Cybercriminals are always trying to innovate – looking for new ways to compromise user devices and extract valuable business data in the hope of achieving a pay-out. One of their favourite methods for doing so is social engineering, where bad actors exploit and mislead legitimate users into giving them access. This type of attack remains a popular avenue for attackers, mostly because the barrier to entry is very low: other methods for breaking into a secured system take a lot of time, money and, in the case of hacking, expertise, whereas composing and sending a phishing email is comparatively easy. But while phishing remains a popular attack type, it isn’t the only method of social engineering. One of the latest forms of these attacks to gain popularity is “malvertising”: using legitimate ad services like Google Ads to spread malicious links and bait users into downloading malware.
Where did malvertising come from?
As we mentioned, the most common tactic bad actors use for social engineering is phishing – sending emails embedded with malicious links which, when clicked, give cybercriminals access to a device. That can take a few different forms: stealing credentials to pose as legitimate users in future attacks, setting up a backdoor into a wider business system, installing malware directly, or any combination of the three.
For phishing to be successful, cybercriminals need to bait their hooks, and this is usually achieved by spoofing legitimate communications – notices about deliveries, discounts for online shopping, or even notices from antivirus software asking users to download a patch. It’s a time-tested approach, so it was only a matter of time before cybercriminals looked to leverage other recognisable forms of communication, such as online and pay-per-click (PPC) advertising.
This led to the birth of malvertising, and a new dawn for social engineering attacks. To deliver these attacks, a bad actor first creates a spoofed version of a legitimate site where user credentials can be captured, such as an ecommerce retailer site, or a sign-in page for a financial organisation. Once in place, the bad actor then pays to promote themselves through ad services, using ads that appear to be genuine promotions from recognised brands.
Part of the reason this can be so effective is that search engines place paid ads above the organic search results, letting these spoofed links sit in the prime position to trick unsuspecting users. One of the most attention-grabbing examples of this occurred recently, when bad actors spreading the Rhadamanthys malware set up pages mimicking the appearance of Open Broadcaster Software (OBS) – a popular piece of free software often used by streamers. The page looked like the legitimate download page for the program but instead installed malware onto user devices.
We’ve seen malvertising emerge as a popular attack avenue in recent times, but it’s not completely new. Attacks have been spotted in the wild as early as 2007. A number of these earlier attacks harnessed on-site banner ads – a strategy that is still in play today. So long as a cybercriminal is paying to advertise, some ad agencies will host them on a site, meaning the malicious ad can appear directly on a legitimate site, rather than the attacker needing to spoof one. What makes this variant of malvertising so dangerous is the potential to compromise devices without any user action: malicious ads have been known to use “drive-by downloads”, which exploit browser vulnerabilities to install malware directly onto a device. Most web browsers have since been updated to block this activity, but outdated browsers remain exposed.
How can you protect yourself?
Keep software up-to-date: Drive-by downloading presents a significant threat to businesses, but it only works if users’ web browsers are outdated and vulnerable. As such, the first and most important step for businesses to take to stay protected is to make sure everything stays up-to-date, rather than putting off patches and updates until it’s too late.
User awareness training: Malvertising is a form of social engineering at heart, and so the best remedy is the same as for other forms of social engineering: increased user awareness. Users who are aware of the risk malvertising poses are less likely to click spoofed links and download files from untrustworthy websites, keeping business systems safe from bad actors. If you’d like to know more about how user awareness training can help you build a proactive security posture, take a look at our recent blog.
Security solutions: User awareness goes a long way, but as the saying goes, your users need to get lucky every time, while cybercriminals only need to get lucky once. As such, it’s important to ensure your business has the capability to isolate and destroy threats that manage to gain entry to your environment. Some security solutions can also flag suspicious websites and downloads for users, which supplements user awareness training and helps to ensure that your business isn’t put at risk in the first place.
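The “flag suspicious websites and downloads” capability described above can be illustrated with a small defender-side check. The following is an added example, not code from the original post or from any vendor product. It scans web-proxy log lines for destination hosts that look like a protected brand once confusable characters (such as `0` for `o`) and hyphens are folded away, or that sit within two edits of the brand name, and it additionally flags installer downloads from any host that is not trusted. The log format, the protected-domain list (obsproject.com is taken from the post; `placeholder-bank.example` is a placeholder), the confusable table and every sample request are constructed for the example.

```python
"""Flag lookalike domains and installer downloads in web-proxy logs.

Added example for the blog post on malvertising; not the post's own code.
The log format, brand list, confusable table and sample requests are all
constructed assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Constructed list of brands whose download or sign-in pages users legitimately visit.
# obsproject.com is the real OBS site named in the post; the second entry is a placeholder.
PROTECTED_DOMAINS = {"obsproject.com", "placeholder-bank.example"}

# Constructed subset of character substitutions commonly seen in lookalike registrations.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Installer extensions whose download from an unrecognised host deserves a second look.
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip")


def normalize_label(label: str) -> str:
    """Fold confusables and punctuation so that '0bs-project' becomes 'obsproject'."""
    label = label.lower().replace("-", "").replace("_", "")
    for lookalike, genuine in CONFUSABLES:
        label = label.replace(lookalike, genuine)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: multi-part public suffixes
    such as co.uk are not handled; a real deployment would use a suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a destination host."""
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for protected in PROTECTED_DOMAINS:
        protected_label = protected.split(".")[0]
        # Same brand once confusables are folded, or within two edits of it.
        if normalize_label(label) == normalize_label(protected_label):
            return "lookalike"
        if levenshtein(label, protected_label) <= 2:
            return "lookalike"
    return "unknown"


def scan_proxy_log(lines):
    """Parse constructed 'timestamp client method url' lines and flag each one.

    Returns a list of (url, verdict); the verdict is the host classification,
    suffixed with '+installer' when an installer is fetched from a non-trusted host."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: skip rather than guess at its fields
        url = parts[3]
        pieces = urlsplit(url)
        verdict = classify_host(pieces.hostname or "")
        if verdict != "trusted" and pieces.path.lower().endswith(INSTALLER_SUFFIXES):
            verdict += "+installer"
        findings.append((url, verdict))
    return findings


# Constructed sample log; none of these requests was observed anywhere.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z 10.0.0.21 GET https://obsproject.com/download",
    "2024-03-01T09:00:07Z 10.0.0.21 GET https://0bsproject.com/OBS-Studio-Setup.exe",
    "2024-03-01T09:01:15Z 10.0.0.33 GET https://obs-project.net/download/setup.msi",
    "2024-03-01T09:02:40Z 10.0.0.33 GET https://docs.obsproject.com/en/latest/",
    "2024-03-01T09:03:02Z 10.0.0.45 GET https://example.org/index.html",
]

if __name__ == "__main__":
    for url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:22} {url}")
```

In the sample, the genuine OBS download and its docs subdomain come back `trusted`, the two typosquats are flagged `lookalike+installer`, and an unrelated site is `unknown` rather than blocked; the point of the check is to surface hosts that imitate a brand your users download from, while leaving ordinary browsing alone.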
Zero trust: Zero trust network architecture (ZTNA) offers a near-unbeatable level of security in this scenario. What makes any type of social engineering attack so valuable to attackers is that once a cybercriminal compromises a device, they’re often free to move throughout a network, so a single compromised user can bring down an entire business network. With a zero trust architecture, criminals aren’t afforded that level of access, and must routinely prove that they are who they say they are, rather than being trusted by default. This means that if the unthinkable occurs and a cybercriminal is able to compromise a user device, the impact of the initial breach is limited, while you also buy more time for threat detection, identification and remediation before further damage is inflicted.
If you’d like to know more about how to keep yourself safe from malvertising or want a helping hand implementing any of the security-bolstering measures we’ve highlighted, we’re here to help. Reach out and speak to a member of our team to learn more.