You think you are just visiting the CNN website to read the latest news, but unbeknownst to you, a hacker has loaded a malicious frame or ad using Flash/JavaScript, “Buy discount shoes here!” and Voila! Your computer could be infected simply because that ad for shoes has secret; malicious software which installs in the background while the ad loads up as part of the webpage.
This type of malvertising attack is known as a “Drive-by Download”. The term “Drive-by” relates to the fact that users are not consciously installing or clicking anything; they are just browsing a website. This is quite a sinister method for distributing malicious software.
Tech Tip: A drive-by install (or installation) is a similar attack. It refers to installation rather than download (although the two terms are used interchangeably).
Wikepedia defines drive-by download as two things, each related to the unintended download of computer software from the Internet:
- Downloads which a person authorized, but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).
- Any download that happens without a person’s knowledge, often a computer virus, spyware, malware, or crimeware.
Hackers use various techniques to conceal their malicious code, so that antivirus software is unable to identify it. The code is executed in hidden iframes, and can go undetected.
Hidden iFrames
iFrames and Script Tags are used by hackers to carry out silent and invisible drive-by internet attacks.
iFrames allow web developers to embed the content of one web page into another, seamlessly. There are legitimate reasons why some websites may want to use this feature – for example: Gmail, Facebook and eBay all use iframes to deliver content to their users – but cyber-criminals exploit the functionality by gaining ‘write access’ to the website for the purpose of delivering malware, such as fake anti-virus software, to infect your computer.
What is sneaky is that hackers can make the embedded content invisible to the naked eye by setting the size of the window to measure zero by zero pixels. You can’t physically see the frame, but your web browser knows it’s there and loads its content.
You are more at risk of a malvertising attack if you visit illegal sites, like Bit Torrent or pirate software websites, however, any website (particularly a site that incorporates advertising) could be used to spread malware.
Popular sites are regularly targeted
Back in 2009, some visitors to the New York Times website were presented with a pop-up posing as an anti-virus scanner. The Daily Mail attack was only one of many recent examples to hit mainstream sites.
More recently, popular porn sites YouPorn and Pornhub served up malicious ads in September 2015, and a month earlier, the Huffington Post, a site with 100 million unique monthly visitors, was distributing malware again (after a previous attack in December 2014). Yahoo! was also hit by malvertising campaigns last year, along with Forbes.
Researchers at malware-security company Cyphort reported a 325 percent increase in malvertising attacks between June 2014 and February 2015.
How malicious advertising works
While each malvertising attack is different, they all follow a standard online advertising process:
- A hacker signs up to an ad network, which is a company who act as a middleman between the website wanting to sell ad space, and the party with the advertisement.
- A legitimate advertiser would upload their content to the ad network’s central server, which then sends the ad’s code to the website when required. The hacker takes advantage of this exchange, impersonating a trustworthy business to upload their own ad – often a Flash-based piece of content, or one that contains malicious Javascript.
- When you visit the site, the type of advertisements you are shown is determined when you arrive. This is done using a process called Real Time Bidding (RTB), where advertisers pay for a certain number of ad impressions beforehand and choose a specific user demographic. Then, when users visit the site, whoever has the biggest bid for that particular demographic wins, and has their ad published on the site.
- If malvertising is involved, as the page loads, the ad appears and its code then redirects you to a webpage hosting an exploit kit (such as the popular Angler exploit kit), without you even clicking on the ad. This will probably happen in the background, through an iFrame without any interaction from you.
Tech Tip: The landing page’s role is to look for vulnerabilities within your computer by checking what browser you are using, and then looking for Flash or another piece of vulnerable software, like Java. Flash is a huge culprit when it comes to vulnerabilities – it has lots of security flaws, because it has so many features and can be used for so many things. Even if you update Flash regularly, unseen exploits can still be used.
- Finally, the page will push the exploit, and download whichever malware the attacker is using. Malvertising sometimes delivers ransomware, which cleverly locks a computer’s files until the victim pays a fine, or it may take the form of Banking Trojans, used to steal financial information.
Cyber-criminals trying to spread malware place “clean” advertisements on trustworthy sites first in order to gain a good reputation. After a while, they insert a virus or spyware in the code behind the ad. Once a mass infection has taken place, they remove the virus, therefore only infecting visitors to the site during the time period that the malicious code was active. The identities of those responsible are often hard to trace, making it difficult to avoid the attacks or bring them to a standstill, because the ad network infrastructure is very complex with many linked connections between ads and click-through destinations.
It is important to note that not everyone visiting an affected site will definitely get hacked. Some ads will only load for people in particular countries or demographics, because of targeted RTB. Plus, if you have taken sufficient security measures, your computer might not be vulnerable to that particular attack anyway.
In a few weeks, we will give you some tips as to how you can protect yourself from malvertising.