Cybercriminals behind the Yahoo and Azure malvertising attacks are back -- this time using MSN. It's the same group behind the attacks on the ad network AdSpirit.de, the one recently abused in malicious advertising attacks against other top media sites.
Advertising networks need to implement stricter standards for submitting ad inventory, said Jerome Segura, senior security researcher at Malwarebytes Labs. Ad networks are too relaxed, and higher standards are needed. "There's a lot of work to be done in terms of tighter regulations on who can place an ad on the network," he said. "Some require very little information and no previous history before submitting the advertisement. The industry needs a zero-tolerance policy for offenders."
These are not dark underground sites but mainstream portals serving malvertising-infected ads, Segura said -- adding that one campaign could serve billions of ad impressions daily, so it could have 2,000 to 3,000 hits. He calls for a blacklist policy after one strike: if an advertising network that gets caught once with malvertising running on the network must face consequences, companies will view this much more seriously.
Malvertising does not require user interaction -- the ad simply needs to display in the browser. Most cybercriminals take advantage of vulnerabilities in Flash Player, but Segura expects to see similar attacks in HTML5 in time. Search engine advertising is not vulnerable to these types of attacks because malvertising sits in the code of the advertisement. Cybercriminals cannot hijack the browser with a simple text-based ad. Sometimes the publisher isn't aware that the ad comes from an advertising network five degrees removed.
Unfortunately, companies still view the problem as part of doing business. In all fairness, some advertising networks have protocols and quality control processes in place to validate the person or the company submitting the ad, but the industry lacks standards. "If ad networks can centralize where the ads are stored, they would have better control," Segura said. "There are too many loopholes that need to be checked."
It's not all about ad networks. Too many consumer machines are not up to date on the latest security software and are running out-of-date Flash players. About 40% of victims faced with malware or an exploit kit are not protected, according to Cisco Systems.