Yahoo continues trying to reinvent its business model and value to users, a little more than a month after it made headlines when its advertising servers were compromised to deliver malware to Yahoo site visitors. As reported by Fox IT, the security firm that initially discovered the incident, last month some 300,000 users were exposed to infected ads with some 9 percent estimated to have been affected.
This particular hack involved an infected ad which used a Java exploit to implant software on victims’ machines, allowing those machines to be controlled for remote purposes. Typically, the hackers would sell control of compromised machines to crime syndicates who use those machines to deliver more malware or spam worldwide.
Yahoo can take some consolation in that they have plenty of company. Estimates peg the number of infected ad impressions in 2012 alone at about 10 billion. This kind of attack has come to be inelegantly termed "malvertising," and awareness is finally emerging of just how big a security threat it can present.
Malware in Many Guises
One reason that malvertising attacks are insidious is because hackers can exploit a variety of techniques to push their malware onto end users’ machines.
In theory, it is possible that Yahoo’s ad servers were implanted with malware-laced ads through a direct hack – but this is also the most difficult route for attackers. Servers at a large enterprise like Yahoo are typically well-protected from intrusion -- although in the realm of network security, you never say never.
More likely, the attackers crafted the malvertisements to evade Yahoo’s malware scanners. When a third-party submits its ads to the Yahoo ad network – or any ad network – the network operator applies some kind of protocol to evaluate the ad for malware. But these scans can never be perfect, and knowledge of their weaknesses is a salable commodity on the black market.
Crafty hackers do not even need to implant any malicious code into the ad itself, ensuring that it clears any scanning by the advertising network. Instead, the ad can simply lure people to a website. The site may contain only clean content when the ad is submitted to the network, but once ad impressions begin the hackers plant malware on the site, which they already control.
An even more sophisticated regime employs geolocation to deliver malvertisements to targeted audiences. In fact, the hackers behind the Yahoo attack used this very technique, displaying infected ads only to European visitors.
Tips for Enterprises as End Users
The enterprise potentially faces the risk of being vulnerable to malvertising from two directions: as ad publishers and as end users.
For end users, defending against malvertisements is guided by the same principles as defending against all malware. First and foremost, this means using a network-wide, up-to-date anti-malware scanner.
These days, many exploits – including the Yahoo malvertisements – are attacking weaknesses in Java. All organizations are strongly advised to keep Java runtime clients on workstations up-to-date.
Better yet, do not even allow Java to run anywhere it isn’t absolutely necessary. This can mean disabling the Java plug-in for Web browsers (increasingly becoming a default setting in popular browsers) or not installing the Java runtime at all on workstations. Of course, some organizations require Java, in which case its use must be as restricted as possible.
Beyond technical solutions, avoiding malvertising requires an emphasis on the usual “safe computing” principles. Users need to be educated and suspicious about clicking on web ads. A favored technique among malvertisements is to display “scareware” – ads which claim that a user’s computer is infected, when it actually is not…yet. The ads exhort the user to click for further help, and then of course they are driven to a malware-laced web site. Too often, end users fall prey to these social engineering tricks.
Advice for Enterprises as Ad Publishers
For enterprises who publish ads on their own websites, the risks of malvertising can threaten both your users and your reputation. Becoming the source of an infection that can infect thousands, or even millions, is not an ideal customer relations strategy.
Businesses who accept direct advertising – that is, you accept ads directly from advertisers – need to have a well-crafted vetting strategy:
Run background checks on creative content and ad agencies using a tool like Google’s Anti-Malvertising Research Engine.
Follow more "Tips for Publishers" from Google, which will help you vet an organization submitting ads to your site.
Run a risk evaluation for new advertisers as laid out by the Online Trust Foundation.
Rather than accept ads directly from agencies or advertisers, many companies today run advertisements served by third-party networks. This is a popular solution for outsourcing ad management, but it also transfers the burden of vetting ads to the third-party platform. Consequently, you have less control over the risk of serving infected advertisements.
You can track malvertisement infections to see which ad networks are repeatedly vulnerable. But interpret this data with care. Many ad networks, such as Google’s own, deliver a large variety of advertisements targeted at different markets. Ads delivered to a "risky" market – like, say, gambling websites – may be more prone to be infected than ads delivered to a specialized niche like medical research. It’s not enough to simply identify that a particular ad network has been hit with malvertisements; you should determine whether those are in a niche likely to be served on your site.
While high-profile ad networks like Google Doubleclick and Yahoo Publisher Network are not immune from malvertising, they do have clear incentives to transparently find and stop infections as quickly as possible. Lesser-known ad networks may offer higher click rates but at the risk of potentially offering less well-vetted advertising content.
Aaron Weiss is a technology writer and frequent contributor to eSecurity Planet.