News

Fraud through 'malvertising'

15 October 2019

In malvertising, malware is spread through false advertisements shown on the websites that you visit. What actually happens and how can you protect yourself?

New form of fraud reported: malvertising or fake advertisements

Cyber criminals are getting smarter and smarter and are finding new ways to commit fraud. The latest attack method is 'malvertising': criminals use online advertisements with harmful content to spread malware and to infect systems.

A recent example: when you visit a popular website such as tweedehands.be or buienradar.be, an advertisement for a well-known telecom operator suddenly appears in a pop-up. If you click on the pop-up, you are diverted to a perfectly imitated website of that operator, where under the guise of a survey, you are asked to enter your user data.

The operator in question had nothing to do with these advertisements, which were in fact spread by cybercriminals through an advertising network. The advertisements contained the logo and corporate identity of the operator, perfectly imitated, in order to mislead you easier.

The websites where the advertisements appeared were not aware of the fact either. Just as so many other websites, they work with an advertising network. In so doing, they place certain spaces on their website at the disposal of that network. If you visit the website, the network will automatically show an advertisement from a series that it has in its portfolio and which is adapted to your profile.

How does malvertising work?

Malvertising is used to spread malware or to loot personal data. The recent malvertising wave, where the name and logo of Telenet were misused, was the latest case in point. Far more frequently, real malware is spread through malvertising, however.

This is how it works: the cybercriminals conceal a piece of code in an advertisement that looks innocent, often via an iFrame, an invisible frame that leads you surreptitiously to other pages. If you click on such an advert, you are led to a server which is in the hands of the criminals.

An  'exploit kit' is often implemented to that end. This is malware that will assess your computer and check whether there are weak spots in your operating system or programmes. And then such a weak spot is misused to install malware on your computer in order to steal financial or other sensitive information on your system, or to encrypt your computer (ransomware).

Or your computer is used as a  'zombie computer' in a ‘botnet’ – large numbers of compromised machines which are used by cybercriminals for large scale DDoS attacks.  They bombard well known websites with false requests to serve web pages – so many requests that the legitimate traffic drowns in them, so that the website becomes unreachable and the server itself can crash.

All this is carried out quietly in the background, without you noticing or without having to do something about it.

Why is malvertising so persistent?

As explained above, most (major) websites nowadays work with an advertising network which places advertisements.

Often, worldwide networks are involved that work with enormous numbers of websites and advertisements.

It is therefore very difficult for the advertising networks to analyse each advertisement thoroughly before it is included in the network. They usually react only when a complaint is lodged against an advertisement of a certain group or company.  Only then is the advertisement or the advertiser screened.

The extensive automation of the advertisements such as real time bidding has yet another effect: it is very difficult for cybersecurity experts to determine which advertisements contain malware, because the networks are continuously placing other advertisements that are personalised per visit. When two visitors visit the same website, one can be infected and the other not.

How to protect yourself from  malvertising

Follow these tips:

  • Check which plug-ins, add-ons and extensions are active in your browser . In Firefox: click on the hamburger menu on the top right, and select add-ons
    • Do you have the Flash plug-in? Then we advise you to switch it off. This technology was used often in the past for animations on websites, but it is an easy target for hackers to pack malware. Deactivate Flash in your browser – if you go to a website that does not work without flash, you can reactivate the plug-in temporarily for that site. You will moreover note that Flash is used less and less. 
    • Do you also see the Java plug-in there?  We advise you to remove it. This technology was used often in the past for corporate sites, e.g. for internet banking. But it also often shows breaches and is therefore very seldom used on websites. If a website that you need nonetheless requires Java, we recommend the 2-browser method: visit that site with a browser in which you activate Java, and visit all other websites with another browser.  
  • Remove extensions, add-ons and plug-ins which are present but you do not use. 
  • Keep your browser up to date. Install the update as soon as you are notified that a new version is available. This applies also for all software on your computer and for the operating system  itself  (Windows, Chrome, iOS, …). In this way, you avoid 'zero-day exploits' where the hacker pounces on a breach in a software immediately, before a patch is available.
  • When surfing: close tabs that you do not use. In this way, fewer advertisements will run in the background and you will thus reduce the risk.
  • Always check the underlying address of a web link before you click on it. Move the cursor over the link to see the web address.
  • Analyse the domain name thoroughly.  banking.kbc.be.xyz is not the web address of kbc.be, but of be.xyz!
  • If you are a registrant but have discontinued your business, retain the domain name to prevent third parties from using it in a malware campaign. The small annual registration fee can spare you all sorts of misery!

With this article, we support the United Nations Sustainable Development Goals.