The discovery of malicious advertisements on the London Stock Exchange's website this week underlines a much greater problem, as criminals use malvertising, or a pop-up ads virus, to trap unwary users.
Malvertising came out of nowhere last year to become No. 3 in the hit parade of attacks, behind fake AV and fake codec mechanisms.
director of product marketingBlue Coat
The infected ads were discovered by security researcher Paul Mutton, who visited the Stock Exchange's site to check reports that certain users were having trouble accessing it. Pop-up ads on the site managed to plant a rogue antivirus program on Mutton's Windows PC, which tried to get him to pay money to fix problems it claimed to have found.
The problems were confirmed using Google's safe browsing diagnostic tool, which revealed that, "of the 1219 pages tested on the site over the past 90 days, 363 page(s) resulted in malicious software being downloaded and installed without user consent." The Exchange claims since to have fixed the problem.
However, according to new research from network security company Blue Coat Systems Inc., malicious advertising -- or malvertising, as it's been dubbed -- is fast becoming the technique of choice for many criminal gangs trying to plant malware on end-users' computers.
"Malvertising came out of nowhere last year to become No. 3 in the hit parade of attacks, behind fake AV and fake codec mechanisms," said Dave Ewart, director of product marketing for Blue Coat in Europe.
Ewart said criminals will frequently place a legitimate advertisement on websites, and leave it there, often for several months, in order to build a good reputation with any of the mechanisms used worldwide to spot malicious code.
Having established the ad's reputation, the criminals will then inject a malicious payload into the ad, infect as many machines as possible in a short time, and then disappear.
The Blue Coat Security Report describes one example thusly: "A relatively new ad domain that had existed for approximately six months had been checked several times for malware with clean ratings, when it picked a day in early November to selectively target and deliver its cloaked malware payload. The next day it was gone."
The advertising is also crafted to target infections at selected groups of users rather than taking a scattergun approach that is more likely to trigger an alert. According to the report, in one attack last September, attackers checked the user's language settings first to make sure he or she would understand. As the report commented: "Why serve up a fake AV offer in a language the user cannot comprehend, making it ineffective, polluting your backyard, and [making it more likely to be] caught by the local police?"
Another trick noted by the Blue Coat report is criminals launching their malvertising attacks on the weekend, when users might be browsing the Internet from home and are, therefore, outside the protection of their corporate networks. This means users can become infected and bring the infection into the organisation when they return to work.
Ewart concluded that reliance on reputation-based systems alone is no longer sufficient to protect users. "Relying on reputations is getting less effective. One lesson is to be aware of the dynamic nature of the Internet," he said.
Alan Bentley, senior vice president of international sales at security patch management company Lumension Security Inc., agreed that malvertising is a growing threat.
"Embedding malware in pop-up advertisements is becoming common practice. They are a hacker's best friend, because there is no need to entice computer users to click on anything, improving the chances of infecting users with malware," Bentley said. "The danger lurks beneath the ad. There are no telltale signs to warn people. The onus is therefore on the organisation hosting the website to keep it clean by ensuring the latest security holes are plugged."
He recommended adopting a whitelisting approach for user protection, so users can only run programs that have been positively approved, rather than trying to maintain up-to-date blacklists of known danger sources.