What You Don't Know About Malvertising WILL Hurt You!
Most people think that hacking happens in the dark corners of the Internet, but the reality is that popular mainstream sites are actually the most dangerous. The reason is "malvertising" – the act of hijacking ad serving networks in order to push exploits onto legitimate websites. Simply viewing the malicious ads infects the unsuspecting user. These exploits don’t need active participation from the target; undermining the process of conventional user training.
You can no longer assume that you will be safe if you avoid the dangerous back alleys of the Internet, because malicious actors actively and intelligently hunt their victims. High value targets for attackers spend their time on mainstream or industry specific web pages, so that is where the attackers go too. According to Cisco’s Annual Security Report, the most common, trusted websites we visit everyday have the highest overall incidents of web malware encounters. For example, Cisco reports that online advertisements are 182 times more likely to infect you with malware than porn sites.
All the effort spent training users to avoid dangerous parts of the Internet ironically leads to a counterproductive false sense of security when visiting well traveled and popular websites. That false sense of security tends to cause users to be less on their guard and more willing to click links and “OK” buttons on trusted sites, which in fact are more likely to put them at risk for compromise than less mainstream sites. Even if a user sees an alert it is often ignored because they believe they are visiting a presumed “safe website.”
Why Malvertising Is So Effective?
Malvertising works because attackers are taking advantage of the dual misperceptions that mainstream sites are safe and if you don’t actually click on a link you won’t get infected. They are betting on the fact that users are too busy to be bothered with truly understanding the threat from today’s sophisticated malware. And they are right. Real users have real jobs, and security is generally incidental to their core responsibility. In fact, needlessly cumbersome security often actively gets in the way and must be circumvented for the worker to actually get their job done. Despite that, when there is a breach they are frequently shamed and blamed. To be effective security needs to work in a way that lets people do their jobs and does not fall like a house of cards when they absentmindedly click the wrong thing. This leads us to the other reason malvertising is so effective – insecure web browsers!
Malvertising on major websites is effective because traditional browsers are ineffective in protecting against these attacks and despite training and/or security alerts, people will continue to look at the webpages and click the links that are crucial for them to get through their days. As a result, the only likely evolution in malvertising is towards increased targeting of attacks which makes them harder to detect and increases the likely damage to the selected victims.
So if users are more likely to circumnavigate security protocols because they inhibit their ability to do their jobs (further training is not going to address the issue) and browsers continue to be vulnerable, how can enterprises ensure their employees do not fall victim to these highly sophisticated malvertising campaigns?
A Simple Solution
If training doesn’t work and compromise still happens regardless of whether users click on a link or not, the solution comes down to effectively isolating the user’s web session from their actual computer. This can be achieved by using a secure virtual browser. By implementing secure virtual browsers, enterprises can be assured that the corporate networks are protected against web based attacks. Additionally their employees will not be inclined to circumnavigate this security solution because virtual browsers look and feel to the user like traditional web browsers.
What makes virtual browsers so effective at protecting against compromise is the ability to isolate all browsing activity from the local computer and network, allowing users to access any website and follow any link without risk to the company’s infrastructure or data. Unlike traditional browsers, users are able to be on the web, watch and download videos, music, and files of all types, as well as print without putting their actual machine at risk. Using a secure virtual browser as the default method for Internet browsing assures that when a user clicks a bad link or is targeted with a web attack, they will be protected. Another key benefit of some virtual browsers is the capability to hide a user’s identity and corporate affiliation, significantly reducing the ability of adversaries to conduct targeted web attacks.
As malware continues to become more sophisticated and adversaries are turning to more targeted attacks, the ability to isolate web sessions and stay anonymous is more critical than ever. While end user training may not have success against this new form of compromise, IT education will. The truth of the matter is, what you don’t know WILL hurt you. The dark alleys of the Internet aren’t as scary as we once thought; it’s the sites we visit in our daily activities that we need to be wary of. We can no longer assume that simply avoiding certain websites and avoiding clicking links will be enough to keep us safe.
About the Author
Lance Cottrell is Chief Scientist for Passages, a secure virtual browser that allows users to navigate and browse the Internet without fear of picking up malware. He is a well-known expert on security, privacy, anonymity, misattribution and cryptography, and is the principle author on multiple Internet anonymity and security technology patents.
Edited by Peter Bernstein