{"id":1701,"date":"2016-11-14T00:16:53","date_gmt":"2016-11-13T23:16:53","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=1701"},"modified":"2023-08-06T21:54:34","modified_gmt":"2023-08-06T19:54:34","slug":"malvertising-part-2","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/11\/14\/malvertising-part-2\/","title":{"rendered":"Malvertising Part 2"},"content":{"rendered":"

\"bildschirmfoto-2016-10-03-um-20-53-58\"<\/a><\/p>\n

Welcome to the second part of my series about malvertising. In this second post, we\u2019ll get to the important stuff: What is malvertising and how often do these attacks happen?<\/p>\n

<\/p>\n

As previously mentioned, the word malvertising is composed of advertising and malware. It\u2019s an attack form in which a victim is infected by malware through advertisements on the web. This phenomenon has been around since ca. 2007 and more prominent attacks have taken place in the last few years.<\/p>\n

Malvertising can be divided into three different forms of attacks: Drive-by-Downloads, deceptive downloads and attacks via browserplugins. The most sneaky attack form of these is the drive-by-download. In this attack form, infected ads redirect users to a website with an exploit that uses weaknesses in browsers or browser plugins (Flash, PDF, etc.) to be able to run malicious code on the users system. For this to happen, the user often doesn\u2019t even need to click on the advertisement. The second attack form is deceptive downloads. In contrast to drive-by-downloads, no weaknesses in browser add-ons are used but \u201eweaknesses\u201c in the user. The user is deceived to click on the advertising and download the malware himself. For example, the ad could show a fake update message for the flash player. If the users clicks on it, a download is started with the malware. If the user then executes that program, the infection happens. The third form of malvertising is using browser plugins. Some browser plugins inject advertisements into web sites. This can happen when loading the site or on mouseover on some keywords. A study says, that 20% of advertisements delivered by browser plugins are malicious advertisements.<\/p>\n

So this, in short, is, how users can get infected with malware through malvertisements. A very important question is now: How do these advertisements get to the user? As was discussed in the first part of this article series, ads are delivered to the user by ad networks or ad exchanges. But don\u2019t these check the advertisements they deliver for malicious content? Turns out they don\u2019t. There is often some kind of \u201ecreative quality assurance\u201c between ad networks and advertisers, but this is more concerning the visual quality of the ads and less the security. Another fact playing into the hands of attackers is the so called ad arbitrage. Ad arbitrage or Ad syndication is a practice that is used in ad networks and ad exchanges wherein the ad spaces at the publishers are sold again after they were sold before. By offering the ad spaces they bought, some advertisers can make profit. This can happen on some different ad network or ad exchange. This makes it difficult for a publisher to make sure, that only clean ads are shown on his page. By using Real Time Bidding, controlling the security aspect of advertisements is hard on ad exchanges.  Other possibilities of malicious ads getting into ad network are hacking and social engineering. For social engineering, an attacker first offers legitimate ads to the ad network and later turns on some malicious code to turn the advertisments into malvertisements.<\/p>\n

Now the questions are: How often does it really happen? Is it just some marginal issue or a real threat to users? What ad networks deliver malvertisements? On what pages are the malicious ads shown?<\/p>\n

An answer to this is given in the paper \u201eThe Dark Alleys of Madison Avenue: Understanding Malicious Advertisements\u201c (pdf). In this paper the researchers made comprehensive measurements to learn about the share of malvertisements in all advertisements. In order to achieve this, they first collected a total of 673596 unique web advertisements. They achieved this by scanning websites in a datafeed from an antivirus company and the top  and bottom 10000 pages from the Alexa website ranking as well as 20000 randomly selected sites from the same list. The obtained advertisements were then examined whether they\u2019re malicious or not. For this, the researchers used different oracles including VirusTotal, which scans the advertisements and resulting downloads in over 50 different antivirus products.<\/p>\n

In total, the researches found 6601 malicious advertisements. This corresponds to about 1% of all advertisements collected, which is a rather high percentage. The researchers then continued to collect data about the found malvertisements. First of all they were interested in the ad networks by which the malicious advertisements were delivered. They found that one particular ad network had a share of one third of all their delivered ads that were malicious. The researchers also looked at the size of this ad network and found that this is a rather small ad network, as were almost all of the ad networks that delivered malvertisements. This backst he thesis, that malvertisements are mainly delivered  by small ad networks. One ad network stood out, as it had a percentage of about 3% of all delivered ads and had a high amount of malvertisements. The researchers also examined, on what types of sites malvertisements are shown. The results of these findings can be seen in the folllowing two graphs. It seems clear, that attackers mainly focus on the top sites on the web and that malvertisements are shown on every category of websites and not only on especially \u201edark\u201c parts of the web.<\/p>\n

\"bildschirmfoto-2016-11-14-um-00-07-48\"<\/a>
based on “Dark alleys of madison avenue”<\/a><\/figcaption><\/figure>\n

 <\/p>\n

\"based<\/a>
based on “Dark alleys of madison avenue”<\/a><\/figcaption><\/figure>\n

 <\/p>\n

Malvertising has been on a rise in recent years, as is shown by these<\/a> recent<\/a> attacks.<\/a> So the question remains, what can you as a user do against malvertising attacks? The answer is dillusioning: not much. Since most attacks use weaknesses in browser plugins, one way to stop infections by malvertisements would be to disable all of them. But this is not a realistic option, as this destroys much of the user experience and the fun in the web. Another way would be to use an adblocker, but this destroys the business model of many websites.<\/p>\n

