Protecting Against Malvertising
Malvertising (the delivery of malicious programs or deceptive adverts through ad networks) is one of the fastest growing security threats on the internet. As a site author, you need to be sure that any adverts you serve do not harm your users.
Risks
Since hackers have discovered ad-networks as an attack vector, the variety of attacks a user can expect to encounter has exploded. These include:
- Malicious downloads, including ransomware. “Drive-by” downloads don’t even require the user to click on an advert - simply viewing the page may be enough to deliver the payload. Malware is usually delivered through vulnerable versions of Flash or Adobe Acrobat.
- Redirects to phishing sites that attempt to steal a user’s credentials.
- Scareware - adverts designed to trick a user into downloading unnecessary and potentially dangerous software, such as fake antivirus protection.
- Browser lockers - malware that locks up the browser, often posing as a security alert.
Protection
When you host adverts, you are inviting a third party to write content to your web-pages. Unfortunately, this means you are limited in how much control you have in protecting your users. You can mitigate the risks involved by:
- Working with reputable ad networks. Choose networks that are certified by e.g. Google. If you are evaluating a new ad network, see if they have any existing big-name clients. Avoid advertising networks that use deceptive practices such as pop-ups and pop-under windows.
- Performing due diligence on agencies and advertisers. Restrict your advertising to relevant market segments, and if your ad network permits it, consider individually permitting advertisers.
- Implementing a content security policy. Implementing a Content-Security-Policy will help control which domains can host content used in your web-pages. Unfortunately, many advertising toolkits (e.g. Google AdSense) cannot be restricted in this fashion, so you may have to create a “soft” allowlist using the Content-Security-Policy-Report-Only header and monitor for unexpected domains.
- Using client-side error reporting tools. Tools for recording errors in the browser - like Sentry, TrackJS, Rollbar and Airbrake - will help you detect unexpected and anomalous behavior that could indicate a malvertising infection.
- Logging out-going URLs. Capturing click-strings for adverts will help with forensic analysis in the case of a malvertising outbreak.
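The “soft allowlist” approach above can be turned into a small triage script. The following is an added example, not code from the original article: it builds a Content-Security-Policy-Report-Only header from a list of hosts your ad network is known to use, then reads the JSON violation reports the browser posts to the report-uri endpoint and counts every blocked host that is not on that list. The allowlist hosts, the report endpoint path and the sample reports are all constructed for the illustration.

```python
"""Triage Content-Security-Policy-Report-Only violation reports for
unexpected ad-serving domains. Added illustration, not the article's own
code; the allowlist, endpoint and report bodies below are constructed."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist: hosts the (hypothetical) ad network is known to load from.
AD_ALLOWLIST = {
    "ads.example-network.com",
    "cdn.example-network.com",
}


def report_only_header(allowlist, report_uri="/csp-report"):
    """Build a Report-Only policy that permits the page itself plus the
    allowlisted hosts for scripts, frames and images, and reports (without
    blocking) any other load. report_uri is a hypothetical endpoint path."""
    hosts = " ".join(sorted(allowlist))
    directives = [
        "default-src 'self'",
        f"script-src 'self' {hosts}",
        f"frame-src {hosts}",
        f"img-src 'self' data: {hosts}",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def blocked_host(report):
    """Return the host named in a report's blocked-uri. Browsers send a bare
    keyword ('inline', 'eval', 'data') for non-URL sources; keep it as-is so
    unexpected inline script shows up in the triage too."""
    blocked = report.get("blocked-uri", "")
    if "://" not in blocked:
        return blocked or "(empty)"
    return urlsplit(blocked).hostname or blocked


def triage(report_bodies, allowlist):
    """Parse report-uri JSON bodies and count (host, directive) pairs whose
    host is not allowlisted. Reports for allowlisted hosts (e.g. from a
    directive the policy does not cover) are counted as noise and skipped."""
    unexpected = Counter()
    ignored = 0
    for body in report_bodies:
        report = json.loads(body).get("csp-report", {})
        host = blocked_host(report)
        directive = (report.get("effective-directive")
                     or report.get("violated-directive", "?")).split()[0]
        if host in allowlist:
            ignored += 1
            continue
        unexpected[(host, directive)] += 1
    return unexpected, ignored


def _report(directive, blocked_uri):
    # Helper to build a constructed report in the legacy report-uri JSON shape.
    return json.dumps({"csp-report": {
        "document-uri": "https://news.example/story",
        "violated-directive": directive,
        "effective-directive": directive,
        "blocked-uri": blocked_uri,
    }})


# Constructed sample reports: two from the known network, two from an unknown
# host delivering a script, and one inline script injected into the page.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example-network.com/ads.js"),
    _report("frame-src", "https://ads.example-network.com/frame"),
    _report("script-src", "https://unknown-host.invalid/payload.js"),
    _report("script-src", "https://unknown-host.invalid/payload.js"),
    _report("script-src", "inline"),
]

if __name__ == "__main__":
    print(report_only_header(AD_ALLOWLIST))
    unexpected, ignored = triage(SAMPLE_REPORTS, AD_ALLOWLIST)
    for (host, directive), n in unexpected.most_common():
        print(f"UNEXPECTED {host:30} {directive:12} x{n}")
    print(f"({ignored} reports from allowlisted hosts ignored)")
```

Because the header is Report-Only, nothing is blocked for users; the value is in the feed of reports. A sudden appearance of a new host under script-src or frame-src, or of inline script where the ad creative should not need it, is the signal worth alerting on, and the same (host, directive) counts feed naturally into the forensic logging the last bullet recommends.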