It used to be that the only dangerous ads were the ones delivered to your email inbox. But now attackers are finding ways to sneak malicious ads – or ‘malvertisements’ – onto even legitimate websites.
Malvertisements are difficult to stop. Part of the reason is that a paid advertisement isn’t going to attract the same level of security scrutiny as an unrequested email or attacks against computer systems. In the latter case, you know the attacks were malicious in nature, but with a banner ad, you assume someone vetted it for security somewhere along the line.
That’s not always the case, though.
Malicious ads wait for opportunities
The latest high-profile attack featured malicious ads sold through an ad network that were posted to several high-profile sites, including The Jerusalem Post, The Times of Israel, The Hindustan Times and Last.fm.
According to MalwareBytes, one way these malware-laced ads get through is by providing several legitimate ads for each one that contains malicious code. That makes them easier to slip by security.
And that’s not the only tactic being used to hide the threat.
Another strain found on Amazon, YouTube and other popular sites earlier this summer gave each ad a unique signature in order to prevent being detected by virus scans.
Defending against malvertisements
Protecting your systems requires more than just advising users not to click on ads. Although really, that advice will still be the most effective defense.
You’ll also want to:
- Keep antivirus up-to-date. As always, this is a good way to prevent malware from slipping though.
- Use ad-blockers. These tools have become remarkably effective at blocking most any advertisements from your systems, harmful, just-plain-annoying or otherwise, and
- Scanning regularly. Finding out quickly if you’ve been infected is almost as good as avoiding malware in the first place.