Hackers are using the web’s advertising networks to trick people into downloading malware using fake security updates and Adobe Flash.
Many internet users will be familiar with tech support scams and fake software updates suggesting they download Adobe Flash.
Good anti-virus software from a reputable vendor will catch this malware as well, as one of the benefits of it being so widespread is that it is easy to detect.
The largest criminal operation trying to infect people using these advertising networks in 2017 – which bought over a billion ad impressions – has been detailed in a new report by Confiant.
According to the cybersecurity company, a criminal organisation called the Zirconium Group created and operated 28 fake advertising agencies for the purpose of spreading malware.
The group designed ads that automatically redirected users to websites where they could be tricked into downloading malware. Others ran advertisements using Adobe Flash, which is notorious for its security vulnerabilities.
The practice is known as “malvertising” (a portmanteau of “malware” and “advertising”) and often involves criminals setting up fake advertising agencies to register with web advertising platforms.
Malvertising often exploits the programmatic and automated auction process that sells advertisements in milliseconds while web pages are loading.
Just as advertisers can bid for their advertisements to target specific demographics, hackers can bid for their advertisements to target particular users – such as those potentially running software with vulnerabilities.
Jerome Dangu, Confiant’s chief technology officer, said the mechanism Zirconium Group was using to trick people was called “forced redirects”.
He explained: “A forced redirect is when a person is surfing the web on a computer or mobile device and through no action of their own gets redirected to a different website. Usually the website they are redirected to is a vehicle for some form of affiliate fraud or malware.
“Although forced redirects require social engineering (tricking users into falling for a scam or infecting their computer), they can durably stay under the radar by avoiding to trigger in situations that may correspond to security investigations.”
The team behind the Chrome browser has said that it will block forced redirects in the Chrome 64 release, which is scheduled for release on 23 January.
Mr Dangu believes the release will “fix the hole that largely allows for this illegal business to thrive”.