Did you see a poisoned ad on TMZ or other big sites?
You can protect yourself from a rash of malvertising hitting websites and causing problems on people’s computers.
The ad looks harmless. It’s for a T-shirt company, showing a shirt with the slogan, “I used to care. But I take a pill for that now.” You’re safe, because you didn’t click on the ad, right?
Unfortunately, no. Cybersecurity experts say poisoned ads, or malvertising, can infect your computer without a click. All you have to do is “look” at it, in other words, visit the website, a site you thought was reputable.
Now, a wave of malvertising has hit the celebrity gossip site TMZ and other big names on the Internet, reported Jerome Segura with Malwarebytes. TMZ had more than 32 million visitors in January, according to SimilarWeb.
This malvertising campaign also hit the site Rotten Tomatoes, with 39 million visitors a month, and MakeUseOf, with 28 million, Segura said. Other campaigns have hit Yahoo, Forbes, MSN and more.
Segura said these “booby trapped” ads can do things like download malware or ransomware onto your computer, or send you to a scam site.
“Rogue advertisers are increasingly able to defeat various ad networks which is not good news for publishers and their visitors,” Segura wrote in a blog post. “It means more booby trapped ads will be delivering malware on people’s computers via drive-by download attacks.”
How they do it
The crooks start by setting up fake identities and fake websites, Segura said, before contacting ad companies.
The real ad companies might go to the fake site and see nothing out of the ordinary, no sign of the “complex infrastructure of conditional traffic redirection,” as Segura calls it.
“This is the legitimate façade that these criminal actors want ad networks to see,” Segura said. “In fact, they are so good at it that without actual proof of malicious activity, it’s difficult to find anything wrong with them.”
But when the ad is live on a website, the malvertising begins.
“When the right user lands on the ad page, the malicious code is triggered to perform a series of checks on this new potential victim,” Segura said. “If the conditions are met, a redirection to the Angler exploit kit [a malvertising tool] is performed, ultimately loading a series of exploits and malware.”
All this, he said, costs the crooks just 19 cents per 1,000 user “impressions,” illustrating why malvertising is so cheap for criminals to carry out.
Why they love it
It’s not just inexpensive. Attackers have other reasons for enjoying malvertising raids on your computer.
“Firstly, it’s almost as good as hacking the site on which the malicious ads appear, without actually having to break into that brand’s web servers at all,” explained Paul Ducklin in Naked Security.
Also, he said, ad servers send out ads to many different sites, “so it’s like hacking lots of websites at once.”
Since ads may display at random, the poisoned ads don’t always show up when investigators are looking for them, adding a layer of trickiness, he said.
And, he said, “Someone else pays for the bandwidth.”
How you can protect yourself
Malvertising attacks can happen on any type of website, even well-known publishers, said Segura.
What can you do?
“For starters, the old piece of advice to keep your computer up-to-date with the latest security patches still holds true,” Segura told Archer News. “The vast majority of infections happen because people are surfing the web with outdated versions of Internet Explorer, the Flash Player and so on.”
Using old versions of software can leave you vulnerable.
However, he said, there is more you need to do, because even up-to-date software can have security gaps—called “zero-days”—that the bad guys discover before the software developers do.
Reduce your “attack surface” by uninstalling software you don’t need any more, Segura advised.
“A concrete example is the Flash Player which has suffered several zero-day exploits in the past year and is not required for the majority of websites anymore,” he said.
He also recommended people use anti-malware and anti-exploit technologies, as well as antivirus, saying several layers of defense is more effective for the new kinds of threats appearing on the Internet.
Pop-ups & alerts
Poisoned ads can deliver you something else, too.
“Many people encounter pop ups and various alerts while browsing the web because of malicious ads redirecting to rogue advertisers,” said Segura.
“These fake warnings tell them they need to download the latest video plugin or, even worse, that their computers are infected,” he explained.
The best defense against these scams, he said, is to be aware and stay calm, instead of calling the number you see on your screen.
Ad blocking as a solution?
Many people are turning to ad blocking technology, according to a report by Trend Micro.
“Users are no longer just ‘annoyed’ by unwanted ads, they are fully aware of the kind of risks these pose,” the report said.
In the U.S., the use of ad blocking jumped 48% in 2015, according to the PageFair and Adobe 2015 Ad Blocking report. It also cost advertisers money—$22 billion in 2015, the report said.
“This figure seeks to shake the very foundation by which advertising business models operate, which will, in turn, propel advertisers to seek new ways to advertise online,” TrendMicro predicted. “Likewise, cybercriminals will find other ways to get closer to victims, effectively delivering a blow to malvertisements.”
And indeed, it is already changing the landscape.
In December, GQ told its readers to disable their ad blockers or pay 50 cents for each story.
Forbes sent its readers a message in December saying, “Thanks for coming to Forbes. Please turn off your ad blocker in order to continue. To thank you for doing so, we’re happy to present you with an ad-light experience.”
WIRED told its readers Monday that if they used ad blocking technology, they would have to pay $1 a week to read articles, or agree to see the ads, since 20% of its readers use ad blocking.
“We know that you come to our site primarily to read our content, but it’s important to be clear that advertising is how we keep WIRED going: paying the writers, editors, designers, engineers, and all the other staff that works so hard to create the stories you read and watch here,” WIRED said.