
Unmasking Malvertising Attacks

Malvertising, a portmanteau of “malicious advertising,” is a technique cybercriminals use to spread malware through online advertisements. Unlike phishing, which usually needs the victim to act on a lure, malvertising can compromise someone who does nothing more than load a legitimate page, even a user who follows cybersecurity best practices.

In a malvertising attack, criminals plant malicious code or a malware payload in a seemingly harmless ad creative, which is then distributed through one or more advertising networks and displayed on legitimate websites. Techniques include deceptive ads whose click-through lands on a legitimate-looking (but bogus) website, hiding payload data inside the pixels of a banner image (steganography) so it passes a visual review, and “drive-by downloads,” in which the ad’s code exploits a browser or plugin vulnerability so that malware is downloaded and installed with no click at all.

Malvertising campaigns ride on mainstream ad networks such as Google Ads, AdPlugg or Propeller Ads to deliver their payloads, which lets criminals reach very large audiences. Even reputable networks cannot guarantee immunity: malvertisers exploit weaknesses in the ad supply chain or simply buy ad space like any legitimate advertiser. Almost any site that carries advertising, including trusted brands like the New York Times and the NFL, can end up serving a malicious ad.

The Nexus of Malvertising and Ransomware

While malvertising can deliver all sorts of nastiness, ransomware is the most prevalent payload, constituting 70% of malvertising campaigns. These attacks increasingly bypass traditional defenses, using techniques like fileless malware to exploit system vulnerabilities, and they demand proactive measures in any organization’s data protection strategy.

Ransomware is often accompanied by data exfiltration and inflicts significant financial and reputational damage. It’s bad enough that the average ransom payment is around $258,000. Even worse is the total cost of an attack: $4.54 million, including investigation, remediation and compensation. In extreme cases, organizations may face closure, as exemplified by the 2022 ransomware-induced shuttering of Lincoln College in Illinois.

Prevention Strategies

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both recommend using an ad blocker to keep malicious ad code from loading in the first place. Do your research, though. There are malicious ad blockers out there, and some malvertising campaigns are tailored to bypass blockers altogether. Combine that with the fact that some massively popular sites like YouTube require you to disable your ad blocker, and you will need to take additional precautions.

Antivirus tools play a crucial role in safeguarding against malware, including malware delivered by malvertising. However, because much of their detection is signature-based, newer threats such as fileless malware, which runs in memory and leaves little on disk for a scanner to match, can render them ineffective. EDR/XDR tools close some of that gap but can still be evaded or disabled, which makes emerging Defense in Depth strategies like Automated Moving Target Defense (AMTD) critical to a complete security posture.

As browsing habits shift towards mobile devices, malvertising adapts to exploit vulnerabilities in mobile web browsers. Smaller touchscreens increase the likelihood of accidental ad clicks (why do you think they make the Xs so small?). Ad blockers and antivirus are also installed much less often on mobile devices. This is particularly concerning as more and more personal devices connect to business networks.

As always, education and awareness are critical. Know the common tactics, such as misleading banner ads and deceptive pop-ups. Avoid clicking on ads on unfamiliar or suspicious websites, and be wary of any ad making an unrealistic offer or promotion.

(You’re not still using Temu, are you?)

How Arms Cyber Can Help

Ransomware attacks present a significant threat because of their ability to evade traditional defenses. At Arms Cyber, we offer an innovative Endpoint Protection Platform (EPP) designed to tackle this challenge head-on. Our solution employs proactive measures such as runtime Moving Target Defenses (MTD), deception techniques, command and behavior analysis, and anti-detonation defenses to reliably detect and prevent ransomware attacks while minimizing false positives. Because it prevents the disablement of NGAV and EDR solutions and thwarts the in-memory manipulation used by modern malware, organizations can trust in the effectiveness of their cybersecurity investments without worrying about attacker evasion.