromised, especially if they release the content to the CDN provider. More to the point, ad networks that leverage real-time bidding have few options for preventing malvertising from occurring.
As more malvertising attacks become public, this also has helped raise awareness. Users now become more aware and suspicious of phishing ads, like phishing emails. Users should review each ad by looking for the following attributes:
Users should continue to be mindful of ads focusing on a get-rich-quick scam, surveys, tech support requests, and unsolicited software updates.
Preventing malicious attacks starts with CDN providers, publishers, content creators, and users deploying known and proven cybersecurity tools on various endpoint devices, host-based platforms, and networking equipment. Malvertising attacks are at the beginning of a cyber kill chain.
Users' malware downloads become part of the next phase in a kill chain. This next step could be a ransomware attack, data exfiltration, or a distributed denial-of-service attack against a CDN provider’s global access point.
NovaMDR by ForeNova is specifically designed to help protect against multi-thread kill-chain attacks like Malvertising. Through its various integrations with next-generation firewalls, endpoint security solutions, intrusion protection solutions, and other cyber defense tools, NovaMDR provides the client with critical visibility of their attack surfaces through ecosystem integration. This is vital as malvertising attacks do not focus solely on the surface.