Some people enjoy ads and commercials. Most of us, however, don’t. More to the point, many Internet users are angry at, and frustrated with, how intrusive ads have become. Back before the days of Canter and Siegel, there were no ads on the nascent Internet, and the general trend since then has been to shove more ads, with better targeting, into more places. Even Microsoft isn’t immune to the temptation to blast us with ads, since they spam users of the Microsoft 365 desktop apps with ads for things like the Office 365 home-use program.
It turns out, however, that there is a solid practical reason to consider blocking ads on your corporate network: they are increasingly being used to deliver malware.
SEO
You may have heard the term search engine optimization, or SEO. This refers to the black art of gaming the search relevance algorithms that Google, Bing, and so on use. By tweaking the content of a web page, SEO promises to give that page a higher search relevance ranking so that it appears higher in search results. One common technique to improve search results is “keyword stuffing,” or putting lots and lots of potentially relevant keywords into the page; another is creating page content that answers queries that are time sensitive in some way (such as “who is playing in the Super Bowl this year”). There are various measures and countermeasures that search engines and page creators use, with the creators trying to boost their pages artificially and the search engines trying to block their artificial techniques.
As you might expect, there’s a whole large industry dedicated to SEO, which has led directly to the existence of attacks where the attacker poisons the search results to distribute malware, a class of attacks known as SEO poisoning.
These attacks work roughly like this:
- An attacker creates fake copies of popular websites. Think of this step like website phishing—the goal is to create a site that looks good enough to fool a visitor.
- The attacker includes links on the fake sites that distribute malware.
- The attacker uses common SEO techniques to try to promote the fake pages.
- The user’s search shows fake pages high in the results, misleading him into clicking on one of the fake pages.
Security company SentinelOne has a good explanation of an SEO poisoning campaign where the evildoers created fake pages to advertise downloads of the popular Blender 3-D modeling software that were actually malware droppers. More skilled attackers can also compromise legitimate sites and put their malicious links there—since Google and Bing include a site’s popularity as a key element in ranking search results, compromising a popular site will allow its results to be more highly ranked.
Cybersecurity Risk Management for Active Directory
Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.
Malware Delivered via Ads
As if SEO poisoning wasn’t bad enough, there’s a separate class of ad-related attack that’s also increasingly common: the watering-hole attack that delivers “malvertising.” Watering-hole attacks focus on delivering malware through commonly-visited websites, often by delivering malware in an advertisement (which is where the portmanteau “malvertising” comes from). This is possible because many popular websites use ad brokers—if you want to advertise, you upload your ad to the broker, then the websites that use that broker pull the content. If you’re clever enough, you can upload JavaScript “ads” that exploit known vulnerabilities in browsers or operating systems to drop malware on devices that visit the website—sometimes without even requiring the user to click in the first place.
The Growing Threat
Neither SEO poisoning nor malvertising is new. However, in November 2022, a new large-scale wave of SEO-based attacks cranked up— more than 15,000 fake or compromised sites, each containing 20,000+ files to bias search engine indexing, were used in a coordinated campaign. This isn’t the first large-scale campaign like this, and it probably won’t be the last.
What the Feds do
The US National Security Agency (NSA) has two jobs: intercept foreign communications, and protect US communications and systems. In this latter role, they often release “suggestions” (my word, not theirs) on how to protect networks and systems against attackers. As it turns out, in 2018, they recommended “blocking unnecessary advertising content.” In 2020, they followed that up with an advisory pointing out the threat posed by the collection and sale of location data. Then in 2021, the Cybersecurity and Infrastructure Security Agency (CISA) joined in with a set of recommendations for federal and non-federal entities. Currently, at least the NSA, the Central Intelligence Agency, and the Federal Bureau of Investigation all block ads on their internal networks. Other agencies probably do too.
What You Can Do
While I generally don’t believe in blindly copying what large organizations do just because they’re doing it, in this case, there are good reasons why these agencies block ads on their networks, and those reasons apply to you too. CISA recommends four specific measures you can take:
- “Standardize and secure web browsers”: this recommendation encourages you to pick the smallest possible set of browsers (and browser versions) that allow your users to get their work done, then standardize on that set and enforce its use. Since Internet Explorer 11 is dead, the first place I’d start is making sure that it’s not in use in your network. Microsoft Edge, Google Chrome, and Mozilla Firefox all have their adherents; it’s probably easiest to deploy and secure Edge on your Windows devices, but you may prefer some other browser. Regardless of which one you use, ensure that you have chosen and are enforcing (not just suggesting!) a strong set of security defaults.
- “Deploy ad blocking software”: there are lots of ways to keep ads off your network. You can block or filter ads at the network perimeter (via DNS-based solutions such as a Pi-hole device), or on individual devices using a browser extension or an app running on the device. There are lots of different solutions in this space; I personally lean towards blocking ads at the edge level whenever possible, but in many organizations, you may still need to allow some ad content in. Of course, not every blocking solution will block every ad in every circumstance—but even some degree of blocking will provide better security than none at all.
- “Implement Internet browsing isolation”: this is a complex topic that deserves its own Practical Protection column, but, in brief, browsing isolation provides a separate virtual partition for browsing—think of using RDP to access a VM that is only used for browsing and you’ve got the right idea. Windows 11 allows you to use Microsoft Defender Application Guard to implement isolation in Edge, and there are various other methods, including using dedicated VMs, that you might be able to take advantage of.
- “Apply DNS protection technologies”: the good news is that Microsoft’s SmartScreen and Google’s Safe Browsing already provide a degree of DNS protection by checking URLs and warning you if any are known to point to malicious content. There are other systems that use threat intelligence feeds from various sources to try to label and block known bad (and/or merely suspicious) URLs. Importantly, you can extend DNS protection technologies to Office 365 workloads using the Safe Links feature of Microsoft Defender for Office 365.
Of these four measures, #2 is probably the easiest to implement in many organizations: buy a Raspberry Pi, run Pi-hole on it, and you’re off to a great start. #3 is probably the most difficult recommendation to implement, which is why I’ll be covering it in a future column. There’s one very interesting omission in the CISA recommendations: they don’t call out user training as a helpful step, although their recommendations do list “poorly trained or unaware users with unsecure browsing habits” as a common vulnerability. Given the dismal success rate of much phishing awareness training, it probably does make sense to focus more on technical prevention rather than on the good behavior of individual users—a thought worth pondering across all of your security efforts.
The Microsoft 365 Kill Chain and Attack Path Management
An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!