Defeating Malvertising with Isla Web Malware Isolation Malvertising Threats Run Wild Malvertising is one of the biggest problems in security today. Malvertising lets an attacker target specific organizations or users by placing ads with malicious content onto legitimate, and popular web sites. Sites such as weather.com, nbcsports.com have been found to harbor malicious ads in the past, and researchers agree that the trend will continue for 2017 and beyond. Introduction: A Proliferation of Malicious Web Ads For years, businesses of virtually all types and sizes have leveraged the many benefits of online advertising to realize a range of marketing objectives. Unfortunately, it didn’t take long for cyber criminals to realize that the many attributes that make these channels effective for marketers—such as a global reach, massive exposure, capabilities to target specific audiences, and fast and efficient distribution—also make it a very effective mechanism for spreading malware without end users knowing they’ve been infected. Malicious advertising, or “malvertising,” refers to the insertion of malware into online advertising networks or web pages. While definitive statistics around these deceptive techniques can be difficult to come by, it is clear that the problem is huge, and growing. Consider just a few statistics: • By 2013, there were 12.4 billion malicious ad impressions—more than four for each person online.1 • That same year, online ads were the second most common source of Web malware.2 • During 2014, a 325% increase in malvertising was detected.3 • Compared to the first half of 2014, 2015 saw a 260% percent spike in malvertisements.4 • Malvertising is set to cost businesses a billion dollars in damages in 2015.5 Why Malvertising is Such a Big Problem 2 Unlike many other malware approaches, malvertising doesn’t rely on deceiving users. Users don’t have to click on a suspicious link or ad, open an unfamiliar file, or exhibit any other potentially risky behavior. People can have their systems infected simply by pointing their browser to a web site—and that’s true for virtually any site they may choose to visit. Popular, reputable sites people trust aren’t immune—CNN, eBay, Huffington Post, New York Times, YouTube, and many others have unknowingly delivered malicious ad content. While users that keep software and anti-virus programs current can guard against some well-known threats, they are still vulnerable to the growing number of zero-day, dynamic, and evasive attacks being waged. Further, once the attack has occurred, victims may not even see any behavior that would indicate that their systems have been compromised. Malvertising campaigns can have a fast and broad impact. Leveraging several top ad networks and many smaller ones, malvertisers have demonstrated the ability to execute a single malvertising campaign that exposed tens of millions of users to malware. In spite of the scope of the attack, it remained stealthy, going undiscovered for three weeks.6 At the same time, malvertising criminals can employ the capabilities of online advertising to employ highly targeted tactics as well. Leveraging the data available to online marketers, these criminals can target site visitors by such criteria as demographic data, platform and operating system details, geography, and browsing history. In this way they can refine their tactics, for example, to maximize exposure to users with vulnerable machines or to target those that are more likely to divulge valuable information. How Malvertising Attacks Work Following is a high-level overview of how malvertising works: • A user visits a site with malvertising code. Note, malicious code may be present on the site, or it may be exposed to the site visitor through a series of redirects that may be happening in the background. • Exploit kits target vulnerabilities in browsers, Adobe Flash®, JavaScript™, or other software to gain access to a user’s system. 3 • Exploits are used to install a payload with malicious code onto the endpoint. • Both initially, and over time, the installed code will then be executed and engage in communications with a command-and-control server to do data exfiltration, get code updates, receive commands, and so on. Once an endpoint is infected, criminals can pursue a range of nefarious tactics. These attacks can have devastating consequences for individuals, and for enterprises when employees’ systems are compromised. Criminals may steal banking credentials for fraud and theft or they may capture an employee’s account credentials in order to gain access to corporate systems. Cyber criminals have used malvertising campaigns to deliver Ransomware which encrypts the entire hard drive of victims’ PCs, and often any network shares the user has and then extracts a ransom pay before they can decrypt and access the organizations data. Why Combatting Malvertising is so Difficult Malvertising campaigns are proving very difficult to combat. First, like other malware approaches, malvertising authors are employing a range of sophisticated tactics that make their campaigns difficult to discover, classify, and counter. Advanced