Malvertising… Is Your Business Infected?

Posted by Matt Simon on Dec 3, 2015

Studies have shown that human error accounts for more than 50% of the data breaches that occur in businesses. So how are cyber criminals responding?  They're developing more sophisticated forms of malicious software and using trusted sites to lure their next unsuspecting victim.

Enter one of the newest threats - malvertising.

And users aren't the only victims here – businesses and advertisers also suffer from this growing threat 

Malvertising is the use of online advertising that contains hidden malware, and is spread by slipping the malware into advertisements found on legitimate websites... sites we trust and rarely think twice when clicking on their advertisements.

This new cyber risk has been on the rise over the past year and a half. In August, Yahoo said it had been the victim of a massive malvertising attack, one that could have affected its 6.9 billion monthly visits.

Stories like this are poised to become even more prevalent, and recent studies show just how serious this threat has become.

One study, released by security company RiskIQ found that the number of malvertisements in 2015 had jumped 260% compared to the same period in 2014.

Another study, from security firm Bromium found that more than 58% of malvertisements were delivered through news and entertainment websites, including trusted sites like CBS News, NBC Sports and Weather.com.

What is malvertising?

Malvertising is the combination of two words:  malicious + advertising.

Malvertising is not just about malicious misleading advertisements that lure users to phishing websites – they're designed to compromise your computer by downloading a short malicious code when a user hovers over, or clicks on an advertisement

And before you say 'it can’t happen to me because I never click on those advertisements,' understand that this malware can also auto-run – have you ever been redirected to a website that’s different from what you trying to visit?

So unless you simply refrain from using the internet… forever, you could potentially become a victim of this type of malicious advertising.

How does malvertising work?

One of the reasons malvertising has flourished is because it uses legitimate websites to deliver its malware.

Cyber criminals spend money to place legitimate ads, either through agencies or by approaching websites directly. Under the cover of that legitimate transaction, cyber criminals then plant their malware in the ad’s code, either in the form of an exploit kit, which runs undetected, or as a prompt for a fake software update that requires the end user’s consent to execute its malicious code.

Once the malware has been installed or installs itself, it grabs information off the user’s hard drive. The hackers behind it can then use that to gain access to sensitive business data and customer information.

That’s bad for the computer user and their business, as well as the business represented in the ad containing the malware.

  • The computer user made their business vulnerable to malicious code and put their customers’ data at risk.
  • The company who had the infected advertisement could be known for delivering malware.

And to make matters worse, because business owners visit their own websites frequently, they can infect their own computers and systems.

Why is malvertising a growing threat?

According to a recent study conducted by CompTIA, human error accounts for 52% of data breaches. Yet, companies generally rate human error as a lower concern among security issues. As a result, cyber criminals are developing software that takes advantage of these human errors.

Attackers have the ability to orchestrate their ads based on your online profile and preferences to lure users into clicking on malvertisements.

Many users consider online ads as harmless or even a nuisance, and because malvertising attacks rely on a trusted destination as a lure, it's easy to see why this scheme is effective.

The scary thing about these ads is that they are cleverly hidden behind the scenes, but the outcome typically involves tampered accounts, identity theft and financial loss – all of which can have devastating consequences for the business.

Tip. A properly structured Cyber & Data Breach Insurance Policy could not only respond to the costs associated with identity theft and the data breach, but also the costs of restoring your systems that we damaged as a result of the malware.

Preventing malvertising

Experts recommend taking these actions to protect your business from becoming a victim of malvertising.

  • Install security patches. There’s no easier target than a known vulnerability; deny criminals that opportunity by updating web browsers and plug-ins with the latest security patches.
  • Enable click-to-run. Malicious ads can’t run their exploit kits if Flash isn’t allowed to automatically play ads.
  • Invest in anti-virus software. Quality, up-to-date anti-virus software can’t stop malvertising, but it can identify exploit kits and should be able to prevent most malware from installing.
  • Consider ad-blocking plug-ins. This is a powerful solution, but it has a downside. Ad-blocking plug-ins prevent all advertising content, which provides wide-ranging protection; however, it might prevent the sites you visit from collecting ad revenue from legitimate advertisements.
  • Train your employees. It’s important to discuss safe Internet usage with your employees. Make sure they are aware of the risk involved in clicking on pop-up advertisements.
  • Limit employee internet usage. Unfortunately, malvertising is being delivered through more and more trusted websites every day. However, you can limit the number and types of websites your employees have access to.

Experts warn that none of these protections are absolute, and since most companies can’t avoid using the Internet, it’s important to make sure you’re covered in the event of a data breach.

Curious about what you can do to prevent Cyber Crime?

ohio-cyber-crime-prevention

Protection from malvertising

Unfortunately, there’s no way to completely prevent malvertising, a cyber attack, or a data breach from occurring. With the growing threat of malvertising, it’s no longer a question of IF you will be hacked, it’s just WHEN?

If our country’s largest, most sophisticated organizations deploying the best cyber security protocols can be breached, how can we assume we’re immune?

If the data and systems of our government, the IRS, CIA and FBI can all be compromised, is it realistic to believe that just because we’re a small business, we’re safe?

Now more than ever, small businesses are standing up and saying ‘we need help.’

And that’s exactly what we provide.

Help in managing the exposures a small business faces so we can reduce the likelihood of a breach, and help in securing the most appropriate Cyber & Data Breach Insurance to respond when the inevitable breach does occur.

Cyber insurance is hugely complex, and since each policy is different, only a Licensed Insurance Advisor is equipped to assist you in understanding what type of cyber insurance you need, and then most importantly, helping you develop a specific policy designed to adequately protect your business.

To learn more about how we can help, download our Cyber & Data Breach Liability eBook, or if you need to get insurance coverage in place now, simply Request a Proposal and we’ll get to work right away.

 

Cyber & Data Liability Insurance eBook

Additional articles that may interest you:

Cyber Liability Claims Examples

I'm a cyber breach victim, now what?

A lesson from the Sony Data Breach

Cyber Insurance Coverage: Why Commercial General Liability isn't enough

Category: Cyber Liability Insurance (1)