Internet companies face up to 'malvertising' threat

The Guardian reported this week on the phenomenon called "malvertising". A type of attack we've talked about quite often on this blog, one where fake ads containing malware are placed on well-known websites as a way to reach millions of people through names they trust. Some of the sites hit by a series of recent attacks include the New York Times and Horoscope.com.

Unlike traditional spam or virus attacks, which rely on victims clicking on a link in an email or mistakenly downloading an infected program, malvertising attacks are often hidden on popular websites and can sometimes even inject malicious code directly to a computer as soon as the target sees the compromised commercial (also known as a drive-by download).

From the article:

"This is a growing problem," said Graham Cluley, a consultant with online security firm Sophos. "Hackers are making more and more use of ad networks to distribute their attacks to users visiting legitimate well-known sites."

"These are not random attacks. When they infect third party ad networks they may not know precisely which website will end up displaying their ads - but, frankly, they don't care about that. The important thing for them is that they get eyeballs."

Malvertising was first identified by security experts several years ago, but the growing breadth of online advertising has made it more attractive to criminals as a way to reach millions of web users quickly and easily.

A string of incidents in recent weeks have stepped up concerns, including attacks last weekend where popular sites including rightwing news service the Drudge Report were hijacked by criminals. The attackers succeeded in placing malicious ads through Google's DoubleClick service, which were then syndicated around a range of different sites.

The previous weekend, readers of the New York Times - the world's biggest newspaper website - were subjected to a malvertising attack after hackers posed as a legitimate company in order to buy advertising space.

While the incidents are embarrassing for those companies which get caught out, they pose a very serious threat to the readers of those sites - many of whom are not running up-to-date virus protection.

"Attackers use online ads for the same reasons a legitimate company would do so," said Mary Landesman of web security firm ScanSafe.

"When an attacker can infiltrate an advertising network, it enables them to reach a broad number of websites within a chosen category. This provides the attacker with the same return on investment that it would a legitimate advertiser – broad exposure to the audience of their choosing."

Malvertising is a good reason to put a proxy between your end-users and the Internet. A proxy with URL database filtering, anti-malware scanning and embedded URL blocking would prevent drive by downloads from infecting workstations in your organization's network.