Navigating the malvertising nightmare

The blame game: who is responsible for scams and threats online?

The online world has never been more dangerous. How can companies protect themselves and their employees from cyber risk?

If you were planning to create a perfect environment for scammers and cybercriminals to strike, you couldn’t do much better than generate the world in which we currently live. Thrown from pillar to post over the last 18 months of the pandemic, toiling in an unhappy halfway house between home working and office working, and worried about our economic and physical health, we’ve rarely felt or been more vulnerable.

It’s ripe pickings for cybercriminals, who are launching wave after wave of malvertising and investment scams designed to prey on our vulnerabilities. In 2020, more than 20,000 distinct types of malvertising attacks were identified by the Media Trust, who work with industry body the Interactive Advertising Bureau. Billions of bad ad impressions were blocked by the company – five times more than a year before. Our online security has rarely felt more precarious, and it’s being enabled by the ease with which people can place online adverts.

How the scams work

‘Malvertising’ can infect users in two key ways. In one, users have to actively click on a corrupted advert to get infected. They’re taken to a website where malware is loaded onto their device without them realising. But a more pernicious method – the drive-by download – is equally commonplace.

[Chart: Some browsers are more secure than others – percentage of security violations by browser. Source: Confiant, 2021]

Both, however, rely on winning over a victim. With household incomes falling in real terms, and the average family likely to be £1,000 worse off next year due to a cost of living crunch according to the Resolution Foundation, money issues are at the forefront of many employees’ minds. Coupled with the fact that many are working at least part of the week at home, away from colleagues, they become easy victims of malvertising and get-rich-quick scams. The number of those scams is rising, too: in the third quarter of 2021, one in every 108 ad impressions was dangerous or highly disruptive, according to Confiant research.

What are businesses to do? Part of their job is to remind employees of the realities of such opportunities, and the vanishingly small likelihood of them being legitimate. “When it comes to responding to investment opportunities online, you have to remember the internet is the seediest place on the planet,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “Greed is one of the seven deadly sins that social engineers rely upon in all sorts of security scenarios, and if they can part you directly from your money with an investment scam it’s all the easier for the criminals.”

The task for CISOs and CTOs

Simply telling staff not to click the banner promising them passive extra income without working is only half of the solution. You also need to take the lead in fighting back against cyberthreats in the hybrid working world – otherwise the consequences can be great. That task is made harder by the ever-changing sands on which the battle against scammers and cybercriminals is fought.

“They are still using email, but they’re trying to use all sorts of other channels in combination,” says Steve Benton, deputy chief information security officer (CISO) at BT Security, who helps oversee a team of 3,000 at the telecoms company that partners with Interpol and the National Cyber Security Centre, and heads off 6,500 attempted cyberattacks a day. “They are using social media; they’re using SMS messaging as well.” The goal is to create confusion for the recipient.


The range of different places from which attacks can be launched creates a headache for the likes of Benton. The solution for him and fellow CISOs is to try and set their defences higher up the chain so the attacks don’t reach users in the first place. As well as setting out physical hardware defences, Benton also has a behaviours team within BT that engages with workers and explains how individuals are the first and last defence against attacks. “We call it ‘switching on your human firewall,’” he says.

Keeping personal data safe to protect the organisation

It’s vital that those human firewalls are switched on – and the temptation to fall victim to investment scams and online threats is avoided – because individual weak links in the chain offer hackers the keys to the kingdom. Eight in 10 attacks against organisations involve some form of credentials harvesting, claims Benton. And with the rise of enormous financial windfalls thanks to bitcoin and cryptocurrency investments, hackers and cybercriminals are utilising the hubbub around those technologies to piggyback their attacks on them.

“CISOs need to put in place the controls that allow them to understand what’s happening at the end point, and give them the protection and visibility around that,” he says. “But they need to focus on the individuals. Fraudsters and criminals recognise these people might not have their colleagues around them.” At BT, they implement a three-word mantra for employees working remotely: stop, think, protect.

The message is a simple one. “There is literally no communication you can receive that means you have to reply or do something as immediately as it’s suggesting you have to,” says Benton. “You can always pause. It only takes a minute for your rational brain to start engaging.” That’s something Woodward also agrees with. “The bottom line is that if it looks too good to be true, it is.” His guidance to those worried about falling foul of the scammers is simple. As well as BT’s stop, think, protect, add two other words to your computer screen: “Caveat emptor.”

Caught in the web

Advertising has contributed to cyber risks, making media and publishing companies vulnerable to reputational and intrinsic damage. Where do the threats lie?

[Chart] Of the top 20 websites accessed by UK residents, nine are mainstream media sites (unique viewers, where total unique views are 50,089): Reach Group, News UK, BBC, Mail Online/Daily Mail, Independent and Evening Standard, Sky, The Guardian, Hearst, Telegraph Media Group.

