Most people are irritated by advertising. It’s pervasive on terrestrial and satellite radio, streaming services, broadcast TV, print media, and the Internet. Apart from being annoying, though, ads can actually be used to deliver malware—giving us the portmanteau word “malvertising.” In my TEC 2023 talk “Not Today, Satan: Securing Your Network by Blocking Ad-Borne Malware,” which this article is based on, I talked about strategies you can apply to reduce the chances of malware getting into your networks and devices through this route.

Why do we Have This Problem?

We have malvertising because we have regular advertising, and we have regular advertising because it’s profitable. The Internet Advertising Bureau estimates that the worldwide digital advertising market in 2022 was worth more than US$600 billion per year, with just over $210 billion of that amount in direct advertising spending. That’s an astonishing amount of cash sloshing around, all dedicated to making sure you see ads whether you want to or not. It’s not too surprising that various bad actors have figured out ways to weaponize the advertising infrastructure, but luckily there are some effective protective measures available to you. To get there, we need a few fundamental concepts in place.

Tracking and Targeting

Advertisers ideally want to get ad content in front of the correct audience, where “correct” means “people who might buy what I’m advertising.” In the early 20th century, this targeting was primitive: ads for cigars ran in the sports section of the newspaper, for example, because that’s where cigar buyers were most likely to spend their reading time. However, modern ad delivery systems can do extremely fine-grained tracking; they help advertisers identify your interests and preferences based on the sites you visit and the things you search for, then track you as an individual across your multiple devices—all to make sure you get the correct ads. This tracking system is horribly invasive to privacy, of course, but people seem mostly resigned to its existence—although there are things you can do to reduce your trackable footprint.

However, it’s important to understand that targeted malvertising depends on these tracking mechanisms. Suppose an attacker wants to target credential-stealing malware to customers of Woodgrove Bank. The attacker can buy ads targeted to Woodgrove Bank customers with just a few clicks at any major ad system. Of course, some attacks aren’t targeted that specifically—they just attempt to drop malware on anyone who goes to a specific site (a technique known as a watering-hole attack).

Delivering the Badness

Web ads are typically embedded in the page as a block of executable JavaScript. That script tells your web browser to go ask an ad server for a block of content (which may itself be JavaScript) and render it. When it gets a request, the ad server will examine whatever cookies your browser has provided and try to find an ad that matches its targeting instructions. There may be multiple networks of ad servers involved in this process, such that a large media property like the New York Times sells a million ad impressions to Network A, which then syndicates half of them to Network B, which in turn syndicates to Network B and C. This syndication system means that neither the website owner nor an ad network may be able to see, check, or approve the specific ad that ends up delivered to a specific client. An attacker who can slip malware into an ad at any point in this chain can thus deliver ads without the NYT’s knowledge.

It’s just Malware

Time for some good news and some bad news. Malvertising is just a way to deliver malware, so if you can block the malware, you can block the threat. The bad news is the same: zero-day, zero-click malware exists. True hands-free malware is rare enough that you’re not likely to see it used in broad-scale attacks, but there are still many potential exploit paths for zero-day malware of various stripes, and of course, phishing attacks can just as effectively be delivered by ads too.  

Protecting your Network

Your guiding principle for protection is simple: If you block the ad, you block the malware. There are 5 specific protective measures you should be considering for implementation.

  1. Isolate critical systems. No one should be browsing the general Internet on your servers, nor from privileged workstations (or while using privileged accounts). Containerized browsing can help here, or you might investigate using virtual desktops for browse-only access.
  2. Block ads at the source. DNS sinkhole tools such as PiHole or the Cloudflare DNS service will prevent the browser from being able to resolve the DNS address of the ad server by returning an NXDOMAIN error. This doesn’t block 100% of ads (for example, YouTube inline-video ads) but it’s an excellent start. PiHole is particularly easy to set up and use and I recommend it highly for your home network.
  3. Block ads at the endpoint. There are several excellent ad-blocking extensions for Chrome, Firefox, Edge, and Safari (including their mobile variants) that work by recognizing ad content in web pages and just… not loading it.  Edge and Chrome both have centralized management services that allow you to force-deploy these extensions onto your computers. Note that some sites may look or behave incorrectly when blocking extensions are active.
  4. Limit the blast radius. Apple and Microsoft both provide OS-level “sandboxing” tools to contain browser- or message-carried malware. For extra protection, you can use Microsoft Defender Application Guard, which opens untrusted Office documents and websites in a separate, isolated Hyper-V container. If the document or site carries malware, it can’t escape the container.
  5. Backstop your anti-malvertising measures with a reliable anti-malware system. Of course, you should already be running device-level anti-malware on your Windows systems, but in case you aren’t, this should be a reminder.

Ads are like Mosquitos

Most of the time, we think of mosquitos as an annoyance. Apart from being annoying, though, they can carry life-threatening diseases, and having them around provides very limited benefits. Killing mosquitos en masse is the best way to prevent outbreaks of mosquito-borne diseases. I think of ads the same way: the more you can reduce the number of ads on your network, the better protected you will be against malvertising outbreaks, and even simple measures like deploying a PiHole device on your network can give you significant protection.

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

About the Author

Paul Robichaux

Paul Robichaux, an Office Apps and Services MVP since 2002, works as the senior director of product management at Keepit, spending his time helping to make awesome data protection solutions for the multi-cloud world we’re all living in. Paul's unique background includes stints writing Space Shuttle payload software in FORTRAN, developing cryptographic software for the US National Security Agency, helping giant companies deploy Office 365 to their worldwide users, and writing about and presenting on Microsoft’s software and server products. Paul’s an avid (but slow) triathlete, an instrument-rated private pilot, and an occasional blogger (at http://www.paulrobichaux.com) and Tweeter (@paulrobichaux).

Leave a Reply