Most cyberattacks start with phishing, so businesses need to ensure they have an advanced spam filter service capable of accurately identifying and remediating phishing attempts, with robust anti-malware capabilities such as email sandboxing to combat the growing volume of zero-day malware threats. While security teams are all too aware of the threat of phishing, another attack vector is on the rise – malvertising.
Malvertising, or malicious advertising, is the use of deceptive adverts that direct users to malicious web pages. These malicious pages are used to steal sensitive information, infect visitors with malware, and direct users to a wide range of scams. Malvertising can appear on legitimate websites that have been compromised by threat actors and through third-party ad blocks that many legitimate website owners use to boost revenue. Malicious adverts are also commonly encountered on search engines and may appear in prominent positions, placed above the organic listings for key search terms.
Advertising networks, including Google, have checks in place and vet advertisers to ensure malicious adverts do not make it onto their networks, but despite robust controls, many malicious adverts are displayed in the search engine results and are pushed out to hundreds of legitimate websites. These adverts may only be short-lived, but they are active for long enough to get huge numbers of views and many clicks. Given the increase in malvertising, this method of contact with end users is proving profitable for cybercriminals.
Recent Examples of Malvertising Campaigns
At the start of the month, a new malvertising campaign was detected that used Meta business accounts and personal Facebook accounts to abuse the Meta advertising platform to display malicious ads. Many different ads were used for the campaign, with the common theme being adverts for well-known software tools including CapCut, Office 365, and Canva, video streaming services such as Netflix, video games, and many more. The adverts appeared to primarily target middle-aged men.
The threat actor behind the campaign used almost 100 malicious domains according to the Bitdefender analysis, served several thousand ads, and undoubtedly reached tens of thousands of users. The aim of the campaign was to distribute an information stealer called SYS01stealer. SYS01stealer is used to steal login credentials and other sensitive data, including browser histories, cookies, and Facebook ad and business account data. The Facebook data was used to compromise Facebook accounts, which were then used to create further malicious adverts to scale up the operation.
Another Facebook malvertising campaign targeted Facebook users in Europe. In this case, the threat actor used fraudulent ads for the Bitwarden password manager. The ads claimed to offer security updates and showed alerts about compromised passwords. Clicking the ad directs the user to a web page spoofing the Chrome web store, which delivers a browser extension. If granted permissions, the extension could alter network requests and access sites, cookies, and storage. The installation also launches JavaScript which exfiltrates task data, cookies, and Facebook details for personal and business accounts.
A campaign identified by Malwarebytes in November targeted eBay users. The malicious adverts were served via Google Ads and the campaign involved at least four different advertiser accounts. In this campaign, the aim was to trick people into calling a purported eBay support number, which was in fact a tech support scam.
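A defensive check for the extension permissions described above, as an added example that is not part of the original article or of the campaign analysis: it reads a Chrome extension manifest.json and flags permissions matching the capabilities listed (altering network requests, site access, cookies, storage). The mapping to specific Chrome permission names, the review rule, and both sample manifests are this example's assumptions.

```python
import json

# Assumed mapping from the capabilities named in the article to Chrome manifest
# permission strings (this example's choice, not taken from the campaign analysis).
RISKY_API_PERMISSIONS = {
    "webRequest": "observe network requests",
    "webRequestBlocking": "alter network requests (Manifest V2)",
    "declarativeNetRequest": "alter network requests via rules",
    "cookies": "read and write cookies",
    "storage": "chrome.storage API",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def audit_manifest(manifest_text):
    """Return sorted (permission, reason) findings for a manifest.json string."""
    manifest = json.loads(manifest_text)
    requested = []
    for key in PERMISSION_KEYS:
        requested.extend(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):  # matches also grant site access
        requested.extend(script.get("matches", []))
    findings = set()
    for perm in requested:
        if perm in RISKY_API_PERMISSIONS:
            findings.add((perm, RISKY_API_PERMISSIONS[perm]))
        elif perm in BROAD_HOST_PATTERNS:
            findings.add((perm, "access to every site"))
    return sorted(findings)


def needs_review(manifest_text):
    """True when broad site access is combined with cookie or request access."""
    perms = {p for p, _ in audit_manifest(manifest_text)}
    return bool(perms & BROAD_HOST_PATTERNS) and bool(perms & SENSITIVE)


# Constructed sample manifests (not from any real extension).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Constructed Sample Extension",
    "permissions": ["cookies", "storage", "declarativeNetRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Constructed Benign Extension",
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
})
```

Many legitimate extensions request some of these permissions, so a finding is a prompt for review rather than proof of malice.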
Because the adverts often appear on trusted websites, including websites that are frequently visited, they fool a great many people who mistakenly trust that the adverts are genuine.
How Should Businesses Deal with the Malvertising Threat?
The primary defense for consumers is vigilance. Just because an advert appears on a trusted website or search engine does not mean that the advert is genuine. As is the case with carefully checking links in emails and the domains to which those links direct, the domain and URL should be carefully checked to make sure they belong to a legitimate vendor.
Businesses can easily protect against malvertising by using a web filter such as WebTitan. WebTitan is a DNS filter that blocks access to all known malicious websites and receives consistent threat intelligence to protect against zero-minute threats. WebTitan can be configured to block downloads of certain file types from the Internet, such as executable files, to block malware delivery and prevent the installation of unauthorized software products, which often sideload unwanted programs. WebTitan can also be used to prevent employees – on or off the network – from visiting any of 53 categories of websites, with a further 8 customizable categories giving granular control over the content that users can access.
Businesses should also raise awareness of the threat of malvertising through security awareness training. The SafeTitan security awareness training platform includes training modules on malvertising and hundreds of training modules covering other threats to improve human defenses against phishing, malware, and scams.
WebTitan is available on a free trial, with full support provided throughout the trial. For more information on WebTitan and to book a product demonstration, give the TitanHQ team a call today.