Malware masquerading as advertising is becoming increasingly common. Shockingly, malvertisements increased 80% during the first half of 2015 (450,000), compared to the entirety of 2014 (250,000), according to RiskIQ figures released at Black Hat USA 2015.
What makes malvertising dangerous to users and an attractive channel for fraudsters is that, unlike other types of exploits, it does not require any user action, such as a click, to compromise the system. Nor does it exploit any vulnerability in the website or server that hosts it; it often operates silently on trusted websites, such as mainstream publications, reaching them via third-party channels. Users can be infected via “drive-by download” simply by visiting a site.
In this way, malvertising can expose millions of users to malware and, because it is difficult to spot, even cautious users can fall victim to this type of scam.
Similar to the way that online marketers aim for a specific target market, malvertising presents a great opportunity for fraudsters to profile and select their targeted audience.
Although no click or other action from the user is required for exposure, a malvertising attack still needs to exploit some other vulnerability to make the ‘leap’ onto a user’s computer; for instance, it may exploit an existing vulnerability in the user’s software, such as Java or Adobe Flash.
Just last week, Yahoo became one of the latest victims of a malvertising attack, when a malware company bought ad space to deliver ads that installed malware on users’ computers. The campaign then took advantage of a vulnerability in Adobe Flash to install the malware.
The very fact that cyber criminals are willing to invest money into purchasing advertising spots means that the return on investment must be lucrative.
Cyber Essentials scheme
Having adequate malware protection is one of the five controls singled out by the Cyber Essentials scheme as ‘essential’ for basic cyber security hygiene. Patching outdated software is another one of the five controls.
Around 80% of cyber attacks could be prevented if businesses put simple cyber security controls in place, according to the UK Government. The Cyber Essentials scheme sets a minimum standard for these controls, aiming to effectively reduce an organisation’s risk of a cyber attack by 80%.