Think Twice Before Clicking on an Ad. It Might be Malicious.

Jeff Hershberger
May 18, 2022

Thanks to the creative minds behind digital advertising, we can now easily discover new products and services through the ads we see while surfing the web or browsing social media. But are you sure that captivating ad you’re about to click was placed there by the company whose product or service is featured, and not by people with malicious intentions?

That possibility is not as far-fetched as you might think. As early as 2012, roughly 10 billion ad impressions had already been hijacked by cybercriminals for malvertising. In 2017, Google blocked 79 million ads on its network that tried to send people to malicious sites, and removed another 48 million ads that tricked people into downloading malware. More recently, the Rhadamanthys info-stealer, spread through malicious Google Ads, has been marketed to criminals as malware-as-a-service (MaaS).

Malicious ads aren’t found only on regular websites. They’re on social media sites as well: roughly 40% of malware infections that originate from social media sites come from malicious ads.

Yes, that ad you’re about to click might actually be malicious.

In this post, we’re going to peer into the shadows of adware and malvertising—two attack vectors that are taking advantage of ads in the initial stages of a cyber attack. We’ll also give you an overview of how these vectors work and, more importantly, offer some tips on how to defend your network and users from them.

Let’s start by talking about adware.

Unraveling the dark secrets of adware

Adware is software that, once installed on a system, automatically connects to a broad list of ad-content sources and displays what it fetches on your screen, usually as pop-ups. If you recall the 90’s (yeah, yeah, we’re that old), AOL and other ISPs would mail you a CD-ROM containing a customized browser. There was always a chance those disks carried adware, which is why ads would start popping up on your screen.

These days, cybercriminals bundle adware kits into browser extensions (you know, the ones you add to enhance your browsing experience). The moment you install an extension, you could also be installing an adware module. Not every extension carries one, of course, but it pays to look at what an extension asks permission to do before you add it.
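To make that last point concrete, here is a small audit script that reads an extension's manifest and flags the capabilities an ad-injection module needs: the right to run on every site, broad page or network APIs, and (in Manifest V2) a content security policy that lets the extension pull scripts from a remote host. It's an added example, not code from the original post; the two manifests it checks are constructed, and the permission lists are our own triage heuristics, not a Chrome or Mozilla policy.

```python
"""Triage of a browser extension's manifest for adware-style capabilities.

Added example, not code from the original post. The two manifests below are
constructed, not real extensions, and the permission sets are triage
heuristics, not a browser vendor's policy.
"""
import json

# Permissions that let an extension observe or rewrite every page or request.
BROAD_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "scripting", "cookies", "history", "webNavigation",
}
# Host patterns that mean "every site".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest (MV2 or MV3)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    host_perms = set(manifest.get("host_permissions", []))
    host_perms |= {p for p in perms if "://" in p or p == "<all_urls>"}

    if host_perms & ALL_SITES:
        findings.append("host access to every site")
    risky = sorted(perms & BROAD_PERMISSIONS)
    if risky:
        findings.append("broad API permissions: " + ", ".join(risky))
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            findings.append("content script injected into every page: "
                            + ", ".join(script.get("js", [])))

    # MV2 CSP is a string; MV3 uses a dict and forbids remote script-src anyway.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.startswith("script-src") and "http" in directive:
            findings.append("CSP allows remote script-src: " + directive)
    return findings


def looks_like_ad_injector(manifest: dict) -> bool:
    """True when the extension runs everywhere AND can fetch remote code or reshape traffic."""
    findings = audit_manifest(manifest)
    everywhere = any(f.startswith(("host access", "content script")) for f in findings)
    capable = any(f.startswith(("broad API", "CSP allows")) for f in findings)
    return everywhere and capable


# Constructed manifests: a benign colour picker and a "coupon finder" that
# behaves like the adware modules described above.
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Page Colour Picker", "version": "1.0",
  "permissions": ["activeTab", "storage"]
}""")

SUSPICIOUS = json.loads("""{
  "manifest_version": 2, "name": "Coupon Finder", "version": "4.2",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "content_security_policy": "script-src 'self' https://cdn.coupon-finder.example; object-src 'self'"
}""")

if __name__ == "__main__":
    for m in (BENIGN, SUSPICIOUS):
        print(m["name"], "->", audit_manifest(m) or ["no findings"],
              "| ad-injector:", looks_like_ad_injector(m))
```

Point it at the `manifest.json` of any unpacked extension (Chrome keeps them under the profile's `Extensions` directory) to get the same findings; an extension that needs to run on every page and can also load remote code is exactly the shape an adware module takes, whatever its store listing says.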

Ads can certainly be a nuisance, but adware has a more sinister side. Cybercriminals use it to deliver fake ads that lead to malicious sites, and they have learned to make those ads look real and enticing enough that it’s easy to mistake them for legitimate ones. Click one and you’re redirected to a site hosting malware, which can then infect the device. In essence, fake ads are a vector into an unwitting user’s system.

One of the main characteristics of adware is that it monitors your surfing habits, so that cybercriminals can feed you ads that fit your interests and increase the chances of a click. Unfortunately for them, it was this monitoring, which behaves so much like spyware, that led to adware’s downfall.

As soon as the spyware-like behaviour of adware set off alarm bells in the security community, anti-malware vendors began shipping adware and pop-up blockers and treating adware like any other virus. Its effectiveness ran out pretty quickly after that.

Today, pop-up and ad blocking are built into most browsers as privacy features. And because adware and its ads are such a nuisance, IT admins and even end users readily install anti-malware on their endpoints to keep those ads from popping up. Adware still exists, but it is no longer as prevalent as it used to be.

That hasn’t stopped cybercriminals from abusing ads though. In fact, the ad-based attack vector most of them are using now has a far greater reach and is more stealthy than adware. Let’s talk about it.

Malvertising – adware with no installation required

Malvertising is similar to adware in that it also uses ads as an attack vector, but the similarities end there. Malvertising doesn’t require any software on the victim’s system to display ads. Instead, cybercriminals buy legitimate ad space through the same supply-side platforms (SSPs) and ad exchanges that honest advertisers use, and the ad networks’ content delivery networks (CDNs) serve the creatives for them. That gets the fake ads in front of as many people as possible.

With malvertising, cybercriminals don’t have to break into a site to post fake ads. They simply buy ad space like any legitimate advertiser, copy the ads of reputable brands, and run those ads with click-through links to malicious sites. Because few security solutions are built to catch this, these covert operations can go undetected for a long time.

Fake ads look nearly identical to the real, legitimate ads of a given business. Experts report that in 2021, 1 out of every 125 ad impressions was dangerous or disruptive to users. The same report found that the worst-performing SSP had a violation rate 132 times that of the best-performing one. Violation rate is the number of normalized impressions (how often an ad is shown) exhibiting a particular issue, such as carrying a security threat, divided by the total number of impressions monitored.

Those same experts exposed a malvertising campaign tracked as “Tag Barnakle”, which compromised 120 ad servers and injected code that redirects users to rogue websites, exposing victims to scamware or malware. So although malvertising needs no software installation to display malicious ads, the ads it displays can still lead to malware being installed.
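The simplest tell of a hijacked creative is that its click-through doesn't end on the brand's own domain. The script below, an added example rather than code from this post or from Confiant, extracts the click URL from an ad's markup, unwraps the tracker's nested redirect parameter, follows a redirect table (a stand-in for the 302 responses you would observe by following the link in a sandbox) and compares the landing domain with the brand's. The creatives, the redirect table, the tracker hostnames and the brand list are all constructed.

```python
"""Does an ad creative's click-through actually land on the advertised brand?

Added example; not code from the original post, Confiant or Intrusion. The
creative markup, the redirect table (standing in for HTTP 302s collected by
following the link in a sandbox) and the brand domain list are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query parameters that ad trackers commonly use to carry the next hop.
REDIRECT_PARAMS = ("r", "u", "url", "redirect", "dest", "target", "clickurl")


class _LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in the creative."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def click_urls(creative_html: str) -> list[str]:
    extractor = _LinkExtractor()
    extractor.feed(creative_html)
    return extractor.hrefs


def registrable_domain(url: str) -> str:
    """Last two labels of the host. Fine for .com-style TLDs; real code
    should use the Public Suffix List to handle e.g. .co.uk."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def resolve_chain(url: str, redirects: dict[str, str], max_hops: int = 10) -> list[str]:
    """Follow nested-URL parameters and the redirect table until it stops moving."""
    chain = [url]
    while len(chain) <= max_hops:
        query = parse_qs(urlsplit(chain[-1]).query)   # parse_qs percent-decodes values
        nested = next((query[k][0] for k in REDIRECT_PARAMS if k in query), None)
        nxt = nested or redirects.get(chain[-1])
        if not nxt or nxt in chain:                    # end of chain, or a loop
            break
        chain.append(nxt)
    return chain


def check_creative(creative_html: str, brand_domains: set[str],
                   redirects: dict[str, str]) -> list[str]:
    """One finding per click URL whose final landing page is not a brand domain."""
    findings = []
    for href in click_urls(creative_html):
        chain = resolve_chain(href, redirects)
        landing = registrable_domain(chain[-1])
        if landing not in brand_domains:
            findings.append(f"{len(chain)} hops end at {landing}, not "
                            f"{'/'.join(sorted(brand_domains))}: {chain[-1]}")
    return findings


# Constructed samples. Same tracker, same image; only the nested landing URL differs.
GENUINE = ('<a href="https://click.adtracker.example/c?cid=4472'
           '&amp;u=https%3A%2F%2Fwww.nike.com%2Fw%2Fsale">'
           '<img src="https://cdn.adtracker.example/4472.png" alt="Nike sale"></a>')
HIJACKED = ('<a href="https://click.adtracker.example/c?cid=4471'
            '&amp;u=https%3A%2F%2Fshoes-clearance.example%2Fnike">'
            '<img src="https://cdn.adtracker.example/4472.png" alt="Nike sale"></a>')
REDIRECTS = {   # stands in for the 302s seen when following the landing URL
    "https://shoes-clearance.example/nike":
        "https://dl.shoes-clearance.example/NikeSale_setup.exe",
}

if __name__ == "__main__":
    print(check_creative(GENUINE, {"nike.com"}, REDIRECTS))   # []
    print(check_creative(HIJACKED, {"nike.com"}, REDIRECTS))  # one finding
```

In a real pipeline the redirect table is replaced by actually fetching each hop (with a sandboxed client, since the final hop is often the malware download itself), and the brand list comes from whoever is supposed to be paying for the creative. The check is deliberately blind to how convincing the image is: a copied Nike banner is pixel-identical to a real one, but the landing domain is not.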

If you think about how much of the internet is given over to advertising, 1 in 125 quickly turns into billions of dangerous interactions. This vector isn’t going away anytime soon. One report estimates that piracy sites alone earn about $1.3 billion a year from advertising, and a large share of those ads involve malvertising.

We’ve already used the term ‘attack vector’ (or just ‘vector’) several times in this post, and called adware and malvertising attack vectors. Before we go on, let’s make sure the term is clear so you can follow the rest of the discussion.

What exactly is an ‘attack vector’?

An attack vector is a method or path attackers use to gain initial access to a network, or to a device or system on it. The key word is “initial”: a vector is employed in the earliest stages of an attack.

Cybercriminals have plenty of vectors in their arsenal: phishing emails, bribery, supply chain attacks, malicious scripts, cross-site scripting, impersonation and several others, including adware and malvertising. Each exists for one reason, to give the attacker a foothold in your system.

To have a deeper understanding of how adware and malvertising are used as attack vectors, let’s first discuss the early stages of an attack.

The early stages of a cyber attack

A cyber attack consists of multiple stages. Some people call this series of stages the cyber kill chain, others call it the cyber attack chain. Depending on who you ask, there can be some slight variations on what these stages consist of. However, the one thing we in the cybersecurity community agree on is that the first stage revolves around reconnaissance.

In cybersecurity, reconnaissance is the stage in which attackers gather as much information as they can about potential targets and their systems. The purpose of reconnaissance, or recon, is to discover:

  1. Potential victims
  2. Vulnerabilities to exploit
  3. Other pieces of intelligence that can help attackers formulate their attack strategy.

Cybercrime is a business. Cybercriminals want to make sure they don’t waste resources when carrying out an operation—in this case, a cyber attack. Everything has to be calculated to ensure success in the most cost-efficient way possible. Reconnaissance plays a big role in achieving that.

External reconnaissance (internet scanning, open-source intelligence) needs nothing on the victim’s machine. The host-level recon this post is concerned with does: cybercriminals first have to drop a tiny piece of malware or a malicious script, or start a malicious process, on the victim’s system. Once that rudimentary element is running, it calls back to their server to retrieve instructions or to download additional malicious files that carry out the rest of the attack.

But what has that got to do with malvertising?

How malvertising boosts a cybercriminal’s reconnaissance capabilities

Before a cybercrime outfit can launch an attack, they need to find potential victims first. This is where malvertising and adware come in. Adware and malvertising can provide cybercriminals with an automated and efficient way to recon vast areas of the internet with little effort.

Once a malvertising campaign is live, the cybercriminals simply wait for hundreds or thousands of machines to get infected, for example when a user clicks a malicious ad and lands on a site hosting malware or malicious scripts.

As explained earlier, as soon as that malware or script runs on a victim machine, it calls back for further instructions or additional files. It’s these files, the initial download or the ones fetched after it, that conduct recon on the host and its network and send what they find to the attackers’ command-and-control (C&C) servers.

Aside from getting internet-wide coverage, another major advantage cybercriminals gain from malvertising is the ability to conduct recon on a specific market segment. This has huge implications from a targeting standpoint.

Let’s say, for example, a malvertising campaign hijacks Nike or Nintendo ads, two of the most searched consumer brands on the internet. By targeting those brands’ ads, cybercriminals ensure their malicious ads are shown to a vast, engaged audience. Even if only a fraction of it can be diverted to the rogue site, that’s potentially thousands of unsuspecting users’ systems.

What’s more, if those users are at work, and many of them likely are, the crooks hit the jackpot: a single infected machine is now a corporate system on a corporate network.

Remember, too, that because the fake ads sit in legitimately rented ad space, they can stay undetected for quite some time. Traditional reconnaissance, where cybercriminals scan the internet for potential victims, carries a greater risk of failure because large-scale port or protocol scanning is easily spotted by security vendors and defenders.

Now that you’re aware of the dangers of malvertising, you’re probably wondering what you can do to prevent your users from getting victimized by these types of attacks. Here are some of the things you can do.

How to fight adware and malvertising at the device and network level

Countering this threat at the user and endpoint level is relatively easy, in theory at least. Keep your users’ browsers and anti-malware current with the latest patches and security updates, and leave the browser’s built-in pop-up and ad blocking turned on. Many organizations, and especially their end users, take patching for granted, so educate your users on why those updates matter.

It’s at the network level where things get harder. Remember, the initial vector is often beyond your control. If a user browses a site that displays a fake ad delivered through malvertising over an HTTPS connection, most security solutions won’t see what’s happening inside that session, because the connection is encrypted. Terminating TLS at an inspecting proxy is possible, but it is costly to operate and doesn’t cover every client.

An endpoint solution might catch a malicious file or script as soon as it lands on disk, but many modern threats are fileless and run purely in memory, which file scanning alone won’t detect. That’s why it’s important to monitor every connection, over every port, going into and out of your network: whatever runs on the endpoint still has to talk to its C&C server.

Although the ads themselves may be displayed by reputable ad networks on reputable sites, the images and click-through URLs behind them are rarely hosted on reputable IPs or domains.

Usually they sit on address space with a bad history: by Intrusion’s count, about 3.5 billion of the roughly 8.5 billion IP addresses it tracks rank as low or poor reputation based on a variety of factors. Intrusion Shield is powered by the Intrusion Global Threat Engine, which holds over 3 trillion IPs, domains and hostnames along with their history, associations, reputation and relevant threat intelligence.

If an adware or malvertising ad’s image or URL is associated with a malicious server or network, Shield will know and will automatically block packets from there. In effect, any content coming from a source identified as malicious is blocked, so the malware or malicious script behind those ads never reaches your users’ endpoints.
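Here is what that kind of connection monitoring looks like in practice, on the two signals described above: a destination with a bad reputation, and a host that calls back on a fixed schedule (the C&C check-in, which is the one thing a fileless implant cannot avoid). This is an added example, not Intrusion Shield's logic; the log format, the reputation table, the thresholds and the log lines are all constructed.

```python
"""Two checks over outbound connection logs: known-bad destinations and
periodic call-backs (beaconing).

Added example, not Intrusion Shield's logic. The log format, the reputation
table, the thresholds and the sample lines are constructed; in practice the
reputation table comes from a threat-intel feed and the lines from your
firewall or proxy.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed reputation scores, 0 (worst) to 100 (best).
REPUTATION = {"203.0.113.45": 5, "198.51.100.7": 12, "192.0.2.10": 95}
BAD_THRESHOLD = 20


def parse(lines):
    """Turn 'ts src= dst= dport=' lines into (ts, src, dst, dport) tuples; skip junk."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def low_reputation_hits(events, reputation=REPUTATION, threshold=BAD_THRESHOLD):
    """(src, dst) pairs whose destination is known-bad, whatever the port.
    Unknown destinations score 100 here: reputation says nothing about them."""
    return sorted({(src, dst) for _, src, dst, _ in events
                   if reputation.get(dst, 100) < threshold})


def beacons(events, min_count=4, max_cv=0.2):
    """(src, dst, period_seconds) for pairs that call back at a near-constant interval.
    Reputation is deliberately ignored: periodicity is the signal when the
    C&C server is too new to have a score."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: small means the gaps are almost all the same.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg)))
    return sorted(found)


# Constructed log: 10.1.4.22 beacons to a known-bad host every ~60 s and browses a
# good one irregularly; 10.1.4.31 beacons every 300 s to a host nobody has scored
# yet and makes one connection to a second known-bad host on port 8080.
SAMPLE_LOG = """\
2022-05-18T10:00:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=612
2022-05-18T10:00:10Z src=10.1.4.31 dst=198.51.100.99 dport=443 bytes=301
2022-05-18T10:00:30Z src=10.1.4.22 dst=192.0.2.10 dport=443 bytes=48210
2022-05-18T10:01:01Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=598
2022-05-18T10:02:00Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=604
2022-05-18T10:02:33Z src=10.1.4.31 dst=198.51.100.7 dport=8080 bytes=1902
2022-05-18T10:03:02Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=611
2022-05-18T10:04:01Z src=10.1.4.22 dst=203.0.113.45 dport=443 bytes=599
2022-05-18T10:05:10Z src=10.1.4.31 dst=198.51.100.99 dport=443 bytes=298
2022-05-18T10:07:45Z src=10.1.4.22 dst=192.0.2.10 dport=443 bytes=9120
2022-05-18T10:09:02Z src=10.1.4.22 dst=192.0.2.10 dport=443 bytes=77310
2022-05-18T10:10:10Z src=10.1.4.31 dst=198.51.100.99 dport=443 bytes=302
garbage line that does not parse
2022-05-18T10:15:10Z src=10.1.4.31 dst=198.51.100.99 dport=443 bytes=299
""".splitlines()

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("known-bad destinations:", low_reputation_hits(ev))
    print("beacons:", beacons(ev))
```

The two checks are complementary. Reputation catches the single connection on port 8080 that nothing else would flag, and it does so on the first packet; beaconing catches the 300-second check-in to a host that has no reputation yet, which is exactly the case a freshly registered C&C domain presents. Tune `min_count` and `max_cv` against your own baseline, since some legitimate software (update checkers, monitoring agents) also phones home on a schedule.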

Final words

Cybercriminals are having a field day with the global reach and inconspicuous nature of malvertising. They’re victimizing far more unsuspecting users than you might imagine, and doing it right under the noses of your security solutions. To catch these covert internet-based threats, you need a solution that identifies malicious packets by their source.

Intrusion Shield identifies internet-based threats such as malicious ads by inspecting the packets associated with them and checking whether they originate from known malicious entities. If they do, they’re blocked. You’ll be amazed at how effective this approach can be.
