Malvertising Can Hit Everyone — How To Protect Yourself From the Newest Online Threat
Online ads aren’t always safe.
Heads up, there’s a new threat running around the internet.
And ALSO on phones, which is quite frankly rude.
It’s called ‘malvertising.’ It’s a serious problem.
What Is Malvertising
Malvertising is a new form of online attack that “distributes malware through online advertisements” (https://www.forcepoint.com/cyber-edu/malvertising).
What happens is that malicious parties (also known as ‘raging jerkbags who ruin everything’) insert lines of malicious code into seemingly innocent online ads, then pay to get the infected ads distributed by respectable online ad vendors, who have no idea that the ad was compromised.
Once the infected ad is approved, it gets distributed to all the websites that the vendor works with. Once it’s on the website, its goal is to infect users with malware. According to Forcepoint,
“malware delivered via malvertising attacks operates as any other form of malware. It can damage files, redirect internet traffic, monitor the user’s activity, steal sensitive data or set up backdoor access points to the system. Malware may also be used to delete, block, modify, leak or copy data, which can then be sold back to the user for ransom or on the dark web.”
One moment please, throwing up in my mouth.
*pause*
Okay, I’m back.
Why Malvertising Is A Huge Problem
The serious problem with malvertising, other than the potential results (see above), is that it works through duping legit ad vendors, and therefore can be on just about any website that had online ads.
Major players who have been hit with malvertising include Forbes, The New York Times, and the NFL website, and that’s the very, very tip of the iceberg.
One particularly concerning example of malvertising I found was the KS Clean campaign. According to crowdstrike.com,
“KS Clean is a malvertising campaign that targets malicious adverts within mobile apps. Once downloaded, the malware would trigger an in-app notification alerting the user to a security issue and promoting them to upgrade the app. However, if the user agreed to the upgrade, it actually completed the installation process and granted cybercriminals administrative privileges to their mobile device.”
Yikes.
One of the biggest issues with this kind of attack, other than the fact that the malware can be installed without the knowledge of the website running the ad, the ad vendor, or the individual interacting with the ad, is that it’s difficult for cybersecurity specialists to detect malvertising campaigns.
Why? As you may have noticed, online ads change all the time. So while one visitor to a page may be hit by the infected ad, the next ten visitors may not be, making it super hard to pin down (https://www.cisecurity.org/blog/malvertising/).
What You Can Do About It
So far, according to everything I’ve read, it’s impossible to completely protect against malvertising campaigns, particularly since some of them don’t require you to actually interact with the infected ad.
A ‘drive-by-download’, for example, is a type of malvertising attack “which exploits browser vulnerabilities to install infected files on the system while the user is passively viewing the ad” (https://www.crowdstrike.com/cybersecurity-101/malware/malvertising/).
I.e., you don’t have to click on it. You just need to be on the site.
However, there are some things you can do to minimize your chances of being hit by a malvertising attack. These include:
1. Keeping online ad-blockers up to date.
2. Updating all internet-connected devices regularly to make sure you have the latest patches and protections.
3. Install antivirus software (you should have done this already, but in case you didn’t, this is your wake-up call).
4. Avoid using Flash or Java and if possible, disable these when surfing the web.
5. Close browser tabs/windows when you’re not using them to avoid ads being run in the background on sites you’re not currently using.
My Favorite Cybersecurity Tip of All
My personal favorite cybersecurity tip is something I ran across recently. It had never occurred to me before but was very much a *facepalm OMG DUH* moment when I read it:
Turn off your devices when you’re not actively using them.
Because (follow me here), if you’re not online, online attackers can’t get you.
Now, I’m not saying to never go on the internet and live in the woods as a hermit. What I am saying is that when you’re sleeping, there is no need for your computer to be on. Infected ads can’t be running on your devices while you’re sleeping if your computer is also taking a power-nap.
(See what I did there? Pats self on back, 100 points to Gryffindor)
It feels like there are new online threats every day. But as long as you know what steps to take, you have a fighting chance of avoiding them. And that chance can be all you need.
Stay safe my friends.