[Chart] In Q3 2021 ad impressions were dangerous or highly disruptive to users (Confiant, 2021).

[Chart] Ad blocking is on the rise, leading to a loss in revenue (IAB and YouGov, 2020; IAB, 2015).

[Chart] Media companies block certain categories of ads, too – percentage of ads blocked by site owners.

[Chart] While the digital ad market is growing... Ad sales were up last year, to a total of £16.5bn (IAB and PwC, 2020).
[Chart] ...The amount of poor quality ads is increasing. Percentage of poor quality ads (Confiant, 2021):

Q4 2020: 0.38%
Q1 2021: 0.55%
Q2 2021: 0.59%
Q3 2021: 0.78%

[Chart] This is gradually degrading trust in businesses operating online (Confiant, 2021):

60% of consumers say they expect the companies they do business with to suffer a data breach someday
58% of global leaders say businesses themselves are responsible for data privacy and security
55% of businesses think consumers are beginning to trust them more
21% of consumers say they trust businesses with their cybersecurity

Commercial feature

Privacy, security and the threat of malvertising

Digital advertising delivers significant value to publishers, but also introduces myriad risks related to security, privacy and user experience

Adverts that aren’t what they seem and tracking agreements that violate user privacy are major threats to the publishing industry. Malvertising, for example, undermines the entire online advertising ecosystem. Attackers use legitimate publishing platforms to plant ‘bad ads’ containing malicious code, which spreads malware or exposes end-users to phishing campaigns. Publishers are often unaware of what’s happening until someone complains – by which time the publisher may already have suffered serious reputational damage. 

Because large websites rely on advertising networks consisting of ad resellers, it’s difficult – if not impossible – to thoroughly analyse each ad manually. But rather than blaming a compromised ad or hosting ad network for an infection or scam, victims often see it as the publisher’s fault. Some users also install ad-blocking software in an effort to protect themselves from malvertising, disrupting publishers’ online ad revenue streams. And like any major security threat, malvertising is constantly evolving.

Over the past ten years, attackers have developed new techniques to avoid the security protocols and web browser technologies that protect end-users. One such technique is a forced redirect, which redirects users to a different website through no action of their own. Usually, this website is a vehicle for some form of affiliate fraud or malware. 

Attackers are also turning to social engineering techniques to capture information through native ads – i.e. advertising that appears in the same format as the rest of the content on the page. Because they don’t oversell a product and are like the rest of the content, native ads make the reader feel safe. Clickbait ads, on the other hand, receive high clickthrough rates because they play on emotions with sensational or shocking images or exaggerated offers.

Because advertising platforms have restrictions on ad creatives to protect readers, attackers employ cloaking techniques to pass ad quality audits. For example, a platform may review and approve an ad for a popular shoe brand, using static page scanning. The attacker can then swap out their cloaked shoe ad with a celebrity-based image that will likely earn a much higher clickthrough rate, and lead to a malware site.

The scale of the malvertising problem cannot be underestimated. Confiant’s most recent ‘Malvertising & Ad Quality Index’ found that in Q3 2021, one in every 108 ad impressions was dangerous or disruptive to users. Furthermore, European markets remained a hotbed for security issues, with large increases above Q2 in Germany (168%), Spain (60%), France (478%), and Great Britain (236%).

Publishers must defend themselves from these evolving threats. Confiant’s ad controls are designed to help them with this challenge by automatically identifying and blocking all types of malicious digital advertisements in real-time, and automatically re-auctioning to monetise the ad space. This means that internal teams can focus on growing revenue streams instead of wasting time fighting revenue disruption.

Privacy compliance is another challenging issue for publishers. Under the GDPR, a vendor is required to have a legal basis to track users, typically either user consent or legitimate interest. But an investigation by Confiant found evidence of ‘dark patterns’ (deceptive or confusing UI designs that influence consumers to act against their own interest or intentions) in several publishers’ Consent Management Platform configurations. These could lead users to believe that they have rejected all data collection, despite having unintentionally failed to object to legitimate interest declarations. Regulators such as France’s CNIL have already begun sanctioning companies for using dark patterns in their consent banners. NOYB, a European organization protecting consumer digital rights, has also filed 422 GDPR complaints, with ten different data protection authorities, about cookie banners that utilise dark patterns to gain user consent. And the California Consumer Privacy Act (CCPA) has been amended to prohibit the use of dark patterns that prevent consumers from opting out of the sale of their personal information. 

In recent years, European regulatory and enforcement agencies have also made it clear that publishers can be held responsible for the actions of their vendors. In other words, publishers’ vendor contracts won’t protect them from being fined if a data processing vendor allows data leakage or the misuse of the user data.

