Protecting Against Malvertising

Malvertising (the delivery of malicious programs or deceptive adverts through ad networks) is one of the fastest growing security threats on the internet. As a site author, you need to be sure that any adverts you serve do not harm your users.

Risks

Prevalence: Occasional
Exploitability: Moderate
Impact: Devastating

Since hackers have discovered ad-networks as an attack vector, the variety of attacks a user can expect to encounter has exploded. These include:

  • Malicious downloads, including ransomware. “Drive-by” downloads don’t even require the user to click on an advert - simply viewing the page may be enough to deliver the payload. Malware is usually delivered through vulnerable versions of Flash or Adobe Acrobat.
  • Redirects to phishing sites that attempt to steal a user’s credentials.
  • Scareware - adverts designed to trick a user into downloading unnecessary and potentially dangerous software, such as fake antivirus protection.
  • Browser lockers - malware that locks up the browser, often posing as a security alert.

Protection

When you host adverts, you are inviting a third party to write content to your web pages. Unfortunately, this limits how much control you have over protecting your users. You can mitigate the risks involved by:

  • Working with reputable ad networks. Choose networks that are certified, e.g. by Google. If you are evaluating a new ad network, see if they have any existing big-name clients. Avoid advertising networks that use deceptive practices such as pop-ups and pop-under windows.
  • Performing due diligence on agencies and advertisers. Restrict your advertising to relevant market segments, and if your ad network permits it, consider individually whitelisting advertisers.
  • Implementing a content security policy. A Content-Security-Policy header helps control which domains can host content used in your web pages. Unfortunately, many advertising toolkits (e.g. Google Adsense) cannot be restricted in this fashion, so you may have to create a “soft” whitelist using the Content-Security-Policy-Report-Only header, and monitor the reports for unexpected domains.
  • Using client-side error reporting tools. Tools for recording errors in the browser - like Sentry, TrackJS, Rollbar and Airbrake - will help you detect unexpected and anomalous behavior that could indicate a malvertising infection.
  • Logging outgoing URLs. Capturing click-strings for adverts will help with forensic analysis in the case of a malvertising outbreak.
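
The “soft” whitelist from the content security policy item above, as an added sketch that is not code from the original page: it builds a Content-Security-Policy-Report-Only value and tallies violation reports that name hosts outside the whitelist. The host names, the `/csp-report` path and the sample reports are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Assumed soft whitelist: hosts this site expects ad content from (constructed).
EXPECTED_HOSTS = {"ads.example-network.test", "static.example-site.test"}
REPORT_PATH = "/csp-report"  # hypothetical endpoint that receives the reports

# Constructed sample bodies, in the JSON shape browsers POST to report-uri.
SAMPLE_REPORTS = [
    '{"csp-report": {"blocked-uri": "https://cdn.unknown-bidder.test/creative.js"}}',
    '{"csp-report": {"blocked-uri": "https://CDN.unknown-bidder.test/pixel.gif"}}',
    '{"csp-report": {"blocked-uri": "https://ads.example-network.test/ad.js"}}',
    '{"csp-report": {"blocked-uri": "inline"}}',
    'not json at all',
]


def report_only_header(hosts=EXPECTED_HOSTS, report_path=REPORT_PATH):
    """Build a report-only policy value: violations are reported, not blocked."""
    sources = " ".join(["'self'"] + sorted(f"https://{h}" for h in hosts))
    return f"default-src {sources}; report-uri {report_path}"


def blocked_host(raw_body):
    """Return the host (or keyword such as 'inline') a violation report names."""
    try:
        blocked = json.loads(raw_body)["csp-report"]["blocked-uri"]
        if not isinstance(blocked, str):
            return None
        host = urlsplit(blocked).hostname  # already lower-cased by urlsplit
    except (ValueError, KeyError, TypeError):
        return None  # malformed or non-CSP body: skip it rather than crash
    # Non-URL sources arrive as bare keywords (inline, eval, data).
    return host or blocked or None


def unexpected_hosts(raw_bodies, expected=EXPECTED_HOSTS):
    """Count reports per host that is not on the soft whitelist."""
    hits = Counter()
    for body in raw_bodies:
        host = blocked_host(body)
        if host and host not in expected:
            hits[host] += 1
    return hits


if __name__ == "__main__":
    print("Content-Security-Policy-Report-Only:", report_only_header())
    for host, count in unexpected_hosts(SAMPLE_REPORTS).most_common():
        print(f"unexpected source {host}: {count} report(s)")
```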
