The Internet advertising business is booming. Online advertising is now the second-largest ad medium, after passing newspapers in 2013, according to ZenithOptimedia research. Ad networks like DoubleClick play a big part in that growth, so it's not surprising they have attracted the attention of attackers interested in using them to serve malware.
Advertising networks could become "the next primary attack vector," contends new research from Bromium Networks. Worse, popular security technologies such as signature-based detection are essentially useless against such attacks, said Rahul Kashyap, Bromium's chief security architect and head of Research.
The research, which Bromium is releasing today, found attackers are using ad networks to place malicious ads on popular sites like YouTube and Yahoo. The ads redirect Internet users to pages serving malware via drive-by download attacks. Video sites like YouTube are especially attractive to attackers because viewers tend to linger, which gives the bad guys more opportunities to execute complex exploits.
Attackers also appreciate ad networks' ability to target certain audiences, such as users of a specific browser or operating system.
These so-called malvertising attacks offer "one of the best ways to compromise huge numbers of people and get away quickly," said Kashyap. "Attackers can potentially infect millions of people by randomly placing a few malicious ads."
Malvertising attacks are especially insidious, he said, because they leverage the comfort level many people feel using well-known sites like the online version of the New York Times. "Those kinds of sites are the last place anyone would expect to get infected."
Malvertising and Exploit Kits
The Bromium research details a malvertising attack on YouTube that occurred in February and involved the use of the Styx exploit kit. Several similar attacks later found by Bromium researchers all originated from exploit kits, Kashyap said. Such kits enable attackers to test their malware to see if it will be detected by antivirus products.
"It’s almost like attackers are using antivirus as QA for malware," he said. "They've really got it figured out."
In a blog post about the YouTube attack, Bromium's McEnroe Navaraj said Bromium was working with the Google security team to analyze the attack. "Google has taken this campaign off and is beefing up internal procedures to prevent such events from occurring again," he wrote. Also, he noted, "We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks. Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures."
Kashyap finds it concerning that even a company as security-savvy as Google is struggling to combat these kinds of attacks. "If it is getting to end-users like us, the checks that are in place are not enough," he said. "This problem is going to get worse if it is not addressed."
Companies that have the market sway to impact online ad networks should challenge those networks to improve their vetting processes, Kashyap said. "They need some kind of a minimum assurance that their users will not be affected."
While disabling ads with an ad blocker is a near-term option for enterprises worried about these kinds of malvertising attacks, Kashyap said it is not a practical long-term solution. He suggested employing practices such as whitelisting, which treat the entire Internet as untrusted.
"You want to leverage the kinds of technologies which do not depend on signatures or other known techniques to block threats on the network," he said.
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.