How malvertising can infect your PC without a single click: Internet Scambusters #728
Legitimate online advertising networks -- the setups that post display ads onto the web pages you visit -- are being hoodwinked into distributing malvertising, or malicious advertisements.
And the alarming news is that you don't even need to click on one of these ads to infect your machine. You just need to visit the web page.
In this week's issue we'll explain how this nasty trick works and what you can do to try to ensure you don't fall victim.
Let's get started...
How Malvertising Sneaks onto Your PC
One of the biggest dangers we frequently warn about here at Scambusters is the risk of downloading malware onto your PC, including through malvertising (malicious advertising).
Installing these virulent products onto your computer is the gateway to so many other scams -- like spying on your activities, enrolling your machine into a zombie spamming network or simply locking up your device and holding it for ransom until you pay up.
Most people probably think they would never allow malvertising to be installed onto their PC. But they don't realize just how easy it is.
According to online security company Malwarebytes, crooks are exploiting and tricking legitimate advertising networks into delivering their deadly cargo.
"It hits you without your knowledge, often lives on reputable sites, and most of the time, delivers one of the most dangerous forms of malware today," the company says.
That "most dangerous" tag belongs to ransomware. It's estimated that some 70% of all malvertising installs it, netting a fortune for the scammers.
For more on ransomware, see this recent Scambusters issue: Ransomware Rockets – and So Does the Ransom Charge.
The trouble is we're always being warned not to click on links and attachments to avoid downloading a virus. But the truth is, as Malwarebytes points out, you don't even have to click a contagious ad to get infected.
For example: "You could be researching business trends on a site like NYTimes.com and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the 'right' malware for you."
In other words, you only have to visit a page with malvertising embedded on it to be at risk.
How did the bad ad get there in the first place?
It's not that difficult, it seems. Scammers, posing as legitimate companies, just sign up with established advertising networks, some of which don't have strict enough vetting controls in place.
Initially, the scammers run harmless ads that lull the networks into the false belief that the "advertiser" is reliable. Then they swap in malvertising in place of those ads.
Infected ads use an invisible element that redirects a page visitor to another page where malicious code leaps onto victims' PCs. You might recognize this process from a name that often pops up in Internet security-speak -- a "drive-by download."
According to Malwarebytes, many well-known and respectable websites have been targeted by the crooks. This isn't the fault of the site operators themselves -- they simply take revenue for giving space to ad networks, some of which have been compromised by the crooks.
As a sign of the scale of the crime, Google is said to have identified and disabled more than 780 million malverts in 2015, an alarming figure that was itself a 50% rise from the prior year.
And another security firm, RiskIQ, estimates that in the first half of 2015, malvertising was up 260% on the whole of 2014.
Given how widespread these infected ads are, it's probably impossible to avoid visiting an infected page at some point in time. But you can still avoid most of the risks by following these Malwarebytes tips:
- Practice safe browsing. Although, as we said, malvertising has found its way onto respectable sites (like the New York Times and the BBC), you're far more likely to be at risk on less reputable sites or by clicking links to infected pages.
- Keep your PC operating systems and security software up to date. Remove apps known to have vulnerabilities -- like Flash or Java -- if you don't need to use them. Some browsers have add-ons that enable you to switch these programs on or off according to your needs. Otherwise, search online for information on how to remove them.
- Consider installing an anti-exploit program to supplement your security software. Of course, Malwarebytes would say this because they produce such a program -- but there is a free version.
However, be aware that many security programs already intervene to stop these so-called exploits -- so check with your security software provider first. Also, running two different Internet security programs simultaneously can create problems on your PC.
The security firm also suggests downloading and using an ad-blocker, a browser add-on that prevents many ads from loading onto a page in the first place.
However, this can cause other problems. Increasing numbers of sites won't allow you to view their pages if you have an ad-blocker in place -- after all, advertising pays for their activity. And without that income, they might not be able to operate at all.
Earlier this year, the FBI, the U.S. Department of Justice and the Department of Homeland Security met up with senior advertising industry executives to try to find ways to reduce or eliminate malvertising before it infects web pages in the first place.
The industry's Trustworthy Accountability Group (TAG) was due to launch an anti-malvertising initiative before the year-end -- but don't hold your breath. And never drop your guard!
Alert of the Week
If you're a Twitter user, and use the social network to contact companies with questions or complaints, beware of getting a bogus reply.
In a recent incident, scammers contacted users who had been tweeting to online payment processor PayPal (@PayPal).
Using similar names such as @AskPayPal, they posed as the real company and directed the tweeters to a fake PayPal page, which phished for their sign-on details.
If you contact any service provider via Twitter, always check that the response comes from the company you sent your message to.
That's all for today -- we'll see you next week.