Online ads can be an annoying interruption to our normal browsing habits. However, they are often necessary because they act as the primary source of funding for the otherwise free websites we use on a daily basis. Have you ever wondered how those ads end up on your screen? Well, there’s a fascinating supply chain behind the ads, and it’s interesting to dissect.
A site that serves ads typically does not handpick the specific ads that appear on its platform. Instead, it selects ad categories to block, allocates ad space, and then serves the ads offered by its advertising vendor. Ad vendors are responsible for procuring advertisers and websites to display their ads. But what if these advertisers aren’t legitimate? What if they are threat actors or scammers looking to lure potential victims with seemingly legitimate software or offers to help repair their computer? This malicious use of ads is referred to as malvertising.
Malvertising uses many of the same tactics as social engineering, relying heavily on persuasive language and attention-grabbing images to create a sense of urgency or fear. This encourages victims to act quickly without inspecting the legitimacy of the website linked to in the ad. Malvertising attacks are becoming increasingly sophisticated, with cybercriminals using trusted platforms such as Facebook and other social media to distribute malicious content. By leveraging the trust and reach of these platforms, attackers can reach a wider audience and potentially compromise more victims. This also makes it more challenging for users to distinguish between legitimate and malicious ads.
To add to the complexity, threat actors employ techniques to mask their identities and avoid detection. This can include social engineering tactics such as phishing, token theft or info stealers to gain access to legitimate ad accounts. By hijacking trusted accounts, attackers can bypass security measures designed to prevent malicious organizations from buying advertising space.
Leads threat operations and internal security at Huntress.
Three common types of malvertising attacks that users should be aware of are:
Scam Malvertising: Attackers will display ads with language similar to “Your computer is infected, call us immediately to remedy!”. When a victim calls, the scammers will typically convince their victim to install software to start a remote control session of the victim’s computer. They will then overwhelm the victim with misinformation, hoping to confuse them into thinking the situation is too complex to understand, and then ask them to pay money to fix the non-existent security issue.
Fake Install Malvertising: A common technique that delivers malware directly to the victim, posing a more significant threat. Attackers masquerade as legitimate software vendors to deliver a modified version of the software that typically includes an infostealer or initial access mechanism. These attacks aim to catch the victim while they are busy installing the software. Often we see QuickBooks used as a decoy, where attackers sponsor malicious ads designed to appear next to legitimate QuickBooks links. The malicious ads then lead to a cloned QuickBooks website that serves users a compromised installer. Similarly, fake browser extensions mimic legitimate ones and trick users into installing them. Once installed, they can capture sensitive data, including browsing history, passwords and credit card information, putting both individuals and businesses at significant risk.
Drive-by-download Malvertising: These malicious ads require no engagement from the viewer; simply loading them into your browser is enough to install a new web extension or download malware. This tactic relies heavily on the victim not keeping their browser up to date, because it exploits previously known and patched vulnerabilities. There is a reason why your browser keeps asking you to update it; these updates keep the browser safe from newly discovered vulnerabilities. Keep your browser up to date and don’t make attackers’ jobs easier.
Avoid attacks
To avoid falling victim to malicious attacks, such as phishing scams, it’s important to think critically before engaging with suspicious ads. If you receive an ad claiming you are a victim and need to call for support, stop and ask if the claim even makes sense at face value. How would this vendor know you had a virus on your computer? Does Microsoft really have a department of staff that proactively buys ad space to inform its customers that there may be a virus on their computer? While answering these questions generally requires at least some level of technical insight, there are other tell-tale signs that an ad may be a scam. Many of these scams claim to be Microsoft tech support or their security team. Check to see where the ad will take you. If the domain is not www.microsoft.com, then you can almost guarantee it will be a scam, especially when combined with a message claiming it is time sensitive or extremely critical.
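The "check where the ad will take you" step can be made mechanical. The sketch below is an added example, not code from the article or from Huntress: it compares the host a browser would actually connect to against the one expected host the article names, and flags the common ways a link can merely look like that host. The function name, the `BRAND` constant and all sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the single host the article treats as legitimate for Microsoft.
EXPECTED_HOSTS = frozenset({"www.microsoft.com"})
BRAND = "microsoft"  # brand the ad claims to speak for (illustrative)

def check_ad_link(url, expected=EXPECTED_HOSTS, brand=BRAND):
    """Return (trusted, reason) for the URL an ad would send the user to."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is lower-cased and excludes port and any user@ prefix
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return (False, "unparseable URL")
    if parts.scheme not in ("http", "https") or not host:
        return (False, "not a web link")
    if parts.username is not None:
        # In https://www.microsoft.com@other.example/ the host is other.example
        return (False, "text before '@' is not the host")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return (False, "internationalized name, possible lookalike")
    if host in expected:
        return (True, "expected host")
    if brand in host:
        # e.g. the real name used as a subdomain of someone else's domain
        return (False, "brand name inside an unrelated domain")
    return (False, "not the expected host")

# Constructed sample links; .example is a reserved, non-resolving TLD.
SAMPLES = [
    "https://www.microsoft.com/en-us/security",
    "https://WWW.MICROSOFT.COM./support",
    "https://www.microsoft.com@support-desk.example/fix",
    "https://www.microsoft.com.support-desk.example/fix",
    "https://www.xn--mcrosoft-constructed.example/help",
    "https://pc-repair-now.example/urgent",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = check_ad_link(link)
        print(f"{'OK  ' if trusted else 'FLAG'} {reason:45} {link}")
```

Only an exact host match passes; a link that contains the trusted name anywhere else in the URL is still flagged.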
Preventing yourself from becoming a victim of malvertising requires a careful eye: take a moment to stop and think about the claims of an ad, make sure you are being redirected to a legitimate site, and click the ‘update’ button each time it appears in your browser. To defend against malvertising, advertisers should implement stricter controls on advertisers and their content to ensure legitimacy. In addition, employees should be trained to identify suspicious emails, websites and online advertisements, allowing them to avoid becoming victims of these attacks. Threat actors are using more and more legitimate tools maliciously, including advertising. A healthy dose of skepticism never hurt anyone, so the next time you see a suspicious ad, be careful and make sure it’s legitimate before clicking on it.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the tech industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.