Today's ad networks

There are a variety of delivery methods for online advertising, though ad exchanges are one of the most common today. The process involves publishers, who sell the ad space on their sites; exchanges, which run the bidding for that space; and advertisers, who bid to win placement on the site.

At a basic level, you can look at this process as being similar to a car auction. The seller (publisher) puts their car (ad space) up at an auction house (ad exchange). The auctioneer (ad exchange) opens bidding to the potential buyers (advertisers). The highest bid ultimately wins the car, the buyer pays the seller, and the buyer's ad is shown to the web user whose page visit created that ad space.

To be more specific, the process for serving an ad works like this:
- A user requests a particular page that includes an ad space.
- A publisher collects information about the user and passes it to an ad exchange.
- The ad exchange passes the available information on to advertisers and opens an auction for the ad slot on the page.
- The advertisers determine if they have suitable ads and make bids for the ad space accordingly.
- The winning bid is passed back to the publisher, who displays the ad to the user.
Where things go wrong

From an advertiser's perspective, ad exchanges help facilitate cheaper ads that reach the customers they want to reach. However, the bar is quite low in terms of who qualifies as an "advertiser." In many ways this is necessary so that smaller businesses and sellers can get their ads distributed online easily. It also leaves the door open for bad actors.

Without significant vetting on many advertising networks, it is fairly straightforward for cybercriminals to enter these networks and bid for ad placement alongside legitimate advertisers. By doing so, they get the opportunity to place malicious ads in front of users.

Not only that, but a malicious advertiser can take advantage of the information gathered about the user, because the exchange hands it to every bidder. For instance, if the malicious actor learns that the user is running an out-of-date version of the Google Chrome web browser, they can place a bid and, if they win the auction, serve up a malicious ad that exploits the vulnerable browser. They can also decline to bid on everyone else, so only exploitable users ever see the malicious creative.

It is also important to note that websites rely on the legitimacy and security of ad networks when using them to display ads. There is very little a site can do to screen for malvertising: the creative is chosen per impression by the exchange, not by the site. If a malicious ad is identified, website owners can request that it be removed, but that does little to protect already affected users. Because of this, users should not conflate the trust they place in a particular website with the ads displayed on that site.
Payload delivery

Through this channel, an attacker can attempt to distribute any sort of payload they wish. In many cases, the final content displayed on the user's page is an ad that entices them to download adware or potentially unwanted applications (PUAs) that offer some service but do so while displaying further ads.

In other cases, the malicious ad opens a window or alert that attempts to trick the user into thinking their software is out of date. If they attempt to install the fake update, they find themselves infected with malware.

What is most concerning, however, is that the information an attacker gleans about a user through the ad exchange can be used for active exploitation. For instance, an attacker can choose to bid only on impressions from users running Internet Explorer. On winning the bid, the attacker sends an Adobe Flash Player exploit as their "ad." If the installed version of Flash is out of date, the machine can be compromised without the user even clicking the ad. The attacker has exploited the browser right out of the gate, requiring zero interaction from the user beyond loading the page that contains the ad. (Flash itself has since been retired, but the same zero-click pattern applies to any browser or plugin with an unpatched memory-safety bug.)
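The targeted-bidding behaviour described above, as an added simulation that is not code from the original article or from any real exchange: a tiny auction where a legitimate advertiser bids on everyone, while a malicious bidder inspects the User-Agent the exchange forwards and bids (higher) only on browsers that look exploitable. The bid-request fields, the bidders, the sample User-Agents and the "safe" Chrome version threshold are all constructed for this illustration; real exchanges use the much richer OpenRTB request format.

```python
"""Simulated ad-exchange auction with a malicious bidder that targets
out-of-date browsers. Constructed illustration, not real exchange code."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class BidRequest:
    user_agent: str   # collected by the publisher, forwarded by the exchange
    page: str
    country: str


@dataclass
class Bid:
    advertiser: str
    price_cpm: float
    creative: str     # what is rendered in the slot if this bid wins


# Constructed bid requests standing in for real traffic (assumed UA strings).
REQUESTS = [
    BidRequest("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/58.0.3029.110 Safari/537.36", "news.example", "US"),
    BidRequest("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/120.0.0.0 Safari/537.36", "news.example", "US"),
    BidRequest("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko", "news.example", "US"),
]

MIN_SAFE_CHROME = 100  # assumed threshold for this illustration only


def chrome_major(ua: str) -> Optional[int]:
    """Major Chrome version from a UA string, or None if it is not Chrome."""
    m = re.search(r"Chrome/(\d+)\.", ua)
    return int(m.group(1)) if m else None


def is_internet_explorer(ua: str) -> bool:
    return "Trident/" in ua or "MSIE " in ua


def legitimate_bidder(req: BidRequest) -> Optional[Bid]:
    # Bids the same modest price on every impression.
    return Bid("shoe-store", 1.20, "banner:shoes")


def malicious_bidder(req: BidRequest) -> Optional[Bid]:
    """Bids only when the forwarded UA looks exploitable, and outbids the
    legitimate advertiser for exactly those impressions."""
    major = chrome_major(req.user_agent)
    if is_internet_explorer(req.user_agent) or (major is not None and major < MIN_SAFE_CHROME):
        return Bid("evil-ads", 4.00, "iframe:exploit-kit-landing")
    return None  # everyone else never sees the malicious creative


def run_auction(req: BidRequest, bidders) -> Optional[Tuple[Bid, float]]:
    """Simplified first-price auction: highest bid wins and pays its own price."""
    bids = [b for b in (bidder(req) for bidder in bidders) if b is not None]
    if not bids:
        return None
    winner = max(bids, key=lambda b: b.price_cpm)
    return winner, winner.price_cpm


def serve(requests: List[BidRequest],
          bidders: Tuple[Callable[[BidRequest], Optional[Bid]], ...] = (legitimate_bidder, malicious_bidder)
          ) -> List[Optional[str]]:
    """Return the creative each user ends up with, in request order."""
    outcomes = []
    for req in requests:
        result = run_auction(req, bidders)
        outcomes.append(result[0].creative if result else None)
    return outcomes


if __name__ == "__main__":
    for req, creative in zip(REQUESTS, serve(REQUESTS)):
        print(f"{req.user_agent[:45]:45} -> {creative}")
```

The point of the simulation is the asymmetry: the exchange never sees anything suspicious, because from its side the malicious bidder is simply an advertiser with a narrow targeting profile and a willingness to pay more.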
Protecting against malvertising

The simplest way to shield yourself from malvertising is to block ads and connections to third-party sites (sites beyond the specific domain in the URL). Ad-blocking add-ons are available for most major browsers, and some protection is now baked into modern browsers.

However, taking too aggressive a stance against ads can affect how a web site works, and sometimes breaks key features and components. Many sites now refuse to serve content to browsers with ad blocking enabled, asking the user to disable it first. And in some cases, ad-blocking software lets certain ads through anyway, because the ad provider has paid the blocker to be whitelisted.

Given the current advertising network climate, there really is no simple solution that protects against every form of attack. Ultimately, a layered approach is the best defense against malicious advertising:
- Domain-level protections, such as those offered by Cisco Umbrella, will help to block redirects to domains that are known to be malicious, often stopping a series of redirects halfway through the chain.
- An endpoint protection application, such as AMP for Endpoints, can prevent malicious payloads from being installed onto a computer that encounters a malicious advertisement.
- Network security appliances that include IPS signatures, such as Cisco's Next-Generation Intrusion Prevention System (NGIPS), can detect malicious activity such as exploit attempts against vulnerable software.
- Cisco’s Secure Internet Gateway and Web Security Appliance contain web scanning features that can prevent access to malicious websites.
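The domain-level layer in practice, as an added illustration that is not part of the original article and not code from any Cisco product: walk the chain of redirects an ad triggers, mark each hop as first- or third-party relative to the page, and cut the chain at the first hop whose domain is on a blocklist. The page URL, the redirect chain and the blocklist are constructed for this example, and the registrable-domain logic is a naive last-two-labels heuristic (a real product would consult the Public Suffix List). The `block_third_party` switch shows the trade-off the text describes: blocking everything off-domain stops the chain earliest, but also stops the legitimate exchange.

```python
"""Redirect-chain filtering with a domain blocklist. Constructed example."""
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKED_DOMAINS: Set[str] = {"malicious-cdn.example", "exploit-landing.example"}

# Constructed page and the chain of hops a malicious creative might walk.
PAGE = "https://news.example/article/123"
CHAIN = [
    "https://news.example/ads/slot1.js",                # first-party loader
    "https://adexchange.example/bid?slot=1",             # legitimate exchange
    "https://cdn.adnetwork.example/creative/998.html",   # winning creative
    "https://malicious-cdn.example/redirect?x=1",        # redirect inside the creative
    "https://exploit-landing.example/flash.swf",         # exploit landing page
]


def registrable_domain(url: str) -> str:
    """Naive eTLD+1: last two host labels. Wrong for suffixes like co.uk;
    a real implementation would use the Public Suffix List (assumption)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_third_party(page_url: str, resource_url: str) -> bool:
    return registrable_domain(page_url) != registrable_domain(resource_url)


def filter_chain(page_url: str, chain: Iterable[str],
                 blocklist: Set[str] = BLOCKED_DOMAINS,
                 block_third_party: bool = False
                 ) -> Tuple[List[str], Optional[str], Optional[str]]:
    """Walk hops in order and stop at the first one that must not be fetched.

    Returns (allowed_hops, blocked_hop, reason); reason is 'blocklist',
    'third-party', or None when the whole chain was allowed.
    """
    allowed: List[str] = []
    for hop in chain:
        if registrable_domain(hop) in blocklist:
            return allowed, hop, "blocklist"
        if block_third_party and is_third_party(page_url, hop):
            return allowed, hop, "third-party"
        allowed.append(hop)
    return allowed, None, None


if __name__ == "__main__":
    for aggressive in (False, True):
        allowed, blocked, reason = filter_chain(PAGE, CHAIN, block_third_party=aggressive)
        print(f"block_third_party={aggressive}: fetched {len(allowed)} hop(s), "
              f"stopped at {blocked} ({reason})")
```

Note that the blocklist stops the chain before the exploit landing page is reached, even though the exploit domain itself was not the first bad hop; that is the "halfway through the chain" effect described for domain-level protection. The third-party mode stops one hop earlier still, at the exchange, which is exactly why sites that depend on that exchange break under aggressive blocking.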