Research Finds 1 Percent of Online Ads Malicious

One percent does not sound like a lot, but multiply it by the right number, and it can be.

Such is the case when it comes to malicious advertising. In research recently presented at the 2014 Internet Measurement Conference in Vancouver, a team of security experts from Ruhr-University Bochum, University College London and the University of California, Santa Barbara (UCSB) examined more than 600,000 online advertisements on 40,000 websites over a three-month period and used multiple detection systems to assess whether they were good or bad. The end result: one percent of the ads were found to be involved in suspicious or malicious activity such as drive-by downloads and link hijacking.

“While this is bad news for the advertising networks, advertisers and Internet users who are all under attack from the malware producers, the good news is there are several things available today that can stop malvertising,” said Giovanni Vigna, co-founder and CTO of Lastline, one of the members of the team that worked on the research. “One of these is the use of the sandboxing attribute in iframes within HTML5. None of the 40,000 websites we observed leveraged this mechanism, even though it could stop the link-hijacking that is by far the most prevalent method by which miscreants are getting past other security measures in order to distribute malware through advertisements.”

“On the ad network side — whether those be ad brokers, ad distributors, ad resellers or traditional ad networks — a similar approach can be taken to that used in our study to monitor for malvertising,” he continued. “To detect malicious behavior in ads we used a composition of blacklists, reputation databases, and Wepawet, a honeyclient developed at UCSB that uses an emulated browser to capture the execution of JavaScript to identify signs of maliciousness, such as drive-by-download attacks. The research community and technology companies (including security providers as well as ad networks and ad brokers) can and should continue to study malvertising and develop new techniques and tools to detect and stop it.”

Apostolis Zarras of Ruhr-University Bochum said that the smaller ad networks appear to be more prone to serving malvertisements, which he speculated could be due to less efficient filtering mechanisms compared to the larger ones. 

In the paper, the researchers also speculated that many publishers trust their advertisers to police malicious activity, and therefore do not use additional filters to protect their users. As for solutions, the researchers argued that collaboration among the ad networks can bring better results in defending against malvertisements compared to individual actions, and the existence of a common blacklist where all malicious advertisements will be submitted can prevent attackers from submitting their wares to a different network if they get rejected by another.  

“Another, more drastic, solution will be penalizing of the ad networks which are inefficient to detect the malicious code embedded in advertisements,” according to the paper. “For instance, forbidding from participating in ad arbitrations for a certain amount of time, or the application of similar penalties, when an ad network is found delivering malvertisements, can boost the ad networks to invest in better detection algorithms.”

“Back in time,” said Zarras, “we used to have websites that were controlled by cyber-criminals and the attackers had to lure the victims to visit these websites so they can effectively infect their machines with malware. But, with the ads this is not necessary any more. An ad can exploit vulnerabilities in your browser, or your browser extensions without the need from user’s side to visit a malicious website. For instance, the incident that took place on January 2014, in which Yahoo ads exploited vulnerabilities in Java and installed malware on victims’ computers, [shows] that these attacks are actually possible and not theoretical. So, the main reason that malvertisement is more effective than traditional attacks, is that the users can be infected with malware even if they visit only legitimate websites.”
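A publisher-side check for the iframe sandboxing Vigna describes, as an added example that is not from the article or the research paper: it scans page markup for `<iframe>` tags and reports which ones leave framed content able to navigate the top-level page. The sample markup, ad hostnames and function names are constructed for illustration.

```javascript
// Constructed sample page; the ad hostnames are placeholders.
const SAMPLE_PAGE = `
<iframe src="https://ads.example.net/slot1"></iframe>
<iframe src="https://ads.example.net/slot2" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://ads.example.net/slot3" sandbox="allow-scripts Allow-Top-Navigation"></iframe>
<iframe sandbox src='https://ads.example.net/slot4'></iframe>
`;

// Parse the attributes of one <iframe ...> start tag into a Map (first occurrence wins).
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Classify every iframe by whether framed content may navigate the top-level page.
// Simplification: tags are found with a regex, so a ">" inside an attribute value is not handled.
function auditIframes(html) {
  return (html.match(/<iframe\b[^>]*>/gi) || []).map((tag) => {
    const attrs = parseAttributes(tag);
    const src = attrs.get("src") || "(no src)";
    if (!attrs.has("sandbox")) return { src, verdict: "unsandboxed" };
    // Sandbox keywords are space-separated and compared case-insensitively.
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    const verdict = tokens.includes("allow-top-navigation")
      ? "top-navigation-allowed"   // sandboxed, but the restriction is lifted again
      : "top-navigation-blocked";  // framed ad cannot redirect the hosting page
    return { src, verdict };
  });
}

for (const { src, verdict } of auditIframes(SAMPLE_PAGE)) {
  console.log(`${verdict.padEnd(24)} ${src}`);
}
```

Only the second and fourth frames keep the framed ad from redirecting the hosting page; the first has no sandbox at all and the third re-grants top-level navigation.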
