Earlier this month, a few Windows 10 users in Germany reported a malicious attack. And it wasn’t just a mob of Mac users stoking the coals of rivalry. This offense was a bit more subtle and much more sinister.
Users reported that as they were using their trusted Microsoft Apps, like Jigsaw or News, their browsers would “open suddenly to sites pushing tech support scams, sweepstakes, and prize wheels.” Fortunately, most internet users learn early on not to trust pop-ups. However, these days malicious advertising, or “malvertising,” is getting smarter and sneakier.
Malvertising combines the words “malicious advertising” to describe “the practice of using advertisements to distribute malware.” We’ve been subjected to the most obvious forms of malvertising for just almost as long as we’ve used the internet. We’re accustomed to recognizing it in pop-ups, or ads in the margins begging us to click, offering a surprise, and distracting us from an otherwise pleasant game of Tetris.
Similar Malware, Different Disguise
As technology has developed, so have cyber-attacking techniques. Now, malware is more likely to appear like a regular advertisement on a trusted website, rather than the pixelated eyesores we (hopefully) learned to ignore.
An Internet Security Report from Symantec shows that in 2017, malware variants on mobile devices increased by 54%, and new downloader variants overall increased by 90%. This means that not only do we have more malware out in the cybersphere, but cybercriminals are varying their malware, and “working harder to discover new avenues of attack.”
As a result, malvertising takes on a more trustworthy disguise, potentially cozied up in some of our most trusted webpages, using them as a lure. Digital Guardian warns that this use of popular pages as bait “takes advantage of consumer trust in brands and advertising networks.”
Malvertisers may even re-register expired domains that used to be legitimate. AVG explains that “the sites themselves aren’t affected, and the ad providers don’t know they are blasting potentially malicious ads until it’s too late.”
Indeed, immediately upon clicking a malicious ad, users will be redirected. While we expect to be redirected when clicking on an ad, malvertising redirects to a malicious site as the code runs in the background attempting to install malware. This may even involve invisible windows called “Iframes” that secretly navigate to different, malicious websites.
Yikes. So Now What?
Unfortunately, no website is completely immune to the possibility of malvertising. However, there are preventative measures to make sure that you aren’t the victim. These are especially important for companies storing large amounts of data or those whose employees may be working with new businesses.
In most cases, the impetus lies on the individual user. For example, many web-surfers are guilty of disabling their ad-blockers. Since even the most legitimate websites benefit from using ads, it’s becoming common for them to request disabling the ad-blocker just to access a site.
Sherban Naum, senior vice president of corporate technology and strategy at Bromium, laments this “practice of asking users to disable a security feature for their own benefit.” Ideally, we would all avoid malvertising by keeping our ad-blockers engaged.
Digital Guardian recommends that if an advertisement really intrigues you, look up the company without actually clicking the advertisement. Doing your research can keep you from taking the steps that activate malware installation.
Meanwhile, it’s also recommended businesses should scrutinize their advertising partners. CMO of Marfeel, Alexian Chiavegato, advises that “small inconsistencies in how businesses usually operate can be a clue that the company is not legit,” such as making contact at odd hours. While inconsistency isn’t always malvertising, it’s better to be safe than sorry by making research and investigation your first line of defense–after the ad blocker, that is.
Research and Resist
Ultimately, the best defense from today’s more advanced malvertising is just not to click on ads at all. If you simply can’t resist, keep your ad blocker engaged and research the company that so fascinates you that you just have to engage with their banner ad. Keep your ad-blocker engaged for maximum protection.
Professionally, be aware of the companies and advertisers you engage with. Take note of any suspicious behavior and try not to let suspicious content slip through the cracks, thus putting your consumers at risk.
Oh, and did I mention the ad-blocker? Stay safe out there.