Archer

Big malvertising campaigns are hitting popular websites in waves. Why can’t this attack ad tsunami be stopped?

Maybe you just blinked—total time: less than half a second. 

Some things move faster than that. The flap of a honeybee’s wing. The click of a camera shutter. And the process some of the world’s most popular websites use to figure out which ad they will show you on their page.

Some say that speed (about 100 milliseconds), along with the complexity of the ad selection process, gives bad guys the advantage, allowing them to show you ads that secretly send you off to a webpage that scours your computer for vulnerabilities and downloads ransomware or other vicious payloads.

Just last month, malvertisers blasted popular sites, like The New York Times, AOL, the BBC, NFL.com, the Weather Network, Xfinity, MSN and more, according to multiple security companies, including Malwarebytes.

Why can’t someone just shut the malvertisers down?

“No one entity is capable of stopping malvertising as a whole,” said John Shier with cybersecurity company Sophos. “There are many moving parts that make up the online advertising ecosystem, which means there are many ways crooks can exploit this ecosystem.”

Blink and you’ll miss it

You click on a link, go to a site and see an ad. In that time, a complex series of transactions may have taken place.

In a process called ‘real-time bidding,’ the site may put you up for a bid. Advertisers automatically check out your digital dossier to see if they want to pay money to show you an ad, then bid to get the chance to do so. There are a lot of different companies involved—someone along the way picks the best bid, and you get to see that ad—all this in about 100 milliseconds.

It is like high-frequency trading in the finance world, according to Kaspersky Lab’s Threatpost.

“Buyers essentially bid among themselves to land short-term ad placements on sites that are receiving high click through rates in real-time,” said the post on Threatpost. “The goal is to get an ad placed on a site that is under a heavy traffic load at the time.”

If the malvertiser wins the bid, you may get to see a poisoned ad. It may look like a real ad, but that doesn’t matter. Just by “seeing” it, you can be infected.

“The reality is that most of the time there will be no outward indication,” Shier told Archer News. “These malvertising campaigns are specifically designed to blend in with the legitimate ads.”

New socket wrench?

One of the ads in the March malvertising attacks on sites like Answers.com, which ranks in the top 200 websites in the U.S., was an unobtrusive banner ad for new tools, according to cybersecurity company Trustwave.

Though the ad image shows socket wrenches, the new tools that could end up on your computer were really ransomware and other malicious software, researchers said.

How did it get through checks and defenses from the various companies involved in the complex online ad process?

Trustwave said the malvertising was connected to Brentsmedia<dot>com, a site that, until January, appeared to be a legitimate advertising company. In March, right before the campaign began, someone took over the site as a new owner, possibly “trying to ride on the reputation the domain had and abuse it to trick ad companies into publishing their malicious ads,” researchers said.

“This time it seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes,” the researchers said in a post on the Trustwave site.
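To make the two points above concrete (an auction decided in about 100 milliseconds, and a bidder hiding behind a recently expired advertising domain), here is an added example, not code from Archer News, Trustwave or any ad exchange: a toy real-time bidding auction in which the exchange consults a precomputed domain-registration history before letting a bid compete. The domains, dates and the 90-day threshold are constructed assumptions, and the lookup is a plain dictionary so it stays cheap enough for the time budget.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Bid:
    advertiser_domain: str
    cpm: float  # price offered per thousand impressions


# Constructed registration history (assumption: the exchange keeps, or buys,
# this data for every domain allowed to bid). A value of None means the domain
# never lapsed; otherwise (expired_on, re_registered_on) records a takeover.
DOMAIN_HISTORY = {
    "longtimeads.example": None,
    "brentsmedia.example": (date(2016, 1, 15), date(2016, 3, 1)),   # lapsed, then re-registered
    "freshmedia.example": (date(2016, 2, 20), date(2016, 3, 10)),   # same pattern
}

RECENT_TAKEOVER_DAYS = 90  # assumed policy window for "recently changed hands"


def vet_domain(domain, today):
    """Return None if the domain may bid, else a short reason to hold it for review."""
    if domain not in DOMAIN_HISTORY:
        return "no registration history"          # unknown bidder: do not auto-approve
    history = DOMAIN_HISTORY[domain]
    if history is None:
        return None
    expired_on, re_registered_on = history
    if expired_on < re_registered_on and today - re_registered_on <= timedelta(days=RECENT_TAKEOVER_DAYS):
        return "domain re-registered shortly after expiry"
    return None


def run_auction(bids, today):
    """Highest-cpm eligible bid wins; held bids are returned with their reasons."""
    eligible, held = [], {}
    for bid in bids:
        reason = vet_domain(bid.advertiser_domain, today)
        if reason is None:
            eligible.append(bid)
        else:
            held[bid.advertiser_domain] = reason
    winner = max(eligible, key=lambda b: b.cpm, default=None)
    return winner, held
```

The highest bid does not win here: both "media" domains are held because they changed hands within the window, so the long-standing advertiser's lower bid is the one served.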

Not the only one 

Other malvertisers appear to be using sites with the word “media” in the name to trick ad companies, Trustwave said.

“If one was to take a wild guess, one might think that they actually are watching for any domains containing the word ‘media’ that have recently expired,” researchers said.

The malvertisers may also cover up their intentions by using real ads from real companies.

“In fact, they will simply steal a legitimate ad from somewhere else,” Shier said. “It’s not uncommon for the crooks to use legitimate brands and products as the visible portion of their campaign.”

There are other tricks they can use as well.

“Impersonating a legitimate advertiser will get you an account on a real-time bidding service, but so will phishing for credentials,” Shier said. “It may be possible to stop bogus accounts from getting created, but what do you do about valid accounts being misused?”

Make it stop

Trustwave said the big sites like Answers.com are victims, too, like you, the end user.

“The only ‘crime’ here is being popular and having high volumes of traffic going through their sites daily,” the post said.

Cybersecurity experts say all the many parts of the ecosystem need to work together.

The ad delivery networks may not have incentive to change because they profit from the flow of ads, according to a report by Invincea, as reported in Threatpost. “Without cooperation from the companies enabling this sort of fraud, Invincea complains, attacks will continue,” the post said.

“Stopping malvertising requires a coordinated effort and everyone needs to do their part,” said Shier.

Since malvertisers can hit a website at a number of points, not just through the real-time bidding process, he encouraged sites to take precautions.

“Keeping your webservers locked down and fully patched will prevent an ad being inserted directly onto your site,” he said.

Better security

Some of the big ad platforms like Facebook, Google and Yahoo are working together to try to deal with the problem, Shier said.

Their group, Trust In Ads, offers a way for people to report bad ads.

Google’s ad policy says it is trying to stop malicious advertisers. 

“All of our policies are crafted to protect a high-quality user experience, and we’ve built enforcement systems and processes to prevent ads that fall below these standards from serving,” the policy says. “We take any attempts to trick or circumvent our ad review processes very seriously, so play fair.”

Just saying “play fair” doesn’t work with malvertisers.

“Most ads that violate these policies get flagged long before a user would ever see it,” the Trust In Ads site says. “However, unfortunately, some do make it through.”

Like “whack-a-mole,” the site says.

“Despite the technologically advanced architecture of these automated, machine learning systems, sophisticated scammers constantly look for ways to infiltrate them – as one hole is filled, scammers immediately look to find workarounds,” Trust In Ads says.

The future of ads?

The future may hold extra layers between you and attack ads. For example, the Brave browser says it will check for malvertising and other bad ads and block them entirely, or replace them with “good” ads.

“Brave also confines ads it does show to computing compartments called sandboxes to make it harder for ads to carry out attacks, and it checks the ads themselves for software instructions associated with an attack,” reported CNET.

Advertisers would then pay to be on the “good ad” list, according to Naked Security by Sophos.

“Replacing ads means our users get a share of the gross ad revenue. Brave will pay users 15% of gross ad revenue. This is the same amount of money that we make from those ads (the rest goes to publishers and ad content partners),” Brave’s site says.

Protecting yourself

Google, Facebook and Yahoo can’t stop all malvertisers from putting poisoned ads on your computer. So experts say you will want to make sure you are doing your best to fend off ad attackers.

“There is a lot of work being done to stop malvertising, but there are still too many opportunities for the crooks to get involved,” Shier said.

The key is staying on top of updates to your computers, your software, and your network.

“Users and organizations should ensure that browsers are fully up to date, along with any browser plugins like Flash and Java,” said cybersecurity company Proofpoint in a March post about malvertising. “Wherever possible, plugins should be disabled as these are common sources of vulnerabilities that exploit kits use to infect PCs.”