By Grant Hamilton, Check Point Country Manager South Africa
Google has taken another positive step toward making the Internet a safer place with the launch of Chrome 71.
Building on the ad-blocking measures introduced in Chrome 64 and 68, which prevented sites from opening new tabs or windows if they were reported for serving abusive experiences, Google’s latest version of the popular browser escalates the fight against abusive online advertisements. The measures in Chrome 64/68 had some effect, but after analysing its blocking statistics from early 2018, Google admitted that around half of the potentially abusive adverts pushed to Chrome users were still not being blocked.
The latest updates are expected to be more effective in stopping persistently abusive sites.
When an advertisement gets caught showing poor or malicious behaviour, such as trying to redirect users to unwanted sites or producing pop-ups or fake system errors, the website owners will have thirty days to address the problem before having their ads blocked completely.
All that being said, completely eliminating the problem of malicious advertisements (otherwise known as “malvertising”) remains highly unlikely any time in the foreseeable future.
Some malvertising scams are difficult to block because they are delivered to users via a complex web of third-party networks, exploiting the underlying digital infrastructure of the online advertising industry. The ads are positioned on otherwise legitimate websites, and those sites are unaware they are carrying ads that exist simply to distribute malware and other attacks to users who unwittingly click on them.
Exploiting ad networks
Our researchers exposed a large-scale malvertising campaign of this type in July 2018, which revealed a disturbing partnership between a threat actor disguised as an advert publisher (dubbed ‘Master134’) and several legitimate advert resellers to distribute a variety of malware, including banking Trojans, ransomware and bots. Powering the whole process was the large ad-network AdsTerra.
A full analysis of this well-planned malvertising operation can be explored here, but in brief, the campaign involved redirecting stolen traffic from over 10,000 hacked WordPress sites, which was then sold on to the highest-bidding ‘advertiser’. However, instead of the advertiser being a legitimate company promoting real products, these ‘advertisers’ were threat actors looking to distribute malware to unsuspecting users.
In effect, cyber criminals were abusing the legitimate automated system that is integral to online advert networks and resellers’ bidding platforms, enabling them to bid alongside legitimate advertisers with popular brands and place their malicious adverts on thousands of publishers’ websites.
Because the advert ‘publishers’ connect with advertisers through a complex system of intermediaries and exchanges, there are simply too many variables involved for either Google or the ad-networks and their resellers to detect every single malicious advert. As such, it will be interesting to see if the latest updates to Chrome can help to nullify these highly complex malvertising schemes.
If the updates in Chrome 71 do prove effective, it will help to cut the payments that abusive publishers receive by exploiting the ad-networks. But every action has a reaction, so it’s likely that criminals will look for other ways to generate revenue and make up for their lost earnings.
As we have seen throughout 2018, crypto-mining malware has become the most popular malware type globally, simply because it is effective and earns revenue for criminals with almost zero risk. Earlier this year, our researchers exposed a case in which a criminal (suspected to be from China) had been running the ‘XMRig’ miner malware on multiple users’ PCs and had generated over $3 million USD in Monero cryptocurrency.
So it’s likely that the bad actors behind abusive adverts will turn to wider use of crypto-mining malware, planted on both shady and legitimate websites, to quietly exploit innocent users’ CPU power and generate cryptocurrency whenever they visit those websites.
As both of these types of attack are targeted towards end-users’ computers, organisations need a multi-layered approach to their cyber security to stay fully protected not only from known threats, but also against unknown malware and zero-day threats, like malvertising.
Check Point’s SandBlast Zero-Day Protection and Mobile Threat Prevention protect against the widest range of continually evolving attack types, and also protect against zero-day malware variants. To understand more about how zero-day threats can be prevented, please download our white paper.