According to the Online Trust Alliance, almost 10 billion ad impressions were compromised by malvertising in 2012 and malvertising incidents increased by more than 250% from Q1 2010 to Q2 2010. In this article, Bianca Stanescu and colleagues look at the evolving phenomenon of malvertising and offer some guidelines to help users and legitimate advertisers avoid these threats.
Copyright © 2013 Virus Bulletin
Unfortunately, reputable companies are not the only entities that use advertising platforms. Scammers are doing their best to tap into more and more of the commercial market. Almost 10 billion ad impressions were compromised by malvertising in 2012, according to the Online Trust Alliance (OTA) .
Millions of users worldwide are exposed to malware, spam, phishing or fraud (scams), and even the most tech savvy users can become victims. Over 100 advertising networks are serving compromised display advertising, and malvertising incidents increased by more than 250% from Q1 2010 to Q2 2010, the OTA showed. At the same time, it is estimated that more than one million sites carry advertising from over 300 ad networks and exchanges, according to the IAB . This means that one in three ad networks may be serving malvertising.
A Bitdefender team decided to investigate the anatomy of malvertising and other e-threats (fraud, spam and phishing) injected into legitimate ad networks.
We first focused on the internal structure and web categories of the baits injected by scammers into legitimate advertisements. Our observations suggest that business and computer/software-related landing pages are more lucrative than pornographic ones.
We also recorded the countries in which the fraudulent domains were registered. Some registrants were native to the countries in which the domains were registered, while others were just displacements used by cybercriminals to avoid detection and law enforcement.
After looking at the evolving phenomenon of malvertising, we offer some guidelines to help users and legitimate advertisers avoid these threats. By knowing more about the anatomy of malvertising, companies, security experts and users will be better equipped to fight these emerging security threats.
Malicious advertising, or malvertising, allows cybercriminals to spread malicious files through legitimate web pages. In September 2009, New York Times readers were redirected to a site hosting malware because of an injected ad. One year later, TweetMeme (which closed its doors in 2012) suffered a scareware attack because of malvertising. These examples show that malvertising has become a dangerous threat, as it can easily spread across a large number of legitimate websites without compromising the sites directly. Moreover, silent malvertising allows scammers to infect users without the need for any clicking or direct interaction.
According to the OTA, cybercriminals have two main methods to exploit advertising :
‘An increasing trend has been to create a fictitious identity and “front” purporting to be a legitimate advertiser or advertising agency. They provide upfront payment and often approach unsuspecting partners with the urgency of a breaking ad campaign. They simply provide the ad creative which appear[s] legitimate on the surface.’
The second and more ‘traditional’ approach is to breach a vulnerable server to obtain login credentials and then compromise legitimate ads to stay undetected. According to our research, the following are the most common methods used by cybercriminals to spread malicious code through advertisements:
Pop-up ads for fictitious downloads (e.g. fake movie players, toolbars, plug ins and media converters)
Third-party advertisements through sub let ad networks and content delivery networks
Use of iframes to embed malware and to avoid detection.
Cybercriminals take advantage of two key features of Internet advertising:
Dynamism: online advertising is a versatile medium that allows scammers to stay undetected, as web page content changes regularly. This open system relies on multiple parties, including advertisers, ad networks, ad exchanges, ad services and site publishers, so cybercriminals can easily obscure their trail.
Externalization: companies pay third-party ad networks to distribute ads on their websites without knowing their content and purpose. This allows cybercriminals to pose as legitimate advertising clients. Some fraudulent commercials also appear because big ad networks sub-let some ‘advertorial’ space to third parties, usually smaller platforms. In this process, the smaller networks may end up placing malicious ads on reputable websites.
Our study of malvertising and other e-threats ran between 23 July and 24 August 2013, when the research team randomly selected over 70,000 ads served on nearly 150,000 websites on the greyer area of the Internet. To select the ads, we scanned search engines for over 50 relevant search terms such as ‘download cracks’, ‘lose weight now’, ‘earn money at home’, ‘free movies’, ‘free music’, ‘games’ and ‘torrents’. Because ads change regularly, we also re tested the web pages for new commercials to increase our database.
In total, 41,400 advertisements led to the same number of landing pages with non-identical URLs. Some were composed of the same domain and path, but with different parameters. These parameters help ad networks retrieve information about user behaviour, such as the website on which users initially clicked on the ad.
To analyse the malware, fraud, spam and phishing prevalence, we put the domains under the magnifying glass. We discovered that only 15,037 unique domains were hosting the 41,400 landing pages, which means that malvertisers and ‘friends’ place the same baits on different websites for increased efficiency.
