By Michael Perry and Val Vask
With more than three billion people using the Internet every day, malicious actors are finding more and more ways to target as many unsuspecting victims as they can. Though there are many web-based attack methods that cybercriminals use to expose an organization’s employees to malware and ultimately gain valuable corporate information, two that have been gaining popularity recently are malvertising and watering holes. Both attack vectors take advantage of legitimate, trusted websites, which is why they are a major concern for enterprise management when it comes to controlling the viewing habits of employees.
Malvertising (‘malicious advertising’) refers to an online ad that’s infected with malware or malicious links. Cybercriminals place infected ads into legitimate advertising networks and webpages. In some cases, victims click the ad and malware is downloaded onto their device or they are redirected to another site with malicious code. In other cases, criminals exploit zero-day vulnerabilities in Adobe Flash so that the malware will download directly onto the victim’s computer, even if they don’t click the ad. Ultimately, the cybercriminal is hoping to generate more income through “advertisement hacking” or fraud.
Malvertising is successful because it captures the reader’s attention by advertising exclusive content, breaking news, or promotional items to unsuspecting victims. Although malvertising can target specific groups or regions, the targets are usually broad in scope. It is a primary vehicle of infection for millions of unsuspecting Internet users.
Ad networks are a popular target for malvertisements because they have a large reach, providing more of an opportunity to lure victims to visit a website hosting infected ads. Malware-laden ads are often near-exact copies of the original, legitimate ad. It is estimated that more than 53 billion ads are infected with malware.
Malvertising is not considered to be sophisticated because it looks for known exploits embedded in HTML source code or advertisements themselves. However, it can still be dangerous because it can be hard to detect.
Common exploits/methods of attack used in malvertising:
- Plug-ins with rich content (e.g., Adobe Flash Player, Adobe Reader)
- iframe injection – can silently trigger background installations unbeknownst to the end user
- Pop-up and Banner ads
- Links in text ads
One of the most well-known methods of malvertising is clickjacking. Clickjacking occurs when a user is tricked into clicking something different than what they thought they were clicking. With clickjacking, the cybercriminal compromises third-party ad feeds, not the actual website. They do this by exploiting the ‘iframe’ (inline frame), JavaScript, or the ad itself. Compromised iframe or JavaScript source (‘src’) properties embedded in HTML will usually contain a “redirect” to another website that contains malware.
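The audit below is an added example, not part of the original article: it lists the iframe and script tags in a page whose ‘src’ points at a host outside an expected allowlist, and iframes that are sized or styled to be invisible. The hosts, the allowlist and the sample HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class EmbedAuditor(HTMLParser):
    """Records <iframe>/<script> tags that load from unexpected hosts."""
    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.page_host = page_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts} | {self.page_host}
        self.findings = []  # (line, tag, host, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return  # inline script or srcless frame: no remote source
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        if host not in self.allowed:
            reasons.append("host-not-allowlisted")
        zero = a.get("width") == "0" or a.get("height") == "0"
        if tag == "iframe" and (zero or HIDDEN_STYLE.search(a.get("style", ""))):
            reasons.append("hidden-iframe")
        if reasons:
            self.findings.append((self.getpos()[0], tag, host, reasons))

def audit_embeds(html, page_host, allowed_hosts):
    auditor = EmbedAuditor(page_host, allowed_hosts)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://ads.adnetwork.test/tag.js"></script>
<iframe src="https://ads.adnetwork.test/slot1" width="300" height="250"></iframe>
<iframe src="//redirector.test/r" width="0" height="0"></iframe>
<script src="https://redirector.test/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_embeds(SAMPLE_PAGE, "news.test", {"ads.adnetwork.test"}):
        print(finding)
```

Run against a saved copy of a page, the output is a review list for whoever owns the site or the ad integration; an allowlisted host can still serve a bad creative, so this complements rather than replaces the controls listed later.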
Watering holes are another popular attack method that cybercriminals use to compromise trusted websites. A watering hole is a website that has malware embedded directly into the site itself. In watering hole attacks, the cybercriminal or threat actor researches a specific target, focusing on infecting trusted sites the victim frequents. This type of attack typically affects government agencies or corporate organizations with the objective to collect intelligence or obtain intellectual property. In one watering hole attack, for example, a company’s employees were targeted via a compromised website for a local restaurant from which they frequently ordered lunch.
Watering holes exploit zero-day vulnerabilities that haven’t been reported through public channels – which means anti-virus software will rarely find them.
Common exploits/methods of attack used in watering holes:
- Application layer protocols (e.g., HTTP, TLS/SSL, LDAP)
- Browser-specific vulnerabilities (e.g., unpatched Internet Explorer browsers, Firefox)
- Application Programming Interfaces (API) (e.g., ActiveX)
Watering holes and malvertising are not to be confused, as malvertising affects only the advertising feed (usually a third-party advertisement) and NOT the website itself. If you click on an advertisement and are redirected to a website with malware, then the advertisement itself did not contain malware; only the website to which you were redirected did. Watering holes compromise an entire website, which, in turn, may compromise user credentials (e.g. passwords) of visitors to the site.
How to prevent falling for watering holes and malvertising:
- Keep browsers up-to-date
- Aggressively scan for network vulnerabilities
- Monitor outbound network traffic
While the above precautions should be taken, it is worth noting that watering holes are difficult to prevent and mitigate. This is because they exploit zero-day vulnerabilities, and security teams often don’t find out about an attack until weeks after it was committed.
On the other hand, malvertising is easier to prevent and control. In addition to the previously mentioned techniques, you can also:
- Configure the ‘X-Frame-Options’ response header on websites or employ anti-clickjacking attributes on HTML5 webpages
- Use ad blocking software or extensions
- Hover your mouse over the ad to ensure the URL makes sense
- Install NoScript or other browser-specific add-ons that prevent frames from activating
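A check for the first item in the list above, as an added example that is not part of the original article: it audits a response's headers for a framing restriction. It goes beyond the article by also reading the Content-Security-Policy ‘frame-ancestors’ directive, which browsers enforce in place of X-Frame-Options when both are sent. The sample headers are constructed.

```python
PERMISSIVE = {"*", "http:", "https:"}  # sources that allow any site to frame


def parse_csp(value):
    """Return {directive: [sources]} for one Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A directive repeated within one policy is ignored after its first use.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_findings(headers):
    """Return findings for one response; an empty list means framing is restricted."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").upper()
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    findings = []
    if xfo and not xfo_ok:
        # ALLOW-FROM is obsolete; current browsers ignore a header that uses it.
        findings.append("xfo-value-ignored:" + xfo.split()[0])
    if ancestors is None:
        if not xfo_ok:
            findings.append("no-framing-restriction")
    else:
        # Where frame-ancestors is present, browsers enforce it instead of XFO.
        loose = sorted(PERMISSIVE & {s.lower() for s in ancestors})
        if loose:
            findings.append("frame-ancestors-permissive:" + ",".join(loose))
    return findings


# Constructed response headers; the partner origin is a placeholder.
SAMPLES = {
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.test"},
    "conflict": {"x-frame-options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "missing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_findings(hdrs))
```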
Check out our infographic below for more on malvertising and watering holes!