Cyber-criminals are turning to malvertising in ever-greater numbers, as recent huge hits on porn sites and a range of media properties illustrates. There’s no end in sight though, and Malwarebytes said that it intends to use Flash to gain easy access to millions of consumers this year.
Cyber-criminals can pay less than 80 cents to expose 1,000 consumers to infected ads, the firm noted, which is one of the reasons that malvertising is one of the primary infection vectors used to reach billions of consumers so far this year.
An analysis from the firm looked at three large-scale zero-day attacks affecting Flash Player; one particular zero-day attack instigated using the HanJuan Exploit Kit showed that cyber-criminals paid an average of 75 cents for every 1,000 infected advertising impressions on major websites at highly trafficked times of day. This amount could even drop as low as 6 cents per infected ad impression on lesser-known websites and during quieter times of day.
“Malicious advertisements placed on popular websites including The Huffington Post, Answers.com and Daily Motion, which all boast monthly unique users in the millions, are responsible for exposing vast numbers of consumers to zero-day attacks,” the firm said. “Even consumers and businesses running the latest versions of Internet Explorer, Firefox and Flash Player are susceptible to becoming immediately infected when exposed to this type of threat, which makes it particularly lucrative for the criminal community. Further, with one zero-day remaining active for almost two months of the analysis period, there is scope for exploits to have especially wide-reaching effects.”
The way that the online ad industry works is only facilitating the bad guys. Real-time bidding engines allow advertisers to select specific demographic targets and weed out non-genuine users—hijacking these allows more specific targeting of exploits.
“Exploit kit authors leverage the most popular software vulnerabilities to build the most effective tools they can and in the past year, we have seen new vulnerabilities being found and weaponized at a much faster rate,” said Jerome Segura, senior security researcher at Malwarebytes. “This is a game-changer because there is a lack of awareness on zero-day threats and most businesses and consumers aren’t properly equipped to deal with them. While one could have foreseen Flash zero-days increasing in frequency in 2015, witnessing three major zero-days happening so close to one another is unique. To face this new reality, businesses and consumers must adapt by adopting new tools to safeguard their assets.”