forms of malvertising evade detection by employing a range of tactics, including encrypting code and communications, using randomly generated file names and URLs, and injecting and running code in different programs and at different times. Many attacks begin with a complex series of redirects. And, by using SSL encryption, these redirects make it difficult for security analysts to locate the origin of malware. Further, these cyber criminals are continuously updating and mutating their exploit kits and malware code to avoid whatever new security measures may be put in place. Ad Ubiquity For anyone who’s browsed the web recently, it is abundantly clear that online advertising is ubiquitous— and pretty much anywhere online ads are found, there’s the potential for malvertising to be present. Further, most if not all of the major ad delivery networks have been exploited to distribute malware, including AdSpirit.de, AOL, DoubleClick by Google, Yahoo, Zedo, and more. Given the ubiquity of these networks, it becomes abundantly clear that there’s no safe place, no region browsers can confine themselves to in order to guard against the threat of malvertising. These realities also pose challenges for enterprise security teams. No amount of end user training will help a user gain protection. Given major sites and networks are being compromised, once malvertising is detected, security teams can’t simply blacklist the offending domain. And that’s even assuming security teams can actually pinpoint the offending domain, which, as outlined, is not so simple with today’s malvertising campaigns. Ecosystem Complexity Compounding matters is the very reach and complexity of the online advertising ecosystem. Between the advertiser submitting an ad and the ad appearing on a site, there’s a complex ecosystem that features ad delivery networks, third-party agencies, URL shortening services, exchanges, and more. Each of these entities’ credentials, services, and infrastructures may represent a point of compromise for malvertisers to exploit. Ultimately, the many players involved means no single organization can “fix” the malvertising problem, and, even if one entity detects and blocks a specific attack, the malvertiser can easily move on to the next site or network and continue their campaigns. Massive Ad Volumes and Porous Controls Ad networks routinely get millions of ads submitted to them, and any one of them could be malvertising. Sifting through these massive volumes of ads to detect and block malvertising is inherently challenging. Further, malvertisers employ a range of tactics to evade whatever controls are in place. Criminals may start by posting legitimate ads that pass any initial screening or network security mechanisms in place, and wait weeks to establish a reputation with the network. Then they may start to rotate malicious ads into the network on varying intervals. In other cases, cyber criminals may deliver a malware-based ad, but 4 only enable the activation of the malicious payload several days after an ad is approved. To further delay detection, criminals may hold on initiating attacks until they are more likely to go unnoticed, for example during holidays or weekends, or when traffic volume is higher. Malvertising: One of Many Browser-based Threats As problematic as malvertising is in it’s own right, the troubling reality is that it’s only one of many approaches at cyber criminals’ disposal. While ad-blocking solutions may provide some safeguards against malvertising campaigns, these represent tactical alternatives that don’t address the fundamental vulnerability: the web browser. For years, browsers have represented the most commonly exploited vector for cyber attacks, and that doesn’t appear to be changing any time soon. Meanwhile, the breaches—and costs—continue to mount. A recent Ponemon report revealed the following statistics: • Organizations experience an average of 51 browser-born security breaches a year. • To respond to and remediate each breach, these organizations spend $62,000. • All told, browser-based breaches are costing businesses $3.1M a year. The Solution: Isolate Rather than Relying on Detection As the stats above clearly articulate, browser-based attacks continue to result in breaches, and those breaches are costing businesses dearly. Malvertising generally, and sophisticated campaigns like Fobber in particular, provide a vivid illustration of why gaining complete protection against browser-based malware simply isn’t possible with traditional security technologies and approaches. Quite simply, detection-based approaches aren’t working. These tools aren’t equipped to contend with the complex, dynamic, and evasive tactics being employed in today’s malware campaigns. It is therefore vital for enterprise security teams to find new approaches that offer effective protections against browser-based threats. The Isla Web Malware Isolation System To effectively guard against the browser-based threats plaguing their businesses, security teams need to implement a solution that offers an isolation-based approach.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-