Where would you expect ads to be positioned on a website? In the header at the top of the page? In a sidebar on the right side of the screen? There is no doubt that advertisements have entered our mental models and have become commonplace. The most popular websites and apps host some form of advertisement space. As the idea of the Internet of things progresses towards reality, advertisers are working diligently to capitalize on any platform to reach users. All of these efforts by advertisement companies to reach users is not going unnoticed. Websites usually host advertising networks that deliver ads to users. Attackers no longer need to compromise a website to push malware to users; they now simply just need to inject malware-laden ads into advertising networks.
This phenomenon shouldn’t seem ground breaking as most of us, I hope, know not to click on shady ads that promise instant cash or unbelievable deals. Modern “malvertising” has evolved to incorporate pre- and post-click functions. Pre-Click functions such as auto-download and auto-run can infect a user without any interaction with that user. Post-click functions such as auto-redirect cause clean-looking ads to direct the user to malicious websites.
Most internet users know of the dangers lurking behind questionable advertisements. The scary part, however, is how deep into trusted sites these malware-laden ads have gone. In 2009, the banner feed of the New York Times was hacked and urged users to install rouge security software. In 2011, ads on Spotify auto-downloaded malware onto user’s computers. Even Yahoo and Google ad networks have seen major infections. Cyphort labs, a leader in malware defense, sampled the top 100,000 most visited domains to see how many domains served an infected ad. The results showed a troubling upward trend.
I believe that advertisement companies must double down on security efforts before aggressively perusing ways to reach users. If users of popular websites must be constantly on guard about malicious ads, are the ads even working?