Best practices for avoiding novel threats online
By Tom McVey, Senior Sales Engineer EMEA, Menlo Security
Artificial intelligence has transformed digital marketing.
From tracking customer conversations to measuring engagement with content, it’s a technology that’s enabling organisations to unlock incremental competitive advantages through productivity improvements, data-informed service enhancements, and enhanced customer interactions.
However, there are two sides to every coin.
Research conducted by CensusWide for Menlo Security reveals that one in three UK consumers believe that over half of all advertisements on websites or social media sites are generated by AI. The merits of AI in marketing and advertising are clear – it’s an undoubtedly useful resource. Yet it also opens up opportunities for malicious actors.
With the increasing use of AI in digital advertising, we at Menlo anticipate a major spike in ‘malvertising’ due to the rise in convincing fake ads created by AI tools like ChatGPT and image generators such as Midjourney and DALLE.
What is malvertising?
Malvertising is a form of highly evasive threat where malware is embedded into online or social media ads.
Malvertising can be particularly tricky to detect for both internet users and publishers, with malicious ads typically serving consumers through legitimate advertising networks; all internet users encountering them are at risk of infection.
Not only is malvertising novel, it’s typically complex, and usually comprises several rungs in the attack chain.
Attackers will usually begin by breaching a third-party server to inject malicious code within a digital advert, such as a banner advert, or video. If clicked by a website visitor, the corrupted code will lead to the installation of malware on the user’s endpoint device or direct a user to a malicious website.
Indeed, some advertising attacks involve the use of exploit kits – created with the intention of surveying a system to then identify and exploit vulnerabilities. And, if installed, malware can wreak untold damage.
Threat actors may delete, modify, or encrypt data. Further, malware may be used to corrupt files, redirect internet traffic, monitor user activity, steal data or develop backdoor access routes to a system.
Awareness of malvertising is currently low
Given this is a relatively novel and innovative attack method, awareness of the threats of malvertising remains low at present.
In our survey conducted with CensusWide, we found that while seven in ten consumers say they currently click on advertisements on the internet ‘to some extent’, the vast majority (70%) of respondents simply didn’t know they can be infected with malware by clicking on a brand logo.
By comparison, almost three-quarters (73%) understand they can be infected by malware hidden in an email link.
The research also revealed that around half (48%) are unaware they can be infected via a social media ad, while 40% didn’t know they can be infected by clicking on pop-ups and banners. Furthermore only 32% wouldn’t trust any website not to contain malvertising.
These statistics are concerning. Indeed, it’s estimated that approximately one out of 100 online ads is currently malicious, and we now expect this to rise even further as more AI tools and software become increasingly available and easy to use.
Malware-as-a-service and AI generated text and images are already accessible, meaning even attackers with little or no skills can create convincing ads and powerful evasive malware to boot. We’re expecting a big uptick in malvertising as a result.
Best practices for avoiding malvertising
Awareness of the risks needs to increase so that anyone online applies caution to clicking on adverts on any website – no matter how much they trust it.
Some people may be shocked to learn that even the most credible websites are not immune to malvertising. Indeed, we recently found that the top three brands impersonated by malicious threat actors attempting to steal personal and confidential data over a 90-day period were Microsoft, Facebook, and Amazon.
So, how can consumers ensure they don’t become the victim of malvertising?
First, it’s important to carefully check website URLs before clicking. This can be done by hovering your mouse over the advert until the URL appears. Threat actors can often use convincing domain names by replacing certain characters to trick the eye, but they won’t be able to use the actual domain of the site you think you’re clicking on. Therefore, meticulously checking links for discrepancies is important.
Second, web users should check the brand logo to see if it looks genuine. When logos are copied, they can appear stretched, squashed, or pixilated. This could be a sign that it’s not legitimate – large companies tend to have strict branding guidelines that malvertising attackers won’t necessarily follow.
It’s also worth considering what the advert is asking you to do. Legitimate brands often place adverts to increase brand awareness. Malvertising campaigns do not care about these impressions. They will be more direct, asking you to ‘click here’ or ‘buy now’.
In this sense, it’s important to be cautious of redirections. If you do click on an advert and it takes you through to the site you expected, be aware that the more ads you click on the higher chance you have of encountering malware.
Our research has found that you’re only 3-7 clicks away from malware online. And the growing prevalence of AI generated content online will only fuel highly evasive threats such as malvertising further.
Ultimately, the key is taking a cautious approach to adverts. No website is immune to malvertising. By staying vigilant and always following best practices, you’re much more likely to stay protected.
About the Author
Tom is a Senior Sales Engineer at Menlo Security for the EMEA region, a leader in cloud security. In this role, he works closely with customers to meet their technical requirements and architects web and email isolation deployments for organisations across different industries. Coming from a varied background in cyber, Tom provides expert cybersecurity advice and strategic guidance to clients.
Prior to Menlo Security, Tom previously worked for LogRhythm and Varonis. Tom is experienced at speaking at live events, including Infosecurity Europe, and presenting on webinars and podcasts.