To minimise these risks, publishers must monitor their CMP implementations to eliminate confusing dark patterns and ensure that clear notice and choice is given to their users. They should also tighten up their vendor contracts so that vendors have liability for actions that violate the GDPR, and consider doing a Data Protection Impact Assessment (DPIA) to ensure they are making measured choices about the data they collect, share and use. 

Privacy Compliance by Confiant can also help publishers to verify the compliance of their vendors. The solution examines a publisher’s site in real-time to identify whether ads respect the user’s preferences and the expectations of the law, and reports any consent mismatch to the publisher in their dashboard, allowing it to be addressed immediately. Together with Confiant’s ad control solution, this can help publishers stay one step ahead of regulatory penalties and malvertising challenges, and ensure that site visitors see them as a source of valued information rather than security and privacy threats.

Taking back control of the ad experience

Complex Media is a multimedia platform and online community that publishes premium content around pop culture. With over 120 million people engaging with their content, providing a premium user and ad experience is a top priority – and redirects, heavy ads and malvertising can all detract from that goal.

To tackle these issues and take back control of the ad experience across their properties, Complex Media turned to Confiant. The company was able to catch issues before they even reached Complex Media’s site or block negative ad impressions before they occurred, mitigating revenue disruption and ensuring a safe user and ad experience. 

During a recent interview, Chris Gironda, director of ad technology & data strategy at Complex Networks, explained how Confiant’s solution has benefited the publisher: “Not only did all the redirects, escalated emails and weekends and holiday attack stop, but the ease of use and intuitive UI means you can set your thresholds and pull your levers for what you want to allow.”

The changing politics around cybersecurity

As those who launch cyberattacks – particularly those who implement malvertising – become more professionalised, there’s a need for businesses and regulatory bodies to respond in kind

For decades, great nation-states have focused on one-upping their rivals in the field of military might. Money was spent on tanks and guns, and training soldiers to fight in battlefields. Now, politicians are as likely to divert money to cybersecurity – and offensive and defensive capabilities – as they are a new warplane or vessel.

As scrutiny has risen, cybersecurity has become a political issue. It’s notable that cybersecurity sits alongside extreme weather events, climate action failure and infectious diseases in the list of the World Economic Forum’s world’s greatest threats. Online security and privacy are watchwords for elected officials, who are eager to make sure the once wild west of the world wide web is something more civilised. But they’re doing so at a point where governmental intervention in the world of cyberattacks is more prevalent than ever.

“We’re not talking all-out cyber war here,” says Alan Woodward, professor of cybersecurity at the University of Surrey. “It’s very much like the cold war, where people probe to see what information they can extract, or they disrupt to see how far they can push things with plausible deniability.”

The new cold war?

And just like in the cold war, proxies are being used to operate in this sphere. It’s used by rogue states not only to wreak havoc, but to generate money. “Malvertising is, from a criminal standpoint, very efficient,” says Jérôme Segura, senior director for threat intelligence at Malwarebytes. “You’re going to pay a few cents to advertise something and yet that’s going to yield you multiple times that amount. It’s a very economically profitable way to have a successful scam business.”

That’s something Jim Gee, visiting professor and chair of the Centre for Counter Fraud Studies at the University of Portsmouth, agrees with. “Cybercrime businesses are consolidating, just like other business sectors have over time. Many SMEs are emerging into highly profitable national and global illegitimate businesses with the capacity to invest in malvertising, the development of artificial intelligence to target victims and uncover vulnerabilities, and to corruptly involve insiders. This trend will continue. Until they understand this, policymakers will not respond effectively.”

Policymakers’ understanding of the risks of cyberattacks will be vital for future security, says Simon Walsh, senior engineer at TrendMicro. “Individual threat actors – malvertising-related or otherwise – can be unmasked and brought to justice,” he says. “But doing so is difficult and time-consuming and typically involves cross-border international cooperation which needs to be fast but is often held back by slow-moving, outdated legal frameworks.”

Changing policy goals

“Our national policy always was ‘defend, develop, deter’, but now ‘deter’ has assumed a greater emphasis with the new cyber force developing offensive capability as a means of deterring others from attacking us,” says Woodward. “These attacks are no longer on individuals like you and me, but organisations that represent critical national assets.”


Nor are they simply launched by fly-by-night individuals or organised gangs. Rather, they’re often state-sponsored or affiliated organised crime groups. North Korea and Russia are well-known to be harnessing some of the methods of delivering malware, including malvertising, bringing with them expertise. “It’s a very specialised field in a sense because you need to be quite proficient in understanding the online ad business,” says Segura. “It’s not something that just about any criminal can learn on the fly.”

Because of their expertise, highly skilled criminals are able to harness advertising networks to their advantage. Publishers bear the impact: they have suffered security breaches because cybercriminals manage to subvert their systems to deliver malvertising payloads.

