When advertising becomes dangerous

May 2016 Editor's Choice, Information Security

Over the last several months, the BBC, the New York Times, and other major news and commercial websites became victims of malvertising attacks. What exactly is malvertising? To understand this type of attack, we must go back to the malware basics.

Doros Hadjizenonos, country manager of Check Point South Africa.
Doros Hadjizenonos, country manager of Check Point South Africa.

One of the most prominent ways malware spreads is by infecting websites and delivering drive-by attacks. When a user visits an infected site an exploit kit is activated. Once activated, the kit checks to see if the machine is vulnerable to one or more of the exploits it contains. If so, it leverages the vulnerability to install malicious software on the user’s device. Since this is a common threat, most websites harden their systems to protect themselves and their visitors from infection.

However, hackers can avoid the need to infect a well-guarded website by infecting the servers that supply advertisements to them instead. This form of attack is called malvertising and is extremely effective for attackers who wish to reach a broad audience with their malware. The more popular the website, the larger the impact will be.

A growing trend

Malvertising is not a new form of an attack, but it has become headline news after several recent occurrences. At the beginning of March, a large malvertising campaign targeting Baidu’s advertising platform was revealed. Despite having started in October 2015, this campaign’s evasive and elaborate nature enabled it to remain undercover and impact countless users in China for over four months. Two weeks later, several major news sites, including the BBC and New York Times, were hit with a malvertising campaign. Visitors to these sites were targeted by a ransomware variant, similar to the infamous Cryptolocker attack, served by the Angler exploit kit.

The attackers did not stop after the campaign was finally exposed. They simply changed tactics to target videos as their malvertising platform, instead of infecting users as they previously had through web banners. The campaign continued successfully targeting the Fox News website, among others.

Another recent malvertising campaign targeted Australian users with an even more complex attack flow. First, they infiltrated a law firm’s website. Then they created fake advertisements containing the firm’s logo and published them on the Gumtree website, a subsidiary of eBay, which receives 48 million visitors a month. The attackers were able to stay hidden by altering the supplied ads, switching between benign and malicious ones, making it harder for security vendors to identify them.

Why malvertising?

It is interesting to notice that hackers often attack suppliers who work with the main websites, rather than attacking the sites themselves. Oftentimes, leveraging an attack through a supplier proves an easier path to success than a direct attack on the intended victim. We have seen this pattern with several malvertising attacks. The same approach was used in the infamous Target hack, in which the attackers infiltrated Target’s network by compromising the network of Target’s sup-pliers first.

For this reason, we believe that the malvertising trend will continue to impact major sites and users worldwide. In order to mitigate it, Ad servers must enhance their security measures and ensure the content they supply is legitimate.

How can you protect your organisation?

What we have learned from recent malvertising attacks is that education and awareness about these threats are not enough to stay protected. Even the standard security measures that already exist in most organisations are only capable of preventing known threats and are not capable of countering the advanced, continuously evolving tactics of today’s cybercriminals.

Organisations that wish to stay fully protected must elevate their threat prevention strategies and protect themselves, not only from known threats, but also against unknown malware and zero-day threats, like malvertising. To address this challenge, Check Point offers SandBlast Zero-Day Protection; the most advanced solution to protect against these new and unknown malware and advanced threats.

For more information contact Check Point South Africa, +27 (0)11 319 7267, doros@checkpoint.com, www.checkpoint.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

The human factor side of video management systems
Leaderware Editor's Choice Surveillance Risk Management & Resilience
A video management system (VMS) is central to, and the most vital element to any control room operation using CCTV as part of its service delivery, however, all too often, it is seen as a technical solution rather than an operational solution.

Read more...
Get the basics right to win more business
ServCraft Editor's Choice Risk Management & Resilience
The barriers to entry in security are not high. More people are adding CCTV and fencing to their repertoire every year. Cowboys will not last long in a space where customers trust you with their safety.

Read more...
All aspects of data protection
Technews Publishing Editor's Choice Information Security Infrastructure AI & Data Analytics
SMART Security Solutions spoke to Kate Mollett, Senior Director, Commvault Africa, about the company and its evolution from a backup specialist to a full data protection specialist, as well as the latest announcements from the company.

Read more...
Projections for 2024’s Advanced Threats Landscape
News & Events Information Security
Kaspersky Global Research and Analysis Team (GReAT) experts offer insights and projections for 2024 in the Kaspersky Security Bulletin, with a focus on the evolution of Advanced Persistent Threats (APT).

Read more...
Global strength, local craft
Impro Technologies Editor's Choice
Impro Technologies is a resounding success story. Started in South Africa, the company remains true to its roots and still designs and manufactures its access control systems and solutions in the country.

Read more...
Trellix detects collaboration by cybercriminals and nation states
News & Events Information Security
Trellix has released The CyberThreat Report: November 2023 from its Advanced Research Centre, highlighting new programming languages in malware development, adoption of malicious GenAI, and acceleration of geopolitical threat activity.

Read more...
SA enterprises can benefit from AI-driven cybersecurity
AI & Data Analytics Information Security
Cybercrime is big business, and threat actors deploy cutting-edge tools to carry out attacks. Fortunately, cybersecurity is constantly evolving to meet and counter the threats they face.

Read more...
South Africans play a role in becoming scam victims
Editor's Choice Risk Management & Resilience
The South African fraud landscape is becoming increasingly risky as fraudsters and scammers look to target individuals with highly sophisticated scams, in an environment where it is becoming increasingly difficult for lawmakers and authorities to bring these criminals to justice.

Read more...
Africa Online Safety Fund announces grant winners
News & Events Information Security
The Africa Online Safety Fund (AOSF) has announced the winners of this year’s grants; among them are five organisations operating in South Africa to educate people about online risks.

Read more...
Service orientation and attention to detail
Technews Publishing Editor's Choice Risk Management & Resilience
Lianne Mc Hendry evolved from working for an accounting firm to an accomplished all-rounder familiar with the manufacturing, distribution, and system integration aspects of the security industry value chain.

Read more...