Understanding and avoiding malvertizing attacks
Malvertizing attacks are becoming increasingly sophisticated, and we need to arm ourselves with knowledge to not fall victim.
Online advertisements can be an annoying interruption to our normal browsing habits. However, they are often necessary because they serve as the primary funding source for the otherwise free websites we use daily. Ever wonder how those ads end up on your screen? Well, there’s a fascinating supply chain behind the ads, and it’s interesting to pick apart.
Typically, a website that serves ads does not hand-pick the specific advertisements displayed on its platform. Instead, it chooses ad categories to block, allocates ad space, and then displays whichever ads its advertising vendor provides. Advertisement vendors are responsible for sourcing advertisers and websites to display their advertisements. But what if those advertisers aren't legitimate? What if they're threat actors or scammers looking to lure potential victims with seemingly legitimate software or help fixing your computer? This malicious use of ads is referred to as malvertizing.
Malvertizing uses many of the same tactics as social engineering, relying heavily on persuasive language and attention-grabbing images to drive a sense of urgency or fear. This encourages victims to act quickly without inspecting the legitimacy of the website linked in the ad. Malvertizing attacks are becoming increasingly sophisticated, with cybercriminals leveraging trusted platforms like Facebook and other social media networks to distribute malicious content. By exploiting the trust and reach of these platforms, attackers can reach a wider audience and potentially compromise more victims. This also makes it more challenging for users to distinguish between legitimate and malicious ads.
Adding to the complexity, threat actors employ techniques to mask their identities and evade detection. This can include social engineering tactics such as phishing, token theft, or infostealers to gain access to legitimate ad accounts. By hijacking trusted accounts, attackers can bypass security measures designed to prevent malicious organizations from buying ad space.
Three common types of malvertizing attacks that users should be aware of are:
Scam Malvertizing: Attackers will display ads with language similar to “Your computer is infected, call us immediately to remediate!”. Once a victim calls, the scammers will typically convince their victim to install software to initiate a remote control session of the victim’s computer. They’ll then overwhelm the victim with misinformation, hoping to confuse them into believing that the situation is too complex to understand, and then ask them to pay money to remediate the non-existent security concern.
Fake Installer Malvertizing: A common technique that delivers malware directly to the victim, posing a more significant threat. Attackers disguise themselves as legitimate software vendors to deliver a modified version of the software that typically includes an infostealer or initial access mechanism. These attacks aim to catch the victim while they are in a hurry to install the software. Often, we see QuickBooks used as a lure, with attackers sponsoring malicious ads designed to be displayed next to legitimate QuickBooks links. The malicious ads then lead to a cloned QuickBooks website that serves users a compromised installer. Similarly, fake browser extensions imitate legitimate ones, tricking users into installing them. Once installed, they can capture sensitive data, including browsing history, passwords, and credit card information, putting both individuals and businesses at significant risk.
Drive-by-download Malvertizing: These malicious ads require no engagement from the viewer; simply loading them in your browser is enough to install a new web extension or download malware. This tactic heavily relies on the victim not keeping their browser up to date and utilizes previously known and patched vulnerabilities. There is a reason your browser is constantly asking you to update it; these updates keep the browser secure against newly discovered weaknesses. Keep your browser updated, and don’t make attackers’ jobs easier.
Avoiding attacks
To avoid falling prey to malvertizing attacks such as scam malvertizing, it's essential to think critically before engaging with any suspicious ads. If you receive an ad claiming you are a victim and need to call for support, stop and ask if the claim even makes sense at face value. How would this vendor be aware you had a virus on your computer? Does Microsoft really have a division of staff proactively buying ad space to inform its customers there may be a virus on their computer? While answering these questions generally requires at least some level of technical acumen, there are other telltale signs that an ad may be a scam. Many of these scams claim to be Microsoft technician support or their security team. Check to see where the ad is going to take you. If the domain is not www.microsoft.com, then you can almost guarantee it is going to be a scam, especially when coupled with a message claiming it is time-sensitive or extremely critical.
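The destination check described above can be automated. The following is an added example, not code from the article: it parses a link the way a browser does and reports which host it really leads to. It goes slightly beyond the article's rule by also accepting subdomains of the expected domain (an assumption), and the function name and all sample URLs are constructed for illustration.

```javascript
// Added example, not from the article. EXPECTED_HOST is the domain the article
// names; every sample URL below is constructed for illustration.
const EXPECTED_HOST = "www.microsoft.com";

function checkAdDestination(adUrl, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(adUrl); // WHATWG parser, the same host resolution a browser applies
  } catch {
    return { ok: false, host: null, reason: "unparseable URL" };
  }
  // hostname is already lowercased, with non-ASCII labels converted to punycode
  const host = url.hostname.replace(/\.$/, "");
  const brand = expectedHost.replace(/^www\./, "");
  if (url.protocol !== "https:") return { ok: false, host, reason: "not https" };
  if (url.username || url.password) {
    // In "https://www.microsoft.com@other.example/" the brand is only userinfo
    return { ok: false, host, reason: "userinfo before '@' hides the real host" };
  }
  // Assumption: the vendor controls every subdomain of its own domain
  if (host === brand || host.endsWith("." + brand)) {
    return { ok: true, host, reason: "expected domain" };
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "punycode host, possible look-alike characters" };
  }
  if (host.includes(brand.split(".")[0])) {
    return { ok: false, host, reason: "brand name embedded in a different domain" };
  }
  return { ok: false, host, reason: "unrelated domain" };
}

// Constructed sample links, one per deceptive pattern the check distinguishes
const SAMPLE_AD_LINKS = [
  "https://www.microsoft.com/en-us/security",
  "https://www.microsoft.com.support-help.example/fix",
  "https://www.microsoft.com@support-help.example/",
  "https://www.micr\u043esoft.com/", // Cyrillic "o" in place of the Latin letter
  "https://pc-repair-now.example/",
];
for (const link of SAMPLE_AD_LINKS) {
  const { ok, host, reason } = checkAdDestination(link);
  console.log(`${ok ? "OK  " : "FLAG"} ${host} (${reason})`);
}
```

The check only covers the link as given; ad links often pass through redirects, so the same test applies to the address bar once the page has loaded.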
Preventing yourself from falling victim to malvertizing requires a careful eye, taking a moment to stop and think about the claims of an ad, ensuring you are being redirected to a legitimate site, and clicking that ‘update’ button every time it shows up in your browser. To defend against malvertizing, advertising vendors should implement more rigorous checks on advertisers and their content to ensure legitimacy. Additionally, employees should be trained to identify suspicious emails, websites, and online ads, empowering them to avoid falling victim to these attacks. Threat actors are using more and more legitimate tools maliciously, advertisements included. A healthy dose of skepticism never hurt anyone, so the next time you see a suspicious ad, be cautious and ensure it’s legitimate before clicking on it.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro