Hackers who employ malvertising techniques to target victims are getting cleverer and more sophisticated, and that means bad news for businesses hoping to guard against such threats.
Attackers are preying on users’ trust of certain sites to infect them via third-party ad content. For example, according to FireEye, from Sept. 8 to Sept. 15, 2015, the Forbes.com website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits. The Daily Mail and YouTube were hit around the same time period.
Cyphort, a California-based advanced-threat defense company, predicts that malvertising could soon become the No. 1 tactic of hackers, saying that attacks are rapidly increasing in both scale and sophistication. Some cybercriminals have gotten so sophisticated, they can infect viewers of these trusted sites even if they don’t click on the ad.
And of course security vendors can’t blacklist sites like Forbes or The Daily Mail, which millions of consumers use every day, making them all the more appealing to cybercriminals.
Apple no longer immune
Unlike before, Mac users aren’t immune to new and clever malvertising. Until recently, Mac users were less likely to be affected by these types of attacks, primarily because the numbers are normally not in hackers’ favor (according to Net Applications, the share of Macs in use stands at about 7.7%, compared to 90.5% for Windows PCs).
But a new approach allows a compromised website to determine which browser a viewer is using. Once it’s done so, the victim is pushed in different directions depending on the result. If the browser is one that runs on Windows, the criminals deliver a multi-exploit toolkit; if it's Safari, which runs only on OS X, they steer the victim to a fake user support URL almost identical to the one Apple offers for legitimate technical support. Once there, users are offered bogus software and services they are told will fix their computers.
How can CIOs protect users from malvertising?
Both methods of malvertising have seen a rapid rise in sophistication in just the last few months. Therefore, it’s important that CIOs are aware of them and that they make sure their personnel are diligent about what they click on and what sites they browse when using corporate computers. Employee training is key. A recent study compiled by Pittsburgh-based Wombat Security Technologies in collaboration with the Aberdeen Group found that a lack of employee training can dilute even significant investments in IT security, calling end users “perhaps the greatest evolving security threat.”
To help protect employees, devices, and networks, CIOs should also ensure the security vendors they work with are up-to-date against the latest outside threats and able to respond to them in real time. The solution they employ should also provide continuous monitoring and utilize strong web security devices to prevent access to websites associated with malvertising campaigns.
Overall, CIOs should both support and push for continuous efforts that educate employees about cyber security best practices. And although the biggest risks may be attributed to a small number of users, education must be provided to all users, even C-suite executives.