Taking the fight to the cybercriminals

“Increasingly law enforcement agencies are able to identify people or systems that are pivotal in certain attack campaigns or even more general criminal activities,” says Woodward. “If you can render those useless it has a force multiplying effect as many of the attacks are actually part of the crime as a service network which relies upon these relatively few individuals and systems.”

Law enforcement can trace such malvertising and malware campaigns back to a single host by following the breadcrumbs, which then allows them to take down the infrastructure the attacks are launched from. “Imagine you could trace several ransomware attack campaigns back to a single bullet proof host,” says Woodward. “You can take them off the air, and it puts a big dent in the criminal capability.”

Doing so, however, requires a lot of cooperation and collaboration across international borders, and as more countries and politicians get involved in the cyberattack world, things become more complicated. “Not all governments are as cooperative, so one can imagine a point in the not too distant future where if a government doesn’t respond to international requests to neuter a cybercriminal capability physically based in their territory, then another government’s offensive capability might be brought into action.” What that means for the future is yet to be seen.

What can brands do to protect against quality and security violations?

Native advertising is popular with publishers and the public, but it also poses some serious security challenges

Malvertising is a major problem for publishers. It redirects users to malicious websites that host exploit kits: automated toolkits or frameworks that scan a victim’s device, find software vulnerabilities and exploit them in order to deliver a malicious payload, such as ransomware.

“It's particularly insidious because it often doesn't require any user interaction – such as choosing to run downloaded files – to cause problems,” an NCSC spokesperson told Raconteur. “You can become a victim of malvertising simply by visiting a popular website.”

As with any form of cyberattack, malvertising has evolved over time. The latest incarnation exploits native ads – i.e. paid ads that match the look and feel of the media format in which they appear.

These can be found in social media users’ feeds or mixed in among Google search results or the editorial content on a publisher’s website. In other words, native ads don’t really look like ads, which is what makes them such an ideal tool for carrying out a malvertising attack.

Bad actors often deploy ‘malicious clickbait’ to entice users to a dodgy landing page. The clickbait portion of the attack generally takes the form of highly clickable native advertising, such as fake celebrity news or a ‘miracle’ product. Once the user clicks on it, they are directed to the landing page, which could trigger a phishing attack, a bitcoin scam or a prompt to download malware.

Publishers that unwittingly host this malicious clickbait on their sites risk revenue loss through lost users, reputational damage and even potential legal challenges. What can they do to address the risks posed by native advertising, and indeed malvertising in general?

[Chart: Some browsers are more secure than others – percentage of security violations by browser. Source: Confiant, 2021]

“Malvertising is a serious issue when it occurs, but there are tools that can and are helping to control the threat,” says Tina Lakhani, head of ad tech at IAB UK. “We recommend that publishers take a number of steps, including: ensuring their websites have migrated from regular HTTP to HTTPS and that ad calls are updated to reflect that; adopting IAB Tech Labs’ Safeframes 2.0 to prevent ads from taking control of a publishers’ websites and to help stop forced redirects; encouraging upstream partners to adopt buyers.json; and working with dedicated ad tech cyber security companies to continually scan creatives – especially from a third-party.” 

She adds that: “It’s also essential that advertisers are complying with the CAP Code to ensure that native advertising is clearly labelled and that viewers can easily distinguish it from editorial content.” It’s all great advice, so let’s explore it in more detail:

Migrate from regular HTTP to HTTPS

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, the primary protocol used to send data between a web browser and a website. Migrating to HTTPS is really the first step publishers should take when attempting to improve site security for their users. 

Adopt IAB Tech Labs’ Safeframes 2.0

SafeFrame is an API specification for communication between a web page and an ad that is enclosed within an iframe (an HTML document embedded inside another HTML document on a website). It enables safe ad interactions without direct access to the publisher's page data.

Encourage upstream partners to adopt buyers.json

Buyers.json is a mechanism for advertising systems and other intermediaries between payor and publisher to publicly declare the buyers that they represent. Armed with this information, publishers and their partners can more easily identify the sources of malvertising attacks and take action to protect their users.

Work with dedicated ad tech cyber security companies to continually scan creatives

According to the Trustworthy Accountability Group’s ‘Best Practices for Scanning Creative for Malware’ document: “All ads and landing pages require scanning against malware by using either in-house and/or a reputable third-party service.” Furthermore, “Scanning should incorporate updated blacklists that account for new threats” and “strive to detect and recognize threats that are at times hidden but still exposes users to malware (cloaking).” Finally, landing pages should be scanned, “near real-time and preferably prior to first user exposure.”

Comply with the CAP Code

Section two of the CAP Code states that: “Marketing communications must be obviously identifiable as such.” And that: “Marketers and publishers must make clear that advertorials are marketing communications; for example, by heading them ‘advertisement feature.’”