Virtually all of the free web services we use regularly — from searches to email, maps to social networking, and even gaming and video sites — are free only because they are funded by online advertising.

Online advertising is a huge multi-billion pound business, supported by large multi-layer ad network infrastructure. And it is effective not only for legitimate advertisers, but also for cybercriminals.

Indeed, malvertising (as in Malware Advertising) has come from nowhere to arrive at the number three position in the “top ten” methods for web attack in 2010. Let’s look at how this new phenomenon works, and draw some conclusions about how best to confront it.

Online advertising and malvertising

Ad networks operate on an Affiliate Marketing model, where advertisers place campaigns with a large number of publishers, large and small, that are paid media fees by referral on some measurable action that tracks traffic to the advertiser.

The complex affiliate network acts as an intermediary between publishers and affiliate programs, B2B arrangements that pay according to the number of people who visit the page containing the merchant’s online ads, see them, or click through to the call-to-action in the ad itself.

This infrastructure is large and complex, with huge numbers of tiny transactions, huge numbers of business relationships, and huge numbers of linked connections between ads and click-through destinations. Larger, well-known trusted ad network domains may outsource to smaller, newer and perhaps not-so-trusted ad domains.

With many degrees of separation and automation between the merchant placing the ad and the space where the ad ends up being placed, reputations and trust are often assumed or inherited through the layers of the affiliate network.

Cybercrime loves to leverage other people’s trust and reputation — as well as their infrastructure — to deliver malicious software to as many people as possible. Injecting a malicious ad into a legitimate ad network enables the cybercriminal to cast a very large net without necessarily making a splash that can be detected.
Cybercriminals will either:

  • Create a harmless new ad or ad domain that — once trusted, reputable and allowed by most defenses — transforms into something nasty, or
  • Infect someone else’s trusted web ad, using the same kind of injection or poisoning methods they use to infect trusted, reputable websites

A criminal malvertising campaign is run like any real ad campaign, but in either case the point is to suddenly and silently rewire the ad itself or its click-through to deliver a malware payload. The payload then infects the user’s computer, steals logins and passwords, or steals money or data from their employer.

Let’s look first at how ads get from the affiliate network to the webpage, and how cybercriminals take advantage of the affiliate network infrastructure that characterizes the world of online advertising.

Typically, a web property owner offers ad space to a primary ad vendor, the one the owner has a relationship with. It’s all automated: when a page is populated by, say, a new news article, keywords in the article are made available to the primary ad vendor’s software. For example, with the keywords “Golf”, “Florida” and “Luxury”, we’d want to target people interested in upscale fly-drive golfing holidays to the Florida Keys.

The software figures out whether it has a highly relevant ad that it can use. If the primary ad vendor does not have an ad that targets those people, or hits a cost threshold for placing an ad there on behalf of its client, it’s programmed to fall back to placing a less targeted ad (at a lower rate) from one of its affiliates.

If the affiliate doesn’t have an appropriate ad or is unwilling to pay even the secondary rate to serve a generic ad, they may opt to serve a cheap/generic ad from one of their affiliates. And so on down the chain.

Clearly, this mesh of affiliate/partner/sub-affiliate agreements and fuzzy responsibility between ad networks provides a tremendous opportunity for a rogue ad – or a rogue ad domain – to slip through.

Now, like all web advertising, malvertising ads may be targeted (by keywords like “clearing house” or “data protection”) to maximize their effectiveness, and themselves create a kind of dynamic but targeted linkage between sites, all designed to attract and draw a particular type of viewer.

Transformation and timing tactics to circumvent security

A key feature of malvertising attacks is that the bad ad or the bad ad domain will start off innocent, allowing itself to be checked many times by security software to develop clean ratings and a good reputation.

Like a sleeper cell in a spy novel, patience pays. By taking time to develop clean reputations within ad networks and passing multiple sweeps for malware, cybercriminals establish valuable, trusted positions within web advertising structures before launching attacks, and that groundwork makes for a very successful campaign.

When the sleeper awakes, routing behind the ad is transformed to take the view or the click-through to a malware host, and the malware connections are able to do their worst in their targeted campaign. Then the next day, they’re gone.

Cybercrime’s malvertising tactics tend to launch attacks over the weekend when IT resources are low, defense updates are waiting to be applied and an attack is less likely to be noticed. Remember, classic web defenses are geared towards updates – a new database has to be applied before the security systems can act on the new threat.

Taking the sting out of malvertising

Cybercriminals often wait months to establish legitimate-looking ad infrastructures so that they can bite users at a selected optimal time and penetrate past reputation-based defenses. So it is clear that, when faced with malvertising, your security systems can’t rely on reputation to decide which ads to block. Instead, we need to look to advanced security systems that rate web properties and the ads they depend on in real time.

Similarly, we can’t rely on waiting for a “security update” to be applied to the user’s computer. It’s probably going to be too late. If your security system has any kind of regular “Click here to update definitions file” requirement, it will likely fail to protect your users, especially on the weekend.
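To make the affiliate waterfall (primary vendor falling back through its affiliates) and the sleeper timing argument concrete, here is an added Python model that is not code from the original article: the ad domains, their keywords and the day-30 flip are constructed, and the two policy classes are assumptions standing in for a cached-reputation defence and a real-time rating one.

```python
from dataclasses import dataclass, field

@dataclass
class AdDomain:
    """One vendor in the affiliate waterfall (constructed model, not a real ad API)."""
    name: str
    keywords: frozenset = frozenset()        # empty = only generic, untargeted ads
    affiliates: list = field(default_factory=list)
    flips_on_day: float = float("inf")       # day its click-through is silently rewired
    def has_ad_for(self, wanted):
        return not self.keywords or bool(self.keywords & wanted)
    def is_malicious(self, day):
        return day >= self.flips_on_day

def resolve_ad(vendor, wanted, chain=None):
    """Serve the vendor's own ad if it targets the page keywords, else fall back depth first to affiliates."""
    chain = (chain or []) + [vendor.name]
    if vendor.has_ad_for(wanted):
        return vendor, chain
    for aff in vendor.affiliates:
        filled, sub = resolve_ad(aff, wanted, chain)
        if filled is not None:
            return filled, sub
    return None, chain

class CachedReputation:
    """Classic defence: rate a domain on first sight and keep trusting that verdict."""
    def __init__(self):
        self.verdicts = {}
    def allow(self, domain, day):
        if domain.name not in self.verdicts:
            self.verdicts[domain.name] = not domain.is_malicious(day)
        return self.verdicts[domain.name]

class RealTimeRating:
    """Rate the ad domain on every serve instead of trusting a stored reputation."""
    def allow(self, domain, day):
        return not domain.is_malicious(day)

def malicious_ads_served(policy, root, wanted, days):
    """Count the serves on which the policy let a rewired ad through."""
    return sum(1 for day in days
               if (ad := resolve_ad(root, wanted)[0]) is not None
               and policy.allow(ad, day) and ad.is_malicious(day))

# Constructed network: the sleeper sub-affiliate stays clean for a month, then flips.
SLEEPER = AdDomain("sleeper-ads.example", flips_on_day=30)
CHEAP = AdDomain("cheap-ads.example", frozenset({"travel"}), [SLEEPER])
PRIMARY = AdDomain("trusted-ads.example", frozenset({"golf", "florida"}), [CHEAP])
```

A page keyed on “clearing house” falls all the way down to the sleeper, and over a 60-day run the cached verdict keeps serving the rewired ad from day 30 onward while the per-serve rating blocks every one.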

Protection for users at home, on the road, or even at the office has to be delivered on demand, so look to security systems built on a cloud-based security model that offers on-demand protection.