Malvertising campaigns increased 325 percent in the past year, according to a report from Cyphort Labs this week. A similar report from Risk IQ found malvertising grew 260 percent in the first half of 2015 compared to the same period in 2014. And earlier this month, Invincea found malvertising as one of the biggest threats to endpoint security, causing an estimated $525 million in damages in the first six months of 2015. The findings prompted Belcher to dub June "the worst month of malvertising basically ever."
Tricking the ad network
To start a campaign, the criminal first has to trick the ad network into accepting its advertisements. Many ad networks make it easy to get started as an advertiser, with an open enrollment form and a fairly low fee. If the attacker is using a compromised credit card or money earned from other online scams, $400 or so is not a serious barrier to entry, Belcher said.
This easy access is why some of the smaller ad networks recently have banded together to establish best practices, such as banning open enrollment and imposing higher entry fees, he said. Requiring in-depth background checks and spending commitments of as much as $5,000 a month generally stops the scammers.
"Malvertisers are notoriously cheap," Belcher said. They are trying to maximize their profits and don't want to pay higher fees monthly.
Another way malvertisers trick ad networks into treating them as legitimate advertisers is by initially showing clean, innocuous collateral. Once the ad network has approved the ads, the advertiser can swap in malicious ads pointing to an attack website without the network noticing. This is even easier if the advertiser is allowed to host ads on its own servers instead of on the ad networks' servers.
This lets malvertisers look at incoming IP addresses so that they know to show the clean collateral to the ad networks' scanners and the malicious ads to everyone else.
While some of the larger ad networks require all the ads to be hosted on their servers, that isn't always the case. The ad networks may not want to pay for the cost of serving up all the ads, or advertisers may want to keep the ads in order to collect better metrics. If the ads are all hosted by the network, it would be harder for the ads to be swapped, but the advertising industry as a whole hasn't moved toward that practice yet.
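As an added defender-side example (not code from the article or from any ad network it mentions), the check below shows how a network that allows externally hosted creatives can catch both tricks described above: it fingerprints the creative and landing page at approval time, then re-fetches from more than one vantage point. A creative that no longer matches the approved version is flagged as swapped; vantage points that receive different content from each other is what IP-based gating of the scanner looks like from the outside. The sample fetches and domains are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Fetch:
    vantage: str     # label for the vantage point that fetched the ad, e.g. "scanner"
    creative: bytes  # bytes the advertiser's server returned for the creative
    landing: str     # final URL reached by following the ad's click-through


def fingerprint(data: bytes) -> str:
    """Content hash recorded when the creative is approved and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def audit_creative(approved_hash: str, approved_landing: str, fetches: list[Fetch]) -> dict:
    """Compare what an externally hosted creative serves now against what was approved.

    'swapped' lists vantage points that no longer receive the approved creative or
    landing page. 'cloaked' is set when vantage points disagree with each other,
    which is the observable symptom of serving clean collateral only to known scanner IPs.
    """
    findings = {"swapped": [], "cloaked": False, "per_vantage": {}}
    seen = set()
    for f in fetches:
        h = fingerprint(f.creative)
        findings["per_vantage"][f.vantage] = {"hash": h, "landing": f.landing}
        seen.add((h, f.landing))
        if h != approved_hash or f.landing != approved_landing:
            findings["swapped"].append(f.vantage)
    findings["cloaked"] = len(seen) > 1
    return findings


# Constructed sample: the creative and landing page recorded at approval time.
APPROVED_CREATIVE = b'<a href="https://shop.example/sale"><img src="banner.png"></a>'
APPROVED_HASH = fingerprint(APPROVED_CREATIVE)
APPROVED_LANDING = "https://shop.example/sale"

# Constructed fetches: the scanner's address still gets the clean creative, a second
# vantage point does not. Domains are placeholders, not real indicators.
SAMPLE_FETCHES = [
    Fetch("scanner", APPROVED_CREATIVE, APPROVED_LANDING),
    Fetch("residential", b'<iframe src="https://landing.invalid/x"></iframe>', "https://landing.invalid/x"),
]


def run_sample() -> dict:
    return audit_creative(APPROVED_HASH, APPROVED_LANDING, SAMPLE_FETCHES)


if __name__ == "__main__":
    print(run_sample())
```

A creative that every vantage point now serves differently from the approved version is reported as swapped but not cloaked, so the two flags separate a plain post-approval swap from scanner-targeted gating.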
The industry recognizes the malvertising problem and is working to establish best practices, Belcher said. It's not necessarily a technology problem, since the criminals are able to defeat the scanners and other mechanisms in place. This is where best practices and new processes have to be in place to ensure only legitimate advertisers can get into the networks, he said.