Are You Protected from The Biggest Threat Hiding Right in Your Browser?
How a no-click-required malware infection happens
The 80/20 rule applies in cyber security as well as it does anywhere else: although there are numerous attack vectors and types of cyber attacks, 20% of them will have a massive impact on their victims and be used more frequently.
Believe it or not, even among cyber criminals there are trending tactics and attack vectors that gain their reputation by having the right attributes. And our research shows that one technique is particularly appealing to attackers.
Top 4 attack vectors preferred by cyber criminals
In the second quarter of 2015, Heimdal blocked 16600 malicious websites a total of 2.3 million times. The results below clearly show what the most widespread threat for Internet users is right now:
And the numbers are in! Here is a breakdown of the type of threats blocked by Heimdal:
- Malvertising threats were blocked 1.9 million times
- Malware infected websites were blocked 350.000 times
- Browser hijackers were blocked 50.000 times
- Phishing websites were blocked 1000 times.
All four of these categories of cyber threats that target users excel at remaining covert and evading detection. For the regular user, well-executed phishing websites or malware-infected websites are quite difficult to distinguish from legitimate, safe websites. If you don’t know what signs to look for, you won’t see them at all.
Browser hijackers are also a dangerous category, because they will modify the user’s browser settings without permission and continue by injecting malicious ads into that browser. On top of the threat of malware, some browser hijackers can even damage the Windows registry, sometimes incurring permanent consequences.
What’s more, malvertising threats are even more deceptive: infected online ads can be present on legitimate websites that host them unknowingly and unwillingly. Users don’t even have to click on them to get infected, and these types of malicious ads are much more serious than they appear. Since malvertising is the biggest threat for home users, let’s go a bit more in depth about how it works and what can be done to fight it.
Malvertising – the quiet threat hidden in your browser
Malicious online advertising (malvertising) has become a key driver for malware infections, exposing billions (yes, with a “b”) of Internet users to all types of malware and associated security risks. The consequences of widespread malvertising may not be easy to spot at first, but give the numbers below a chance – knowing is having the power to do something about it.
How big is the impact of malvertising?
While no one has the absolute figures, we can still evaluate the potential impact of malvertising by looking at two simple indicators:
- The number of Internet users in the world: over 3 billion
- The number of websites in the world: almost 1 billion.
It’s most likely that every Internet user in the world will see an online ad at some point in his/her life, either in an email inbox, on social media, in Google search results, on websites, on a smartphone, in an app (either on the web or on a smartphone), etc.
Even if not all of these almost 1 billion websites will unknowingly and unwillingly host malicious ads, let’s take into account that the 80/20 rule applies here too: 20% of all the websites in the world attract 80% of the traffic. All cyber criminals have to do is compromise a percentage of those top visited websites to target millions of users.
How malicious ads expose you to malware
But let’s see why malvertising is so dangerous and how it can threaten your private data. By definition, malvertising is a tactic used by cyber criminals to inject malicious online ads into legitimate websites with the purpose of spreading malware.
This type of advanced attack can take multiple forms, such as:
- Pop-up ads that redirect the user to malicious downloads
- In-text or in-content advertising that can redirect the user to an exploit kit server
- Drive-by downloads which can download a packet of data onto the user’s computer without his/her knowledge
- Web widgets that include malicious redirection
- Hidden iFrames that spread malware into a website
- Infected banners
- Compromised content delivery networks that come loaded with malware.
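Several of the forms listed above leave traces in the ad markup itself. The following Python audit is an added example, not code from the original article or from Heimdal: it checks a piece of ad markup for hidden iframes, automatic redirects, and scripts or frames loaded from unexpected hosts. The allowlist, host names and sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed allowlist of hosts a (hypothetical) publisher expects ad markup to load from.
ALLOWED_HOSTS = {"ads.example-network.test", "cdn.example-news.test"}
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

class CreativeAuditor(HTMLParser):
    """Collects findings for hidden iframes, auto-redirects and off-allowlist loads."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            # 0x0 or 1x1 frames and CSS-hidden frames are invisible to the reader.
            tiny = any(a.get(d, "").strip().rstrip("px") in {"0", "1"}
                       for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")) or "hidden" in a:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh-redirect", a.get("content", "")))
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in ALLOWED_HOSTS:
                self.findings.append(("off-allowlist-" + tag, host))

def audit_creative(markup):
    auditor = CreativeAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

# Constructed sample creative: a visible banner plus a 1x1 iframe and an auto-redirect.
SAMPLE = """
<a href="https://ads.example-network.test/click?id=1">
  <img src="https://cdn.example-news.test/banner.png" width="728" height="90"></a>
<iframe src="https://landing.unknown-host.test/gate" width="1" height="1" style="visibility:hidden"></iframe>
<meta http-equiv="refresh" content="0; url=https://landing.unknown-host.test/next">
<script src="https://ads.example-network.test/tag.js"></script>
"""

if __name__ == "__main__":
    for kind, detail in audit_creative(SAMPLE):
        print(kind, detail)
```

A static check like this only sees markup that is present at review time; content that a script injects later needs the runtime controls discussed further down.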
Cyber criminals can go even further and hijack entire domains or leverage online ads distribution networks to bypass code checking and other security measures. Some cyber criminals can even set up their own malicious ad networks which they subsequently use to infiltrate bigger ad networks and enhance their malware distribution to reach millions of users. This is just one of the many examples out there:
In some cases, this attack strategy is used for click fraud purposes, which targets pay-per-click (PPC) online advertising campaigns. In this situation, cyber criminals employ automated scripts or computer programs to imitate a legitimate Internet user clicking on an online ad in order to generate a charge per click without actually looking to purchase the advertised product/service. But in most cases, malvertising is used to deliver malware to unprotected Internet users.
Here’s a simple explanation that shows how the infection process unfolds:
1. The user goes to his favorite news website to catch up on the news.
2. On the legitimate website – which is not infected – there are a bunch of banner ads, but only one of them is malicious.
3. The user never had to click on the banner, or hover the mouse over it. The malicious banner will automatically drop an exploit kit onto the user’s PC.
Of course, there’s also the case where the user does click on the banner, gets redirected (as expected), but to a malicious destination (the exploit kit server), where the exploit kit is dropped from.
Quick definition, according to Lenny Zeltser from SANS Institute:
“An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.”
4. The exploit kit will then scan for vulnerabilities on the user’s PC, such as outdated software or system vulnerabilities, and will execute whatever commands it was programmed with.
5. These commands can range from delivering a malware infection, ransomware, infecting the victim’s PC with financial Trojans, collecting confidential data, remotely controlling the target’s PC or more.
Exploit kits used in malvertisement attacks to distribute malware are extremely capable of remaining hidden, especially from antivirus solutions. Exploit kits such as Sweet Orange or Angler are infamous for the fact that they’re extremely difficult to track and analyze in the wild (you can read more about Angler here). So your system may be infected without you ever knowing (unless you actually know what signs to look for).
So the issue of an infected banner on a website can cause a string of events that can have damaging consequences for the victim. In cyber security, at any level, from personal to corporate, things are always more complicated than they seem, but a little knowledge really goes a long way for those seeking protection from cyber attacks.
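On a network with a web proxy, the chain described above (news site, ad, exploit kit server, plugin content) can be looked for in the logs. This is an added example, not from the original article or from Heimdal: a Python heuristic that rebuilds referer chains and flags plugin content fetched from an unknown host within a few seconds of the page load. The log format, host names, allowlist and time threshold are constructed assumptions.

```python
from urllib.parse import urlparse

# Content types for the plugins named in the quote above (Flash, Java, Adobe Reader).
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                "application/pdf"}
# Assumed allowlist of hosts the organisation expects plugin content from.
KNOWN_HOSTS = {"news.example.test", "ads.example-network.test"}

# Constructed proxy log: epoch_seconds client url referer content_type
SAMPLE_LOG = """\
1000 10.0.0.5 https://news.example.test/ - text/html
1001 10.0.0.5 https://ads.example-network.test/banner.js https://news.example.test/ application/javascript
1001 10.0.0.5 https://gate.unknown-host.test/r https://ads.example-network.test/banner.js text/html
1002 10.0.0.5 https://land.unknown-host.test/x.swf https://gate.unknown-host.test/r application/x-shockwave-flash
1040 10.0.0.9 https://news.example.test/guide.pdf https://news.example.test/ application/pdf
"""

def find_drive_by_chains(log_text, max_seconds=5):
    """Flag plugin content from an unknown host at the end of a fast referer chain."""
    seen = {}    # (client, url) -> (timestamp, referer)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, ctype = line.split()
        seen[(client, url)] = (int(ts), referer)
        if ctype not in PLUGIN_TYPES or urlparse(url).hostname in KNOWN_HOSTS:
            continue
        # Walk the referer chain back to the page the user actually opened.
        chain, cur = [url], referer
        while cur != "-" and (client, cur) in seen and cur not in chain:
            chain.append(cur)
            cur = seen[(client, cur)][1]
        elapsed = int(ts) - seen[(client, chain[-1])][0]
        # Several hops in a few seconds suggests automatic redirection, not a click.
        if len(chain) >= 3 and elapsed <= max_seconds:
            alerts.append({"client": client, "chain": chain[::-1], "seconds": elapsed})
    return alerts

if __name__ == "__main__":
    for alert in find_drive_by_chains(SAMPLE_LOG):
        print(alert["client"], alert["seconds"], " -> ".join(alert["chain"]))
```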
Why attackers prefer malvertising campaigns
With over 82% “market share”, malvertising stands out as the preferred attack vector and there are 5 main reasons why cyber criminals use malicious ads to distribute their attacks:
1. Ad networks are easy targets for skilled cyber criminals.
2. By infiltrating an ad network, they can exponentially increase the number of targets they can reach.
3. Also by compromising an advertising delivery network, attackers can inject their malicious banner ads into legitimate websites, without those websites knowing.
4. Exploit kits used in malvertising are easy to get hold of, are also relatively cheap and require little technical knowledge to use.
5. Most Internet users lack cyber security knowledge, leave their software un-updated and rarely use adequate protection from cyber attacks delivered via web browsers.
You’ll be surprised to know that websites as big as The New York Times, Spotify, The Onion, Horoscope.com or even Google’s own ad delivery network (the biggest in the world) also unknowingly hosted infected ads, exposing their millions of readers to malware infection threats.
The climbing numbers confirm the trend spotted earlier this year, where 90% of web exploits are delivered from advertising networks. Moreover, since last year, advertising rates have tripled – talk about a growing threat!
But now that you know what kind of threats you’re dealing with, let’s see what you can do to protect yourself.
7 Proven Ways to Increase Your Protection Against Web Threats
So if you’re looking for ways to guard yourself from web threats such as malware, phishing, browser hijackers and especially malvertising, here’s a list that will help. Trust me, choosing the right tools and adjusting the right settings can really make a difference when it comes to your personal cyber security.
1. Keep your software up to date. You’ll probably find this piece of advice in all our articles, and there’s a good reason for it too: it’s crucial that you install the latest updates in order to close security holes and prevent cyber criminals from exploiting the vulnerabilities in your system. You can do it automatically or manually, but, you know, as the saying goes: just do it!
2. Secure your browsers. There are actually quite a few settings you can adjust in your browsers to keep you safe online, no matter if you’re using Chrome, Firefox or even Internet Explorer (yes, I said it!). The go-to resource is: The Ultimate Guide to Secure your Online Browsing: Chrome, Firefox and Internet Explorer.
3. Use a security solution that can protect you from advanced malware. Since antivirus can’t provide much protection against advanced exploit kits that deliver malware (though you should still use it), you need additional protection. Choose a solution that works proactively and is capable of identifying and blocking threats such as malicious banners or compromised websites before they infect your PC.
4. Be very careful which plugins you choose to install in your browsers. It’s wise to enable click-to-play plugins in every browser (here’s how to do it), and it’s also great that Google has decided to block Flash ads since September 1, 2015, thus reducing the number of cyber threats directed towards your PC.
5. Stop using the administrator account on your PC. This safeguard is important for any user who wants to enhance his/her defenses. Use a guest account instead to prevent escalation in case of a successful infection attempt. Planning for the worst outcome is a golden rule to follow in cyber security.
6. Get rid of old software you (almost) never use. Cleaning up your system will result in better performance, but also in improved security, because you’ll reduce vulnerabilities in your system by uninstalling software that can become a liability.
7. Use an ad blocker. The answer to “will ad blockers protect me from malware?” is YES. An ad blocker or other similar software can and will protect you from malvertising. But if you enjoy an ad every now and then, you can use all the advice above and still browse the web with peace of mind. And there are more browser extensions that can ensure your privacy is protected, as well as ensuring a few extra percentages protection-wise.
And don’t forget: you are one of your top assets! I know it sounds strange, but investing a bit of time in learning about cyber security basics will help you immensely. You’ll be able to identify threats, know what to do about them or find the resources that you need in order to solve the problem. As a plus, you’ll also be able to teach others how to protect themselves, and that’s – as they say – priceless!
Malvertising is not going to fade anytime soon as long as ad networks don’t improve their security settings, exploit kits are cheap, and users neglect to secure their systems and browsers. Since malvertising accounts for over 82% of the channels that deliver online threats, another solution to mitigating this problem would be to drive ad delivery networks and online ad space sellers to verify the content before going live with a campaign.
Let’s face it, neither malvertising, malware-laden websites, browser hijackers nor phishing attempts are going to be eradicated as cyber threats, but there is a lot we can do to diminish their reach, effectiveness and consequences. We’re all a part of this ecosystem and each step taken in the right direction benefits us all.