At the end of this article, a few questions remain: How can you realise a security check of advertisements before they\u2019re delivered to the user? Is this even possible considering the real time bidding in ad exchanges? Could this check be realized inside the users browser? Would it be a solution to just sandbox all advertisements inside a website, so they can\u2019t execute malicious code? Are secure ads even possible with the current ad system or should there be a rethink? All these questions remain unanswered for now, but could be a subject of further research.<\/p>\n","protected":false},"excerpt":{"rendered":"

Welcome to the second part of my series about malvertising. In this second post, we\u2019ll get to the important stuff: What is malvertising and how often do these attacks happen?<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[26,651],"tags":[69,58,27],"ppma_author":[693],"class_list":["post-1701","post","type-post","status-publish","format-standard","hentry","category-secure-systems","category-system-designs","tag-malvertising","tag-secure-systems","tag-security"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":1636,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/10\/03\/malvertising-part-1-internet-advertising-basics\/","url_meta":{"origin":1701,"position":0},"title":"Malvertising – Part 1: Internet advertising basics","author":"Jonathan Peter","date":"3. October 2016","format":false,"excerpt":"Imagine surfing the web on a normal trustworthy website. On the top of the page you see an ad for something that interests you, e.g. the newest smartphone you like for an unbelievable cheap price. You click on the ad. Why wouldn\u2019t you? You\u2019re on a trustworthy site after all.\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"bildschirmfoto-2016-10-03-um-20-53-58","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/10\/Bildschirmfoto-2016-10-03-um-20.53.58.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/10\/Bildschirmfoto-2016-10-03-um-20.53.58.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/10\/Bildschirmfoto-2016-10-03-um-20.53.58.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/10\/Bildschirmfoto-2016-10-03-um-20.53.58.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":1017,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/07\/25\/machine-learning-in-secure-systems\/","url_meta":{"origin":1701,"position":1},"title":"Machine Learning in secure systems","author":"Claudius Messerschmidt","date":"25. July 2016","format":false,"excerpt":"Sadly today's security systems often be hacked and sensitive informations get stolen. To protect a company against cyber-attacks security experts define a \"rule set\" to detect and prevent any attack. This \u201canalyst-driven solutions\u201d are build up from human experts with their domain knowledge. This knowledge is based on experiences and\u2026","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/07\/Machine_learning_SeSy_robot_landscape.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":10415,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2020\/08\/19\/ai-cyberattacks-deepfakes\/","url_meta":{"origin":1701,"position":2},"title":"The Dark Side of AI – Part 1: Cyberattacks and Deepfakes","author":"Micha Christ","date":"19. August 2020","format":false,"excerpt":"Introduction Who hasn't seen a cinema production in which an AI-based robot threatens individual people or the entire human race? It is in the stars when or if such a technology can really be developed. With this series of blog entries we want to point out that AI does not\u2026","rel":"","context":"In "Allgemein"","block_context":{"text":"Allgemein","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/allgemein\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2020\/08\/screen-shot-2018-08-03-at-10-34-32-1.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":1393,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/09\/05\/botnets-structural-analysis-functional-principle-and-general-overview\/","url_meta":{"origin":1701,"position":3},"title":"Botnets – Structural analysis, functional principle and general overview","author":"Michael Kreuzer","date":"5. September 2016","format":false,"excerpt":"This paper provides an overview on the most important types of botnets in terms of network topology, functional principle as well as a short definition on the subject matter. By exploring the motivation of botnet operators, the reader will gain more insight into business models and course of actions of\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"wiat wektor","src":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/09\/Fotolia_67526425_M-300x169.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/09\/Fotolia_67526425_M-300x169.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.mi.hdm-stuttgart.de\/wp-content\/uploads\/2016\/09\/Fotolia_67526425_M-300x169.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":3867,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2018\/08\/07\/social-engineering-hacking-the-human-os\/","url_meta":{"origin":1701,"position":4},"title":"Social Engineering – Hacking the human OS","author":"Benjamin Kowatsch","date":"7. August 2018","format":false,"excerpt":"Abstract Nowadays, our secure systems are already sophisticated and perform well. In addition, research on subjects such as quantum computers ensures continuous improvement. However, even with a completely secure system, we humans pose the most significant threat. Social engineers prey on this to conduct illegal activities. For early detection and\u2026","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":902,"url":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2016\/07\/22\/defense-in-depth-a-present-time-example\/","url_meta":{"origin":1701,"position":5},"title":"Defense in Depth: a present time example","author":"Benjamin Binder","date":"22. July 2016","format":false,"excerpt":"In this post, we want to take a look on the concept of defense in depth. Therefore we are going to examine Chrome OS, the niche operation system for web users.","rel":"","context":"In "Secure Systems"","block_context":{"text":"Secure Systems","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/category\/system-designs\/secure-systems\/"},"img":{"alt_text":"Dark castle walls reaching in the sky","src":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg","width":350,"height":200,"srcset":"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg 1x, https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg 1.5x, https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg 2x, https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg 3x, https:\/\/upload.wikimedia.org\/wikipedia\/commons\/3\/32\/Caernarfon_Castle_Walls.jpg 4x"},"classes":[]}],"jetpack_sharing_enabled":true,"authors":[{"term_id":693,"user_id":6,"is_guest":0,"slug":"jp067","display_name":"Jonathan Peter","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/f102831b1dc3df8ea388e5d3cc39f26d24b79a54e1ee1cee521ff9fd513ee1ae?s=96&d=mm&r=g","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/1701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/comments?post=1701"}],"version-history":[{"count":3,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/1701\/revisions"}],"predecessor-version":[{"id":24708,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/posts\/1701\/revisions\/24708"}],"wp:attachment":[{"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/media?parent=1701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/categories?post=1701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/tags?post=1701"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/wp-json\/wp\/v2\/ppma_author?post=1701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}