We designed a script to open the URLs with a browser emulator that simulated user behaviour by clicking on the ads and retrieving the landing pages automatically. We also retained the redirection chain, as most ads redirect users to two or three other websites, which register them as visitors to add extra revenue for the publishers. According to our data, the malicious ads usually have more redirects than legitimate or ‘neutral’ ads. (‘Neutral’ ads were classified as such because there wasn’t sufficient data to classify them otherwise, as the sites they led to only had a few visitors and no user ratings.)
We analysed the initial page (client page), the first URLs where the ads were redirecting to, and the final landing page. After we had concatenated the landing pages and applied an MD5 algorithm, we obtained a unique list of signatures. We scanned them with the Bitdefender engines to check if any were blacklisted. Almost 7% of the landing pages analysed were blacklisted. The ‘neutral’ ads represented 46%, one percentage point less than the legitimate ones.
After checking the reasons for blacklisting, we discovered that the majority of the dangerous landing pages were fraudulent URLs luring readers with fake software, business and financial offers (57.54%). After this came spam (14.89%) and malware (14.52%), followed by phishing. With only 4% prevalence, phishing is spread less through advertising networks because users are becoming increasingly aware of such attacks.
An analysis of malicious Facebook domains in 2012  also showed that phishing is less distributed on the social network. The research on over 20,000 domains revealed that cybercriminals prefer more effective weapons, such as malware (54%) and fraud (34%), followed by spam (11%) and phishing (1%).
Some of the landing pages we analysed belonged to several categories. The most common combination is phishing with a ‘sense’ of malware. In this way, if the attackers don’t get users’ money and personal data through the phishing attack, they install malicious files on the system for similar or worse repercussions. Bitdefender also classified close to 9% of the analysed web pages as ‘untrusted’.
To determine the internal structure of malvertising and other e-threats, and to distinguish the relationships between its components, we determined the web categories of the dangerous landing pages. Our research shows that malvertisers make more money from computer and software, business and health categories, than from pornography.
Similar research this year also showed that malware is more likely to be spread via online advertising than via porn. According to Cisco’s 2013 Annual Security Report , online advertisements are 182 times more likely to infect users with malware than searching the Internet for adult content. The report also revealed that the highest concentration of online security threats is found not among pornographic, pharmaceutical, or gambling sites, but on major search engines, retail pages and social networks .
The malvertising landing pages were assigned to one of 19 categories, based either on the category of the domain or on the content of that specific web page. For instance, a personal blog hosted on a blogging platform will be categorized as a blog, but it could also be categorized as a gambling page, based on its content.
In the following sections we describe the most lucrative web categories promoted through malware, spam, fraud and phishing placed on legitimate ad networks.
The dominant malvertising category covers websites that promote private businesses (corporate websites). Fraudsters create sites that pose as legitimate businesses and target users with fake offers, usually at very low prices.
Unlike phishing sites created by breaching vulnerable websites or domains, fraudulent sites are often well crafted and have web pages registered for longer periods of time. Because they can easily be mistaken for authentic companies, it takes longer before they are taken down, so their uptime is higher than that of phishing sites .
Examples of malvertising fraud include fake offers for online garage sales, web hosting or satellite services (Figure 4).
This category covers websites that provide computer related information, software or Internet-related services. Malvertising observed in this category included a fake Disney website that promoted sexually explicit cartoons. Other dangerous ads led users to fake downloads for SEO plug ins, video convertors and cursors.
This category covers online casino or lottery websites, which usually require a transfer of funds before the user can start to gamble. Dangerous landing pages found on ad networks trick users into sending their money and personal data with no chance of winning anything. ‘Gambling’ web pages also include ‘beating tips and cheats’ websites, which describe how to make money this way.
The fourth most popular malvertising category typically covers websites associated with medical institutions, disease prevention and treatment, and websites that promote weight loss and pharmaceutical products, diets, etc. Malicious ads in this category offer miraculous secrets for ‘a tiny belly’, fraudulent detox medication and weight loss advice presented in the form of news (Figure 6).
This category covers news websites that provide journalistic text, video content or newsletter services (Figure 7). It includes both global and local news websites. Our research showed that one in 10 dangerous landing pages were offering content presented as news. Typical fraudvertising cases include fake newsletter offers and weight-loss tips presented by a medical news ‘reporter’.
This category includes web pages that allow users to share or store files online. Some dubious websites promoted through advertising are used for fraud, identity theft or malware infections, after luring users with fictitious software downloads (Figure 8).
This category typically covers websites containing erotic and pornographic content (text, pictures or video). Accurate blacklisting may also detect erotic content on mixed websites classified in multiple categories.
This category covers websites with games presentations, reviews, and online games including Flash-based applications (Figure 9). It also includes websites that offer the possibility of buying or downloading non-browser-based games. Non-legitimate games websites promoted through malvertising lead users to fake downloads and fraudulent surveys.
