New Malvertising Attacks Highlight Growing Risk of Ad Fraud

The next time you’re tempted to click on an online ad, think again. That innocent-looking ad for a reduced price Spring Break vacation might actually be part of a sophisticated malvertising attack. This type of ad fraud is becoming more and more prevalent on the Internet, as cyber criminals come up with new and unique ways to deliver malicious payloads via online ads. The latest malvertising ad fraud technique, highlighted by researchers at Devcon, involves polyglot images used by advanced groups of cyber criminals. And these polyglot images are starting to show up all over the ad fraud space.

How the malvertising ad fraud scheme works

What makes these polyglot images such an effective form of malvertising ad fraud is that they do not require an external script to extract the malicious payload. Instead, a clever coding technique lets the JavaScript interpreter ignore the actual image data (usually disguised as a run-of-the-mill BMP image) and execute the file as valid JavaScript. The decoder script unlocks the hidden malvertising and redirects the unsuspecting victim to third-party phishing sites controlled by the cyber criminals. Typically, these third-party sites involve promotions like a “Spin the Wheel” game to win a gift card or other reward. In one example shared by Devcon, the promotion was for a $1,000 Walmart gift card.

So how does this whole malvertising ad fraud scheme work? The key thing to keep in mind is that the malicious payload is completely hidden, thanks to the polyglot technique. The hackers achieve this by slightly altering the bytes of the BMP image. They change the bytes of the image’s size field (working with their hexadecimal representation) so that they become the character codes for “/” and “*”. In JavaScript, “/*” and “*/” open and close a comment, which means “ignore me”: the interpreter skips everything that sits between these two snippets of code. That is what allows the BMP image data to camouflage itself. The hackers also add the characters for “=” and “src.” This is what lets the browser accept the file as an image, but then treats the .bmp file as a JavaScript variable (i.e. the src = “script” instead of “img”). Thus, the highly obfuscated BMP file can be run on the computer one of two ways – as an image only (ignoring the JavaScript) or as a piece of JavaScript to execute (ignoring the image). This enables even a strong content security policy to execute the code.
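The header trick described above leaves structural traces that a publisher or ad network can check for before a creative is served. The following scanner is an added example written for this article, not Devcon’s tooling: it assumes an uncompressed BMP with a standard 40-byte DIB header, and flags a size field that spells “/*”, a declared size that does not match the file, and a comment close after the pixel array. The clean and lookalike samples are constructed inline; the lookalike carries no script, only the markers.

```python
"""Structural checks for BMP ad creatives that double as JavaScript (polyglots)."""
import struct

BMP_HEADER_LEN = 14   # 'BM' + file size + reserved + pixel-array offset
DIB_HEADER_LEN = 40   # BITMAPINFOHEADER (assumed; the common case for creatives)


def scan_bmp(data: bytes) -> list[str]:
    """Return findings for one file; an empty list means it looks like a plain BMP."""
    findings = []
    if len(data) < BMP_HEADER_LEN + DIB_HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP: missing 'BM' magic or truncated header"]

    # 1. The 4-byte file-size field directly follows 'BM'. A polyglot overwrites its
    #    low bytes with 0x2F 0x2A so the file begins 'BM/*' and the header plus pixel
    #    data become one JavaScript comment.
    if data[2:4] == b"/*":
        findings.append("file-size field begins with '/*' (JavaScript comment opener)")

    # 2. A genuine encoder writes the true length; a repurposed field will not match.
    declared = struct.unpack_from("<I", data, 2)[0]
    if declared != len(data):
        findings.append(f"declared size {declared} != actual size {len(data)}")

    # 3. Compute where the pixel array should end and inspect whatever follows it.
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    stride = ((width * bpp + 31) // 32) * 4          # BMP rows are padded to 4 bytes
    trailing = data[pixel_offset + stride * abs(height):]
    if b"*/" in trailing:
        findings.append(f"{len(trailing)} trailing bytes after pixel array contain "
                        "'*/' (comment close): possible embedded script")
    return findings


def make_bmp(width: int, height: int, rgb_rows: list[bytes]) -> bytes:
    """Build a minimal, well-formed 24-bit BMP (constructed sample input)."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = b"".join(row.ljust(stride, b"\x00") for row in rgb_rows)
    offset = BMP_HEADER_LEN + DIB_HEADER_LEN
    dib = struct.pack("<IiiHHIIiiII", DIB_HEADER_LEN, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + dib + pixels


# Constructed samples: a clean 2x2 image, and an inert lookalike with the size field
# rewritten to '/*' and a comment close plus assignment appended. No script follows.
CLEAN = make_bmp(2, 2, [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"])
POLYGLOT_LIKE = b"BM/*" + CLEAN[4:] + b"*/=1;"
```

Running `scan_bmp` over the two samples yields no findings for `CLEAN` and three for `POLYGLOT_LIKE`; in an ad-review pipeline any non-empty result should quarantine the creative for manual inspection.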

The growing sophistication of malvertising ad fraud

As you can probably tell from the explanation of this malvertising ad fraud attack, it is incredibly sophisticated. White hat hackers can reverse engineer this attack, but it is still very difficult to spot in the wild unless you know how the attack occurs. In contrast to this polyglot attack, a far more common malvertising ad fraud attack involves steganography. In a steganographic attack, actual pixels within the image are replaced by code. Depending on how many pixels are replaced, this can seriously degrade the quality of the picture – and might be a tip-off for savvy web users. If you see a grainy or blurry ad, that might be a subtle clue that it is being used as part of a malvertising ad fraud attack.

The polyglot attacks spotted in the wild are even worse than originally assumed, because once the payload is extracted and the malvertising script executes, you are redirected to a new page, and your computer can be attacked again. Once a new page pop-up opens, it can launch a cryptomining attack or a remote access Trojan attack (in which your computer essentially hosts a malicious piece of code until exactly the right time for it to go into action and for the hackers to access your computer). As Devcon noted, “This attack has many layers and new techniques to attempt to hide its true nature.”

What’s particularly alarming is just how widespread this type of polyglot attack has become within such a short period of time. That has led to speculation on the part of security researchers that new techniques are being devised to spread malware. For example, if the malvertising technique were available as an exploit kit for quick download, that would make it much easier for it to be deployed at massive scale by cyber criminals around the Internet. As Devcon told the media, it has already blocked these polyglot attacks “thousands of times” on clients’ sites, many of which belong to online publishers.

The impact of malvertising on traditional online advertising

In a worst-case scenario, of course, this malvertising ad fraud might extend all over the Internet, thereby degrading the experience for any online user who spends time on any website owned by an online publisher. Moreover, if users wake up to this malvertising scam and simply decide to stop clicking on any ad (fearful that any new ad might be a form of ad fraud), then it could have serious repercussions for the entire online advertising space.

Digital ad fraud, then, is a very real concern for all parties involved – web users, online publishers and online advertisers. The more prevalent that malvertising attacks become, the more likely that there will be negative repercussions for ad networks, ad tech companies, and national advertisers. Ad fraud malware could be lurking anytime a user decides to visit websites, thereby exposing millions to malicious redirects and massive ad fraud.

At one time, the “bad guys” only focused on ads and clicks for classic “click fraud.” But now the threat actors include “bad bots,” and that has raised the stakes considerably. It’s now possible to run a malvertising campaign the same way you might run a traditional online advertising campaign.

A new crackdown on digital ad fraud

What might be needed is a broader crackdown on malvertising attacks, including all forms of malvertising ad fraud. The ad fraud space is getting increasingly crowded, and the thinking now is that many mainstream hackers are getting involved, seeing how easy it is to generate quick profits from unassuming web users. At some point, it may no longer be enough to rely on white hat hackers – there may be a need for a more vigorous response from regulatory authorities to keep cyber criminals from using the ad fraud space to exploit users.