Combating New Threats as Internet Advertising Surges

Malvertising Threats Underscore the Need for an Approach to Security that Addresses the Full Attack Continuum.

Internet advertising spend outpaces all other forms of media according to the most recent reports from Nielsen. Together, global display advertising across the web, mobile Internet and apps grew by 32.4% in 2013 — by far the largest increase of any media. Annoying as it can be for users, Internet advertising is important because it allows people to freely consume the vast majority of the web. If that model were to change or if people were to stop trusting Internet advertising altogether, the repercussions for the Internet could be monumental. But just as advertisers see huge opportunities to reach their targets with Internet ads, hackers see similar opportunities.

“Malvertising,” online advertising used to spread malware, is becoming more prevalent. Supported by the cybercriminal economy that has formed around the attack chain, it has become increasingly easy for adversaries to gain access to the tools they need to launch these highly targeted campaigns. For example, a malvertiser who wants to target a specific population at a certain time—such as soccer fans watching a World Cup match—can turn to a legitimate ad exchange to meet their objective. Just like legitimate advertisers, they contact companies that are gatekeepers for the ad exchanges. They will pay up front for the advertising, perhaps US$2,000 or more per ad run, and instruct the companies to tell the ad exchanges to serve the ads as quickly as possible, leaving little or no time for the ad content to be inspected.

Malware Rising

Malvertising victims are infected with malware in the course of their normal Internet browsing, without even clicking on the advertisement, and therefore have no idea where or how they were infected. These drive-by attacks on visitors to high-profile, legitimate websites are virtually impossible for the user to detect. Website visitors are seamlessly redirected to websites that host exploit kits that the adversary has either rented or purchased. These kits push a ‘dropper’ onto users’ systems and infect vulnerable systems. Not only are their infiltration methods stealthy, but tracing the source is next to impossible because the ad that delivered the malware has long since disappeared.

So how can security professionals help to prevent these attacks from being successful? Secure web gateways are becoming an increasingly important component of any cybersecurity strategy. However, conventional secure web gateways operate at a point in time – one shot to detect and stop traffic.

Advanced attacks don’t occur at a single point in time, so while visibility and blocking at the point of entry is important, it isn’t enough. These attacks are ongoing and require continuous scrutiny. When evaluating secure web gateways, security professionals should identify solutions that include a series of checks across the full attack continuum – before, during, and after an attack – for more effective protection.

Before an attack – Defenders need comprehensive awareness and visibility to implement policies and controls to defend their environment. URL filtering and web reputation filtering are the first checks in the process. With URL filtering, system administrators can set policies to block known malicious sites, but they can also block categories of URLs based on content, for example allowing news but blocking all ads. For those concerned about the impact on user experience of blocking all ads, other layers of security can be added. Similar to giving a website a credit score, reputation filtering provides another layer of protection. It leverages a vast amount of data, including the length of time the domain has been malware-free, to assign a reputation to a URL. When a user requests a web page, the reputation is looked up and, based on pre-set policies, a decision is made on how the request should be handled. Working together, URL filtering and reputation filtering help block malvertising attacks at the point of entry. But attacks are incredibly stealthy and can still get through.

During an attack – Defenders must be able to continuously detect and block malware. If the web content the user requested has passed URL filtering and reputation filtering, real-time malware scanning now takes over. Before the content is delivered to the user the file is scanned against various parameters, including the latest threat intelligence, and blocked if found to be malware. If the disposition is still unknown or untrusted it is run in a sandbox, a tightly controlled environment, and watched for suspect or malicious behavior. If the sandbox verdict is malicious, the administrator is notified to take action and defenses are updated to protect against future similar ads. Sandbox technology can mitigate risk, but it doesn’t remove it entirely; attacks are being designed to evade sandbox detection.


After an attack – Because some advanced threats still penetrate networks, defenders need protection that includes retrospective security. Retrospective security continues to track files and analyze their behavior against real-time, global threat intelligence. If a file is later identified as malicious, retrospective security can also determine the scope of the attack so that defenders can quickly contain the threat and remediate. The various layers of defenses are then updated with the latest intelligence so that a similar malvertising attack will be blocked in the future.
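To make the before/during/after pipeline concrete, here is an added example (not from the article or any vendor product) of a toy gateway in Python: the category, reputation and hash tables, host names and payloads are constructed sample data, and the sandbox verdict is passed in as an assumed external result. The point it shows that the prose does not is why the delivery record matters: a hash flagged by later intelligence can be traced back to every host that already received it.

```python
"""Toy secure web gateway illustrating the three checks in the article.
All domains, scores, hashes and hosts are constructed sample data."""
import hashlib
from collections import defaultdict

# Constructed policy tables standing in for a real category/reputation feed.
CATEGORY = {"news.example": "news", "ads.example": "ads", "cdn.example": "unknown"}
REPUTATION = {"news.example": 90, "cdn.example": 25}   # 0-100, higher is better
BLOCKED_CATEGORIES = {"ads"}      # policy from the text: allow news, block all ads
REPUTATION_MIN = 40               # assumed threshold below which a URL is blocked


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class Gateway:
    def __init__(self):
        self.known_bad = set()                  # hashes with a malicious disposition
        self.delivered = defaultdict(set)       # hash -> hosts that received it

    def check_url(self, domain: str) -> str:
        """Before: URL category filter, then reputation filter."""
        if CATEGORY.get(domain) in BLOCKED_CATEGORIES:
            return "blocked:category"
        if REPUTATION.get(domain, 0) < REPUTATION_MIN:   # unknown domains score 0
            return "blocked:reputation"
        return "allowed"

    def check_file(self, content: bytes, client: str, sandbox_verdict=None) -> str:
        """During: hash lookup against current intelligence, then the (external,
        assumed) sandbox verdict. Anything delivered is recorded for later."""
        digest = sha256_hex(content)
        if digest in self.known_bad:
            return "blocked:known-malware"
        if sandbox_verdict == "malicious":
            self.known_bad.add(digest)          # update defenses for the next request
            return "blocked:sandbox"
        self.delivered[digest].add(client)      # unknown or clean: deliver, keep tracking
        return "delivered"

    def retrospective(self, digest: str) -> list:
        """After: new intelligence flags a hash; return the hosts that already
        received it so responders can scope containment and remediation."""
        self.known_bad.add(digest)
        return sorted(self.delivered.get(digest, ()))
```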

Malvertising affects all Internet users and is a disruptor for the Internet economy. It underscores the sophistication of the modern cybercriminal economy in terms of the division of labor, cooperation, and specialization across the attack chain. It also underscores the need for an approach to security that addresses the full attack continuum. With ongoing visibility and control, and intelligent and continuous updates, security professionals can take action to stop the inevitable outbreak.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