This category covers websites related to software piracy, including peer-to-peer and tracker websites known as distribution channels for copyrighted content, pirated commercial software websites and discussion boards, as well as websites providing cracks, key generators and serial numbers for illegal software use (Figure 10). Illegal websites promoted through advertisements may lead users to malicious downloads and fraudulent URLs.
This category covers websites presenting job boards, job related classified ads and career opportunities, as well as aggregators of such services. In the case of malvertising and other e-threats, the most common traps are job scams that ask users for money and personal details so they can follow their ‘American dream’ (Figure 11).
This category includes online stores and platforms that sell different goods or services. The typical threat infiltrating legitimate ad networks is once again fraud – scammers put up fake shops, register them on reputable TLDs such as ‘.com’, and even design them better than some authentic ones. Poorly crafted online shops may also be breached by phishers, who can then steal users’ money and sensitive data.
This category typically covers paid or free websites where users register to find a dating partner or a new relationship (Figure 13). An extension of the social networks category, online dating is typically misused to steal users’ personal details and to help social engineers craft human databases.
This category covers the websites of all banks and financial institutions, including loan companies, credit card agencies, and companies in charge of brokerage of securities or other financial contracts (Figure 14). One recent scam promoted through malvertising was a fake loan website that received almost 200,000 Facebook likes.
This category covers websites that offer travel facilities and equipment as well as destination reviews and ratings. Anti fraud technologies blacklist fake websites in this category if they discover they have been registered to trick users with fraudulent offers. Recently, a Dubai promotion website was being advertised through malicious techniques, as shown in Figure 15.
This category covers websites that aggregate information from various sources and domains. Portals may also offer features such as search engines, email, news and entertainment information. Figure 16 shows a recent malvertised portal.
This category covers websites where users can chat in real time or download IM software. Such websites may be included in several other categories, such as gambling (see Figure 17).
Our research revealed the top countries of origin for malvertising websites. Most malvertising and other e-threats originate from the US, the Netherlands and Canada. This doesn’t necessarily mean that the cybercriminals are residents of those countries, as they often register websites remotely in order to hide from law enforcement.
To lessen the chances of being tricked by malicious and fraudulent advertisements, users and ad networks can take several precautions:
Before activating commercials on their websites, companies and ad networks should carefully check their origin and legitimacy.
To verify if a website is authentic, users and companies can look for Whois information to see if the web page is hosted in the country in which the company is based (a domain being registered in a different country may be a sign of a non-legitimate site). Most fraudulent websites are registered for just a year, which can also be a sign of a scam. Also, if a website has been registered to a private email address such as email@example.com or a webmail address such as firstname.lastname@example.org, it’s almost certainly not legitimate.
To help mitigate the effects of malvertising, keep your anti virus protection updated, together with your operating system and other software. Malicious files have less chance of being downloaded successfully if security solutions are installed and up to date.
Our research showed that almost 7% of landing pages multiplying on advertising platforms pose serious dangers to computer users. The most dominant malicious category is fraud, which takes the form of fake software offers, business and financial scams. In addition, users are targeted by malware injected into legitimate ads. By using their baits on multiple advertising platforms, scammers increase their chances of making money with minimal effort.
We also found that the highest concentration of online security threats promoted through advertising are found not among pornography and online dating sites, but on business and computer websites.
In conclusion, users and other stakeholders should be careful when dealing with online advertisements. If the inner structure of the system continues to be this open, with so many parties involved and without firm security scanning, cybercriminals will take advantage of companies, advertising platforms and end-users increasingly often.
 Online Trust Alliance. Anti-Malvertising Resources. https://otalliance.org/resources/malvertising.html.
 Voluntary Anti-Malvertising Guidelines & Best Practices Helping to Combat Malvertising and Preserve Trust in Interactive Advertising. https://otalliance.org/docs/OTA_guidlines_final10_18.pdf.
 Damian, A. Understanding the domains involved in malicious activity on Facebook. Virus Bulletin, June 2012, p.19. http://www.virusbtn.com/virusbulletin/archive/2012/06/vb201206-Facebook.
 Cisco 2013 Annual Security Report (ASR). https://grs.cisco.com/grsx/cust/grsCustomerSurvey.html?SurveyCode=6653&KeyCode=000204094.
 Mlot, S. Online Advertising More Likely to Spread Malware Than Porn. http://www.pcmag.com/article2/0,2817,2415009,00.asp.
 Dima, B.; Damian, A. Phishing and fraud: the make-believe industry. Virus Bulletin, April 2013, p.33. http://www.virusbtn.com/virusbulletin/archive/2013/04/vb201304-phishing-fraud.