Move Over Ransomware, Malvertising Is Back


At the beginning of the year, EDGE360 editors interviewed me asking for my security predictions and trends to watch for in the coming year. My first prediction was that ransomware will continue to evolve in frequency and complexity and we have not been disappointed. You could not have avoided hearing about the WannaCry attacks and the more recent Petya and NotPetya campaigns. But, as predicted, other attack vectors have re-emerged and opened up, including Malvertising, for larger gains.

In fact, ransomware attacks haven’t been nearly as profitable for the attacker as one would think. Moving from encrypting drives to simply encrypting the master boot record is much more efficient but our intel shows that only $10,000 has been pushed to BitCoin laundering services from the authors. For the amount of work involved in these campaigns, the authors have to be disappointed in their gains. Maybe not. The patterns of the attackers indicate motivators beyond monetary gain. Attacking specific software deployments in specific regions could be the signs of a larger ideology. Some of the variants are not even unencryptable, they just want to be destructive. However, they have recently offered the decryption keys for $250,000, which may indicate their frustration and last desperate effort for a big payout. Currently there have been no takers reported… so, is it time to move on?  Maybe.

Other attack vectors have been developed as the next step in the evolution of the threat metrics. But what we did not see coming is that threat being a throwback to an existing method. Malvertising or Malicious Advertising is the practice of spreading malware through on-line advertising. The attack injects infected advertising into otherwise legitimate online advertising networks and websites. Unsuspecting users click the ads or other ‘click bait’ and as the page is built and is connecting dozens of other ‘trusted’ sites to assemble the content requested. Throughout all those communication channels and servers there is an entire world of targets to inject a man-in-the-middle attack. Most visitors would not knowingly visit all of these sites, but the connections and content are pulled together for them, without anyone suspecting.

Malvertising has been affecting some of the most trusted household name for several years so   there is nothing new about the concept. The Angler, ShadowGate and Adsense campaigns had their day as a few of the most popular campaigns. The former even led to several arrests and an interesting dark period immediately thereafter.

So why bring it up now?  Below are a few reasons to pay attention to these threats:

Increasingly Sophisticated Methods: The methods recently published by ProofPoint for the “AdGholas” campaign are highly sophisticated. This campaign has been the first to discover the use of Steganograpy in a drive by malware campaign. Code is being imbedded in the pictures of the sites allowing them to sneak in under the radar.

Sophisticated Filtering: Its sophisticated multi-step filtering includes target awareness such as the type of machine to go to work on where the payload will be the most successful, and geography-focused filtering. Banking trojans have been reported to explicitly target regions where they will be the most effective.

Human Detection is Difficult: The redirected sites are very closely mimicking their legitimate counterparts, making human detection very difficult.

Monetary Payoff for the Attackers: There is a massive scale. Reports of 1-5 million quality client hits per day from as many as 20 unique advertising agency or exchange platforms.

The scale of the operation clearly allows that the quantity of quality hits is highly valuable. The authors of these campaigns are putting up money to buy ad space on legitimate sites. They must be making good money to incur the expense up front.  Additionally, the sheer size of the compromises would suggest the services can be sold affordably, due to the economy of scale.

There are as many products that can be monetized from this level of infection as with any other malware campaign.  Services such as launching ransomware, stealing login details, pay per click fraud, and banking malware seem to be the most popular for Malvertising.

Bottom line: It is very easy to maintain and very lucrative.  As such, the variants aren’t expected to slow down anytime soon.

Getting your organization protected from malvertising distributed infections is a complicated, but very achievable task. Here are a few steps to consider:

  1. Accessing Threat Intel: The first step is making sure all of the security technologies are well integrated. For example, the endpoint protection should include antivirus, malware protection, traffic monitoring. etc., and should be in concert with the edge devices and working from the same set of intelligence. As such, these devices need to be receiving the highest level of threat intelligence possible. That intelligence must be actionable by your organization and relevant to environment.
  2. Understanding the Attack Surface: Technology is not the only attack surface. Nearly all of the breaches we deal with have a ground zero of the human factor.
  3. Executing on Policies and Training: Well-written and executed policies and resources to keep systems properly patched and systems up-to-date is critical. Awareness training for users are proven to compliment the technology, making it more effective.
  4. Browser Isolation: Also known as “remote browsing” technology, this technique is gaining traction. Several security firms are offering a proxy of sorts to execute all browsing activity in a remote virtual machine that tears down after each session. All browser activity including scripts etc., is containerized where it renders the content and gives the screen to the browser at the endpoint transparent to the user.



  • Bryant G. Tow

    Bryant G. Tow is a Managing Partner at CyberRisk Solutions, LLC. For over 25 years Bryant has held responsibilities as an entrepreneur and senior executive in all aspects of risk management including thought leadership in the area of cyber security, award winning development of security solutions, managing large global cyber and physical security teams. He has held several leadership positions in the security industry including the Department of Homeland Security Sector Coordinating Council, ISSA, ISACA and InfraGard National Members Alliance board member and vice president. He is recognized as a Distinguished Fellow by the Ponemon Institute, the industry’s leading research organization. Bryant has published several books and articles on cyber security topics and has received several awards including "Governor's Office of Homeland Security Award for Exceptional Contribution in Recognition of Outstanding Support of Tennessee's Counter Terrorism Program.

More Like This