Malvertising – the hidden threat

By Rob Collins, senior systems engineer for APAC, WatchGuard Technologies | 9 February 2016

Exploiting vulnerabilities in business and general consumer technologies is an increasingly lucrative business model for cyber criminals. At the same time, the Snowden effect has pushed large organisations and other technology leaders to prioritise the adoption of HTTPS encryption, to give internet users greater security and privacy.

At this time, encrypted data is one of the most effective ways to secure information from prying eyes (malicious or otherwise) online. Global social networks and search engines such as Google, Facebook, YouTube, Twitter and Pinterest as well as financial institutions and other organisations are already using HTTPS in an effort to better enable data privacy and security. Services such as HTTPS Everywhere and Let’s Encrypt are also allowing for a wider availability of encryption online.

As the web increasingly turns to HTTPS communication, one weakness has become very apparent: the same encryption can be used as a hidden channel for malicious code, so that users are attacked through advertisements or other vulnerabilities without the traffic ever being inspected. This has recently affected popular websites with an excellent reputation for security, and it was done without breaching those sites at all.

Understanding malvertising

Malvertising is the execution of malicious code through exposure to what is generally recognised as a safe internet advertisement. These advertisements can be delivered through trusted advertising networks to websites running affiliate marketing or general advertising campaigns, which display a single advertisement or cycle through several.

Malvertising can infect a system in several ways, both before and after the user clicks (pre-click and post-click). Simply visiting a website that displays the malicious advertisement may trigger a drive-by download or run code automatically, resulting in an infection. Alternatively, the advertisement may automatically redirect you to another site with malicious results.

Sometimes the advertisement itself is tampered with during delivery to the user, rather than being compromised before it appears on the site. The user sees nothing unusual, and because the code travels over HTTPS it is difficult to detect in transit. There have even been cases where high-profile websites were used to spear-phish (directly target) senior executives with malware tailored to them, delivered through malvertising.

Different malicious adverts work in different ways. Some look for specific triggers before infecting a computer, which means not everyone who encounters a malicious advert will be infected; others install malware indiscriminately.

Advertising space is generally bought through a legitimate network and is often placed on high-profile websites. Neither a user nor a website owner has an easy way of telling whether an advert is dangerous.

This kind of advert can be hard to track for many reasons. Examining the creative's code and following the chain of loads and redirects it triggers can help detect malvertising, but because an advert may only appear on rotation, it is hard to know when a site is serving it and which adverts are causing the problem.
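The chain-following described above can be done statically on an ad creative before it is trusted. The following Python script is an added example, not code from the article or from WatchGuard: it parses a creative's HTML, records every URL the browser would load, click through to or be redirected to (script, iframe and image sources, link targets, meta refreshes and inline `location` assignments), and flags any host that is not on an allowlist of approved ad-network hosts. The allowlist, the `.test` host names and the sample creative are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the ad-network hosts a site operator has agreed to load from.
APPROVED_AD_HOSTS = {"ads.example-network.test", "cdn.example-network.test"}

# Constructed ad creative for the demo; not captured from any real campaign.
SAMPLE_CREATIVE = """
<script src="https://ads.example-network.test/tag.js"></script>
<a href="https://ads.example-network.test/click?cid=1234">
  <img src="https://cdn.example-network.test/banner.png">
</a>
<iframe src="https://tracker.unknown-host.test/pixel"></iframe>
<script>
  if (navigator.userAgent.indexOf("Windows") > -1) {
    window.location = "https://landing.unknown-host.test/offer";
  }
</script>
"""


class AdTagParser(HTMLParser):
    """Collect, in document order, every URL the creative would make the browser
    load (script/iframe/img src), visit on click (a href) or redirect to
    (meta refresh, inline location assignment)."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe", "img") and a.get("src"):
            self.hops.append((tag, a["src"]))
        elif tag == "a" and a.get("href"):
            self.hops.append(("click", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url=([^;\s'\"]+)", a.get("content", ""), re.I)
            if m:
                self.hops.append(("refresh", m.group(1)))

    def handle_data(self, data):
        # Inline script bodies arrive here; catch redirects written as
        # location = "..." or location.href = "..."
        for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
            self.hops.append(("script-redirect", m.group(1)))


def analyse_creative(html, approved=APPROVED_AD_HOSTS):
    """Return one finding per hop: the kind of load, the URL, its host and
    whether that host is on the approved ad-network allowlist."""
    parser = AdTagParser()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, url in parser.hops:
        host = (urlparse(url).hostname or "").lower()
        findings.append({"kind": kind, "url": url, "host": host,
                         "approved": host in approved})
    return findings


def unapproved_hosts(findings):
    """Hosts in the chain that nobody signed off on: the ones to investigate first."""
    return sorted({f["host"] for f in findings if not f["approved"]})


if __name__ == "__main__":
    results = analyse_creative(SAMPLE_CREATIVE)
    for f in results:
        flag = "ok " if f["approved"] else "!! "
        print(f"{flag}{f['kind']:16} {f['url']}")
    print("unapproved:", unapproved_hosts(results))
```

Run against the sample, the script reports the two `unknown-host.test` hops (a tracking iframe and a conditional redirect) as unapproved while the three approved-network hops pass. Because the redirect only fires for one user agent, a dynamic scan from a different browser would never see it; static extraction of the chain catches it regardless of which trigger the creative is waiting for.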

How malvertising is exploiting HTTPS

While HTTPS normally provides beneficial security for a website, malvertisers have found a way to exploit the system.

Just as HTTPS encrypts user data, it encrypts advertising data too. This means that most security and anti-virus software cannot scan the code while it is still encrypted on the wire, looking for tell-tale signs of danger.

For standard HTTP sites, data about the advertisement, such as the campaign ID, its creator and where it sends infected users, can be found and tracked. With HTTPS encryption this task requires additional security technology. Some malvertising campaigns on popular websites have gone unnoticed for several weeks, putting millions of people at risk.

Making the process even easier for hackers, free HTTPS certificates are now available through initiatives that aim to make HTTPS standard across the whole internet.

How to protect yourself

One very basic form of protection comes from adblockers. These popular browser plugins can stop some advertisements loading, which means the advertisement cannot redirect you or infect your computer. While an adblocker is better than nothing, it is not foolproof: malvertising is getting more sophisticated and can find ways around adblockers and other popular ad-blocking plugins. Another tool, which requires more technical ability to use, is a script blocker. These tools prevent scripts from running unless they come from a source you have explicitly allowed, so malicious scripts are blocked before they can infect a computer.

The biggest issue with malvertising is that it uses encryption to hide itself, which makes it undetectable to most security software. Encrypted traffic is difficult to inspect, but it is not impossible: it can be decrypted at a point in the network that the user's devices have been configured to trust.

Modern security appliances can decrypt HTTPS communications through what is known as deep packet inspection (also called HTTPS or TLS inspection). With the correct content inspection rules on your firewall, you can check all data your computer sends and receives. With deep packet inspection, the appliance terminates the HTTPS connection, temporarily decrypts the data, scans it for threats and then re-encrypts it on its way to the destination, so the traffic stays protected as originally intended. For this to work, the certificate the appliance signs with must be trusted by the devices behind it.
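Because the appliance re-signs each site's certificate with its own CA, the certificate a client sees tells you whether a given path is being inspected. The Python below is an added example, not code from the article or from any WatchGuard product: it takes certificates in the layout Python's `ssl.SSLSocket.getpeercert()` returns, classifies each as inspected (issuer is the appliance's CA) or direct (issuer is a public CA), and lists the hosts whose traffic bypassed inspection. The CA organisation name, the `.test` hosts and both sample certificates are constructed; `fetch_peer_cert` is a live helper for checking a real host and is not exercised by the embedded samples.

```python
import socket
import ssl

# Hypothetical organisation name your inspection appliance puts in the issuer
# field of the certificates it signs; read the real value from the appliance's CA.
INSPECTION_CA_ORG = "Example Corp HTTPS Inspection CA"

# Constructed certificates in the layout ssl.SSLSocket.getpeercert() returns:
# a tuple of RDNs, each a tuple of (attribute, value) pairs. Not real certificates.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
INSPECTED_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", INSPECTION_CA_ORG),),
               (("commonName", "Example Corp HTTPS Inspection CA"),)),
}


def name_attribute(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_certificate(cert, inspection_ca_org=INSPECTION_CA_ORG):
    """'inspected' when the certificate the client sees was re-signed by the
    appliance's CA (the appliance terminated the TLS session, so it can decrypt,
    scan and re-encrypt the traffic); 'direct' when a public CA issued it,
    which means this path is not being inspected."""
    issuer_org = name_attribute(cert.get("issuer", ()), "organizationName")
    return "inspected" if issuer_org == inspection_ca_org else "direct"


def uninspected_paths(certs_by_host, inspection_ca_org=INSPECTION_CA_ORG):
    """Given {host: peer certificate}, list the hosts whose traffic bypassed
    inspection, i.e. the gaps in the goal of checking all data."""
    return sorted(h for h, c in certs_by_host.items()
                  if classify_certificate(c, inspection_ca_org) == "direct")


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (needs network): return the certificate this machine sees for
    host. With inspection active, verification only succeeds if the appliance's
    CA is installed in this machine's trust store, which is exactly the
    prerequisite for deep packet inspection of HTTPS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    sample = {"www.example.test": INSPECTED_CERT, "bank.example.test": DIRECT_CERT}
    for host, cert in sample.items():
        print(f"{host:20} {classify_certificate(cert)}")
    print("not inspected:", uninspected_paths(sample))
```

On a managed endpoint you would feed `fetch_peer_cert` the hosts you expect to be covered and compare the result with the firewall's inspection policy; any host that comes back as direct is a path where encrypted advertising code would reach the browser unscanned.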

HTTPS communications are resource intensive. Encrypting and decrypting traffic takes more processing power and time, and uses more bandwidth on networks. Security costs will rise as cyber-criminals realise the value of hiding inside encrypted traffic.

As the internet adopts HTTPS as the standard for web communication, this kind of attack is likely to become more common. Having effective security settings for personal computers and work networks is vital to protect the information and financial details that any business has an interest in keeping secret.
