Malvertising on Legitimate Websites, Even The New York Times

Malvertising and phishing are not new. But using distributed ad networks to serve up malicious ads on legitimate websites is catching victims by surprise and enabling cybercriminals to lure more intended targets to their malware. These types of campaigns can compromise corporate and BYOD devices with malicious browser extensions that are hard to detect. Ad networks enable malvertising to be served up on numerous sites. When these ads appear on legitimate websites, they benefit from the implied trust visitors have of those sites, enabling them to hook more people into their nefarious schemes.

SlashNext recently discovered an example of malvertising being served up through Google ads on a legitimate website: The New York Times. The ad looks innocent enough in promoting a download of a simple PDF viewing and conversion app tool.

Clicking on the ad takes visitors to a nice-looking page with more information about the product and a prominent green button that encourages viewers to “Download to Continue”.

What victims may not notice before they click and continue is the subtle pop-up in the lower right-hand area. It says, “By clicking the button, you agree to install the Homepage & New Tab and agree to the EULA and Privacy Policy.” That should have been the first warning, but users are increasingly overlooking and simply clicking through these terms of service messages to access products and services they want.

Once the app has been downloaded, users are directed to a special phishing page that conducts user behavior monitoring by hijacking browser and search functionality. The app also has the ability to automatically run unsecured malicious third-party content within a browser. What is remarkable here is that this capability is outlined in the EULA and privacy policy, which states that they don’t take responsibility for the actions of any third-party affiliates that have access through their product. In this case, malvertising victims are actually agreeing to make themselves and their machines vulnerable to all kinds of malicious activity.

From an enterprise security standpoint, think of the problems and implications here. It is impractical for most organizations to block traffic to legitimate websites. Nor can they block ads being served up on legitimate sites. Users see ads on these trustworthy sites, take the bait, and are downloading browser extensions and agreeing to terms of service which opens them and their machines to threat actors for all kinds of purposes. To make matters worse, rogue browser extensions are extremely hard to detect. Most are simply JavaScript and HTML rather than a file-based executable, and they execute entirely within browser memory as part of a “trusted” application, the browser. So now users and machines are compromised, and most security tools can’t detect what is going on.

And it all started with a simple, hard-to-block ad on a trustworthy site rather than a phishing email. Malvertising is living up to its name.

What can an IT security team do about it? For these kinds of threats, there are three primary defenses.

  • User awareness and education about the dangers of downloads of any type not sanctioned by the organization
  • Real-time phishing threat intel feeds (aka block lists) to block access to sites serving up rogue browser extensions and other forms of malware
  • Network Traffic Analysis (NTA) systems to detect signs of unauthorized systems access, lateral movement, or data exfiltration

It’s often impossible to stop every malvertising attack. But smarter users and defenses can interrupt the kill chain sequence to prevent users from ever reaching the malicious website that these malvertising ads intend for their targets.

With our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense products powered by SEER™ threat detection technology, SlashNext can integrate with leading TIPs, SIEMs, SOARs, and NGFWs to automate detection and protection against zero-hour threats from malvertising ads and help prevent the real damage from happening.

SEER (Session Emulation and Environment Reconnaissance) runs virtual browsers in a purpose-built cloud to dynamically inspect sites with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives. SEER uses virtual browsers to dynamically inspect page contents and server behavior to detect tens of thousands of new phishing URLs per day.

By preventing the straight to browser attacks from their phishing goal of sending victims to an infected page, the malvertising attack fails to accomplish it’s intended purpose. The malvertising ads, while sophisticated enough to bypass traditional security methods, become just a nuisance without the landing page threat effectiveness.

SEER threat detection technology enables our products to prevent users from ever reaching the malicious websites. SlashNext detects all six major categories of phishing and social engineering threats, including:

Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization from straight to browser Malvertising attacks.

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.