Judging a cyber threat by its name can be illusory. The concept of the term "malvertising" (a portmanteau of "malicious advertising") suggests an overlap with ads, albeit dodgy ones, and therefore fuels the fallacy that its impact hardly goes beyond frustration. As a result, those who are unfamiliar might get the impression that it's no big deal, but this is a far cry from being the case.
Malvertising acts as a vessel for malware propagation. To set such a stratagem in motion, cybercriminals poison legitimate websites with ads that lead to shady URLs or download malicious code camouflaged as something harmless. At its core, this tactic revolves around gaming the trust users put in reputable internet services, including search engines, and the familiarity they have with online advertising per se.
Just to illustrate the scope of the issue, the Malwarebytes Threat Intelligence team spotted more than 800 malvertising campaigns in only the first six months of 2023, noting that the number of attacks that flew under researchers' radar was likely much higher. Some of the unearthed hoaxes delivered infostealers such as Aurora Stealer, Batloader, and IceID, with the latter having gained notoriety for facilitating Quantum ransomware distribution.
One of the biggest pitfalls with malvertising is how difficult it can be to detect. Scammers and malware operators are increasingly adept at mimicking popular brands in their ad snippets, which makes it problematic for the average user to tell the wheat from the chaff. Understating the very anatomy of this foul play can offer actionable clues on the ways to be a moving target.
How does a malvertising attack unfold?
Threat actors tend to abuse legitimate advertising networks or websites to disseminate their malicious content that may appear as banners, pop-ups, or embedded scripts on trusted web pages. These ads often target specific demographics or interests to increase the likelihood of clicks.
If a user gets on the hook, they are redirected to a landing page or prompted to download an ostensibly innocuous file. This ends up executing sketchy code that installs viruses, ransomware, spyware, or adware behind the victim's back.
Cybercriminals can then exploit the compromised device for various purposes, such as stealing personal information, conducting financial fraud, recruiting it into a botnet, or encrypting data and holding it for ransom. The IP addresses of the malicious Command and Control (C2) infrastructure are changed according to the fast flux logic to prevent the attack from being traced back to its operators.
A stepping stone to impactful cybercrime
This tactic has tangible real-world implications. In one of the extortion campaigns seen in the mid-2023, the infamous BlackCat/ALPHV ransomware hinged on malvertising to gain a foothold in computer networks. Its authors created cloned web pages offering to download popular free software, such as the WinSCP file manager. These fake sites were promoted on Google and Bing search results.
The infection chain starts when the user downloads and runs an ISO file, only to execute a malware dropper that installs a trojanized DLL object containing an instance of Cobalt Strike. The attackers then mishandle this well-known adversary simulation tool to harvest information about the operating system, exfiltrate data, and locate directories and services with weak access control settings.
This interference is a major catalyst for double extortion that involves both a breach and data encryption. Again, a raid as harmful as that commences with what appears to be garden-variety deceptive advertising trickery.
Crooks riddle search engines with treacherous ads
Placing an advertisement in web search results is relatively straightforward; all it takes is paying a fee and passing a pre-screening procedure. These security checks often fail to identify black hat schemes, though. The world's most trusted search services are fertile ground for rogue ads that give momentum to massive malvertising attacks.
Here's some evidence for those who consider the risk far-fetched. In November 2022, cybercriminals somehow acquired the right to run ads on Google for the popular open-source graphics editor GIMP. The ad above the fold specified the correct URL (gimp.org), but with the caveat that it directed users to a carbon copy of the original page at "gilimp.org." The clever misspelling in the domain name was inconspicuous enough for many would-be victims to overlook.
The knock-off landing site was serving an executable that would download an infostealer trojan called Vidar onto visitors' devices. It remains unclear how the bad actors manipulated Google's ad platform into giving the green light to this malvertising campaign. A particularly unsettling thing is that the mismatch between the display URL and landing URL didn't raise any red flags. One way or another, the fact persists that search engine abuse can amplify the problem.
The prevention dilemma
In light of the escalating threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory encouraging all government agencies to leverage ad blocking solutions in their day-to-day work. However, the agency immediately noted that such tools require high levels of privilege to operate, which potentially allows them to amass sensitive data. Another pitfall is that some of these browser extensions may "accept payment from advertisers to ensure their ads are allowlisted from blocking."
Ad blockers are worthwhile as long as they are backed by proper ethics and DevOps security best practices. These apps do pull the plug on advertisements triggered by bad scripts and macros on websites, but they aren't a full solution. In addition to the risks outlined by CISA, these add-ons don't sift out dubious advertisements on search engines that are increasingly common.
One of the alternative mechanisms to stand resilient against malvertising is to create an "air gap" between web browsers and operating systems. This tactic reduces the attack surface by limiting harmful code execution to a specific environment.
Of course, good old vigilance won't go amiss. If an ad feels too good to be true, think twice before clicking it. It's also imperative to verify website authenticity before interacting with its content. Look for HTTPS encryption, check the site's domain name for misspellings and irregularities (as was the case with the "gilimp.org" versus "gimp.org" story above), and steer clear of unfamiliar web pages with questionable reputation.
A DNS firewall and a classic antivirus are somewhat underused yet effective security tools that will come in handy. The former helps block dangerous internet content, and the latter pinpoints malware payloads in real time to form a robust layer of protection in malvertising scenarios.
Closing thoughts
Malvertising tends to be eclipsed by scourges like ransomware and info-stealing campaigns that cause direct harm. However, that seems to be a misconception because these cyberattacks often overlap. Not only can ads be irritating, but they can also be launchpads for much more severe compromises. A mix of social engineering, hacking, and abuse of legitimate services makes this style of online crime incredibly effective.
The silver lining is that such scams are fairly easy to avoid. Be reasonably paranoid about ads that convey unrealistic promises, contain spelling mistakes, and don't align with your recent searches. Double-check the URLs of landing pages that load after you click advertisements. Turn off autoplay for video content in your browser. Consider using an ad blocking extension. And don't underestimate the effectiveness of reputable antivirus software, as it can stop most malvertising attacks in their tracks.
