Last Updated: January 31st, 2025 | 11 min read | Categories: Ransomware

Malvertising: What is it and How Can it Lead to a Ransomware Attack?

While there is a wide range of cyberthreats facing every business today, one of the most dangerous is malvertising. This technique seeks to use people’s everyday web browsing activities against them by injecting malware into seemingly innocent online ads. One click on an infected ad can expose businesses to a range of problems, such as ransomware or data theft.

Malvertising is difficult to spot and can be even harder to block, and the consequences of this type of attack can be severe. Therefore, understanding what malvertising is, how it works and how it can be stopped must play an important role in any malware protection strategy. So what do you need to know?

What is Malvertising? Examples and Mechanisms

Malvertising is a combination of malware and advertising. As the name implies, it refers to malicious software that spreads via online advertising – most often through ads that are displayed when using web browsers.

Typically, malvertising works by hackers infiltrating legitimate ad networks to plant their malware within third-party ads. These are then displayed to users as normal harmless ads – until they click and malicious code is downloaded. 

Malvertising can appear almost anywhere. The vast majority of publishers use third-party ad networks on their websites that can be targeted by cybercriminal gangs. This means that almost any website that carries advertising can potentially be infected.

There is a range of ways in which malvertising targets businesses. For example, a user may see a banner ad that, when clicked, takes them to a fake site that injects malware. Other techniques include hiding malware within banner ad pixels or in videos, or even using ‘drive-by downloads’. These exploit browser vulnerabilities to infect systems even if a user does not directly interact with the ad.

These techniques have been used in malvertising attacks that have appeared on some of the world’s biggest websites, including the New York Times, the BBC and the NFL, as a result of their partnerships with legitimate third-party advertisers that have become targets for malware groups.

How Do Malvertisements Appear on Legitimate Websites?

One of the most dangerous aspects of a malvertising campaign is how it uses everyday publishers to deliver its packages. Many people may believe that, as long as they stay away from risky, obscure or untrusted web content, they can avoid falling victim to malware. But with malvertising, this is not the case.

A common attack vector for these threats is to target third-party advertisers, such as Google Ads, that are used by millions of web users. Hackers can easily reach huge audiences by exploiting vulnerabilities in these services, or even buy space on an ad network directly. They only need a tiny percentage of these viewers to engage with the ad to be successful.

These are not the only methods used. Some cybercriminals target sites that rent space directly to advertisers, which may often be smaller publishers with weaker protections, for the use of malicious ads.

Does Malvertising Affect Mobile Devices?

While many malvertising attacks use vulnerabilities within desktop versions of popular web browsers, mobile malvertising is becoming increasingly common as people’s browsing habits change. This can be particularly dangerous for a number of reasons. 

Firstly, it’s often easier for users to click on mobile ads by accident. What’s more, ad blockers are less common on mobile devices, so more users are likely to see dangerous ads, increasing the chance of infection. 

Finally, antivirus protections are also less frequently used on mobiles – especially on personal devices that may also be used to connect to business networks. For example, Security.org notes that only 17 percent of smartphone users run antivirus solutions on their devices.

What are the Consequences of Malvertising Attacks?

Malvertising can lead to a wide range of negative consequences, including financial, reputational and operational impacts. Among the most dangerous types of malvertising attacks are those that seek to gain control of a user’s system or steal valuable data – with ransomware a key threat.

Some types of ransomware may block access to critical files or systems, which can greatly harm productivity or even prevent a business from operating altogether until access has been restored.

However, increasingly, the real harm of ransomware lies in data exfiltration attempts. Our research indicates that over nine out of ten ransomware attacks (94 percent) exfiltrate data. This can then be used for a number of purposes, from being sold for profit on the dark web to extorting organizations directly.

Last year, some of the biggest ransomware incidents included an attack on Change Healthcare that cost over $800 million in direct expenses and one on Kawasaki Motors that leaked 487GB of data.

How to Prevent Malvertising and Avoid Infections

Given the damage that malicious advertising can do, it’s essential firms have a plan to prevent this type of malware infection. However, relying on tried-and-tested security methods alone may not be enough to tackle the most sophisticated threats.

One of the most common ways to prevent malvertising is to use an ad blocker. Usually, if the malicious code is prevented from accessing the user’s device, the threat is neutralized. However, there are limitations to this approach. There are privacy and security concerns over some free ad blockers, while some malvertising campaigns are tailored to bypass these add-ons entirely. 

Employee education is another important step in blocking malvertising. Encouraging careful clicking to avoid accidentally interacting with ads is highly important. This is especially the case on mobile, where it can be very easy to tap inadvertently in the wrong place.

Can Antivirus Tools Protect Against Malvertising?

The other common first line of defense against a malicious advertisement is antivirus software. But again, this has limitations. Increased use of fileless malware by cybercriminals has blunted the effectiveness of these solutions, while attacks that take advantage of zero-day vulnerabilities can often evade detection.

As such, you can’t rely solely on these security software solutions to prevent malware from entering your business. Sooner or later, it’s highly likely that an attack will be able to break through these perimeter defenses. However, this does not mean it’s too late to do anything – with the right tools you can still block the most harmful activities, such as data exfiltration, and protect your business from the most dangerous threats.

Malvertising and Ransomware: The Connection

While malvertising techniques can be used to deliver any type of malicious software, one of the most common threats is ransomware. Recent figures, for example, estimate that this type of malware attack is used in 70 percent of malvertising campaigns.

Malvertising is one of the easiest ways for hackers to inject ransomware into a business, and all it can take is one misclick or drive-by download to bypass defenses. The cost of this can be high, so tackling this form of malicious code needs to be a key part of any firm’s data protection strategy.

How to Detect and Respond to Ransomware Infections

While prevention is always better than cure, this isn’t always possible. When it comes to malvertising, the techniques used by cybercriminals often make it easy for an online ad to infect your network with malicious code, even if you are protected by antivirus software and have employees that are not behaving carelessly.

In such cases, it’s essential you are able to detect threats such as ransomware as quickly as possible, so you can take the right steps to remove it before it does damage. This means using advanced detection and response (XDR) technology and embracing tools such as artificial intelligence (AI) and anti data exfiltration (ADX) to spot suspicious activities within your network. 

These innovations use behavioral analysis rather than signature matching to spot signs of ransomware. They are more proactive than traditional methods as they look for unusual user activity such as large file transfers.
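
As an added illustration (not BlackFog's code and not part of the original article), the sketch below shows the idea behind behavioral detection of large transfers: each host's outbound volume is scored against that host's own history instead of a signature or a fixed limit. The flow records, host names, destinations and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed sample records, in time order: (host, hour, destination, bytes_out).
FLOWS = [
    ("ws-014", 9, "cdn.example.net", 1_200_000), ("srv-022", 9, "backup.example.com", 200 * MB),
    ("ws-014", 10, "cdn.example.net", 900_000), ("srv-022", 10, "backup.example.com", 220 * MB),
    ("ws-014", 11, "mail.example.com", 1_500_000), ("srv-022", 11, "backup.example.com", 180 * MB),
    ("ws-014", 12, "cdn.example.net", 1_100_000), ("srv-022", 12, "backup.example.com", 210 * MB),
    ("ws-014", 13, "mail.example.com", 1_300_000), ("srv-022", 13, "backup.example.com", 190 * MB),
    ("ws-014", 14, "cdn.example.net", 1_000_000), ("srv-022", 14, "backup.example.com", 205 * MB),
    ("ws-014", 15, "files.upload.example", 150 * MB), ("srv-022", 15, "backup.example.com", 230 * MB),
]

def find_egress_anomalies(flows, threshold=6.0, min_history=5):
    """Flag transfers far above the sending host's own baseline.

    The score is a robust z-score: distance from the host's median volume,
    measured in scaled median absolute deviations (MAD).
    """
    history = defaultdict(list)   # host -> earlier bytes_out values
    seen_dest = defaultdict(set)  # host -> destinations contacted so far
    alerts = []
    for host, hour, dest, nbytes in flows:
        past = history[host]
        if len(past) >= min_history:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # Floor the spread so a very steady host does not alert on noise.
            spread = 1.4826 * max(mad, 0.1 * med, 1.0)
            score = (nbytes - med) / spread
            if score > threshold:
                alerts.append({"host": host, "hour": hour, "destination": dest,
                               "bytes_out": nbytes, "score": round(score, 1),
                               "new_destination": dest not in seen_dest[host]})
                continue  # keep the outlier out of the baseline
        past.append(nbytes)
        seen_dest[host].add(dest)
    return alerts

if __name__ == "__main__":
    for alert in find_egress_anomalies(FLOWS):
        print(alert)
```

In this constructed data the 150 MB upload from the workstation is flagged while the server's routine 230 MB backup is not, which a single fixed size limit could not achieve.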

Once a data exfiltration attempt is detected, it’s important to shut it down as quickly as possible. Automated tools that can do this without human intervention are highly valuable here. Other critical steps include isolating infected systems from the network, enacting a data recovery program to repair any encrypted files, and reporting incidents to the relevant authorities.

How BlackFog Protects Against Malvertising and Ransomware Threats

BlackFog’s solutions work on every endpoint on a network, analyzing all outgoing data for unusual behavior that can indicate that data exfiltration is being attempted. Data theft is an essential part of double extortion ransomware, so being able to shut this down as early as possible is highly important. Our solutions also offer advanced threat hunting capabilities.

Because the software is lightweight enough to work on any device – including smartphones and tablets – and does not send data back to central servers for description and analysis, it also helps secure remote and mobile workers who may be connecting through insecure networks. The use of home networks and public Wi-Fi hotspots, for example, can leave these employees more vulnerable to threats such as malvertising, man-in-the-middle attacks and other forms of malware that can compromise data privacy.

Staying Ahead of Malvertising Threats

Hackers are constantly evolving their attacks in order to bypass defenses, and malvertising is no different. While legitimate advertising platforms are always looking to improve their systems to reduce the risk of hackers infiltrating their networks, they can never offer 100 percent guarantees.

It’s important, therefore, for businesses to take a proactive approach to protecting against malvertising and the threat it poses. Tools such as AI, automation and behavioral analysis all have important roles to play in this. They can help to ensure that, even if malware is able to bypass defenses such as firewalls and antivirus software, cybercriminals will be unable to exfiltrate valuable data.
