Perry Carpenter is Chief Human Risk Management Strategist for KnowBe4, developer of Security Awareness Training & Phishing Simulation tools.

If you thought online advertising was only about targeting consumers, think again. Threat actors and scammers are increasingly weaponizing these same channels to target, phish and manipulate users.

Malicious, infected or misleading ads (a.k.a. “malvertising”) are becoming harder and harder to spot, as they frequently feature authentic-looking branding, content and design elements. When users fail to detect these fraudulent ads and proceed to interact with them, they unknowingly open doors to phishing websites, social engineering attacks, ransomware and other online threats.

Techniques That Attackers Use For Malvertising

Threat actors use a number of different techniques for distributing malware via online ads. The most common ploys include:

• Sponsored Search Malvertising

Say someone wanted to download graphic design software. The first thing they’d probably do is open a search engine like Google or Bing and type in the software title. Next, they would likely click on the first authentic-looking link they see, without giving a second thought as to whether it was a sponsored ad or a legitimate search result.

But what if this link is a phishing website or a landing page that is laced with malware? Fake sponsored ads are being masterfully designed to blend in seamlessly with organic search results. Researchers unmasked a campaign where threat actors were running online ads to fool employees into thinking they were visiting their employer’s HR portal.

• Social Media Malvertising

Social media is a hotbed for several malvertising campaigns. Attackers exploit social media platforms to target users based on specific interests, interactions and geographies. For example, threat actors have been observed spreading malware via Meta’s (Facebook) sponsored ads. The attacks begin with bad actors taking control of an existing Facebook account. Then, using AI-based image generators, they update the profile image, description and profile information of hijacked accounts to impersonate AI software providers such as Midjourney, Sora AI, DALL-E 3, Evoto and ChatGPT. Next, they run sponsored ads impersonating these organizations, and when users interact with these malicious ads, they unknowingly download infostealers onto their devices.

• Malvertising Via Adtech Exploitation

The digital advertising ecosystem is vast, with millions of websites generating billions of views every day. These websites rely heavily on global ad tech platforms to serve up advertisements and generate revenue. However, loopholes in these ad-serving networks create numerous opportunities for cybercriminals to execute malvertising campaigns.

For example, a major malvertising campaign was reported recently where threat actors exploited vulnerabilities in an ad-serving platform to display malicious ads and to propagate fake captcha pages. Victims who interacted with the ad were directed to legitimate-looking malicious websites where they were prompted to complete a fake captcha process to confirm their identity. When users initiated the captcha process, it executed a PowerShell command in the background, installing malware that stole credentials and sensitive information.

• Rogue In-App Ads

Consumers are spending more and more time on mobile apps, paving the way for threat actors to serve malvertising content. That’s because many of the free mobile apps (like utilities or games) that are found online usually operate on an ad-supported model. But many, if not most, mobile app developers do not have enough resources to properly vet ads for malvertising content. Threat actors then leverage this situation to serve harmful ads that lead to malicious downloads, backdoors or phishing. In 2023, researchers discovered a major malvertising attack that affected over 1,700 applications from 120 publishers, impacting an estimated 11 million devices.

How To Protect Against Malvertising Attacks

Valuable personal and financial data are stored on all kinds of devices. As a result, they’ve become a major target for malvertising attacks. Based on my experience working with companies on their security awareness training, here are some best practices that you can use to help mitigate such attacks:

• Employee Awareness And Training

It’s important to educate employees on the risks of malvertising and the need to stay cautious and vigilant around online ads. I recommend using a mix of classroom training and phishing simulation exercises that teach employees how to recognize suspicious-looking ads (unusual headlines, URLs, phone numbers, etc.) and report scam ads. For example, before ever interacting with a search ad, they should click on the three dots that appear next to ads to confirm if it is from a verified advertiser.

• Strong Security Controls

Implement security tools like firewalls, intrusion prevention systems (IPS) and endpoint detection and response (EDR) to detect malware and block malicious scripts. Security teams can deploy enterprise ad blockers to filter out malicious ads, pop-ups, banners and third-party tracking. It’s also advisable to use stronger authentication measures, such as phishing-resistant multi-factor authentication (MFA), to help prevent user accounts from being compromised.

• Monitoring Traffic And User Behavior

Your security team should have a clear understanding of typical web traffic and user behavior in order to recognize any irregularities. For example, if there is an abrupt increase in traffic, particularly directed toward a recognized malicious website or a domain with no previous activity, this should raise immediate concerns about potential malvertising. Likewise, an unexpected rise in clicks or engagements with ads that deviate from usual user behavior may suggest the existence of a click fraud scheme or a damaging redirect. Consider using AI tools to detect unusual traffic patterns and user behavior.
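The two traffic signals described above (requests to a known-malicious domain, and a sudden cluster of users hitting a domain with no prior activity) can be checked with a simple baseline comparison. This is an added example, not code from the article or from KnowBe4; the proxy log format, the domains and the blocklist are all constructed for illustration.

```python
# Added example: flag malvertising-style anomalies by comparing today's proxy
# traffic against a baseline period. Log format is a constructed
# "date user domain" triple per line, not any real proxy's format.
from collections import defaultdict

# Constructed baseline logs (prior days of normal activity).
BASELINE_LOGS = """\
2024-05-01 alice example-intranet.test
2024-05-01 bob example-intranet.test
2024-05-02 alice news.example
2024-05-02 carol example-intranet.test
"""

# Constructed logs for the day under review.
TODAY_LOGS = """\
2024-05-03 alice example-intranet.test
2024-05-03 bob hr-portal-login.example
2024-05-03 carol hr-portal-login.example
2024-05-03 dave hr-portal-login.example
2024-05-03 erin hr-portal-login.example
2024-05-03 alice news.example
2024-05-03 frank known-bad.example
"""

# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_MALICIOUS = {"known-bad.example"}


def domain_users(log_text):
    """Map each domain to the set of distinct users that requested it."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            users[parts[2]].add(parts[1])
    return users


def find_anomalies(baseline_text, today_text, blocklist, min_new_users=3):
    """Return {domain: reason} for domains that warrant a closer look today."""
    baseline = domain_users(baseline_text)
    today = domain_users(today_text)
    alerts = {}
    for domain, who in today.items():
        if domain in blocklist:
            alerts[domain] = "known-malicious domain"
        elif domain not in baseline and len(who) >= min_new_users:
            # A never-seen domain suddenly drawing several users is the
            # footprint a sponsored-ad lure (e.g. a fake HR portal) leaves.
            alerts[domain] = f"new domain, {len(who)} users, no prior activity"
    return alerts
```

Distinct users rather than raw hits is used as the count, so one person reloading a page does not trip the threshold while several employees following the same ad does.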

In my experience, protecting against malvertising requires a multi-layered security approach that includes educating and training users, implementing robust security controls, and continually monitoring user behaviors and web traffic. By staying proactive and vigilant, organizations can minimize the risk of falling victim to malvertising and safeguard their users, data and reputation.

Forbes Business Council is the foremost growth and networking organization for business owners and leaders.
