A new form of digital malicious software that preys on users' implicit trust in major online brands, such as YouTube or Adobe, is rapidly spreading across the Internet.
Worse yet, these "malvertisements" may soon become the primary means of distributing what is known as malware, leaving users with little or no defense, a new study says.
Researchers at the digital security firm RiskIQ will release their study Tuesday at the annual Black Hat cybersecurity and hacking convention in Las Vegas.
The RiskIQ researchers monitored more than 2 billion Web pages and 10 million mobile apps over the past year. They found that the incidence of malvertising on those sites jumped by a whopping 260 percent from last year.
The number of unique malvertisements also grew from year-ago levels by 60 percent.
"Malvertisements is a combination of ‘malware’ and ‘advertisements,’ or simply malware that comes through an advertisement," said James Pleger, RiskIQ's research director and the report's author. "The litmus test for me is, first, if it’s something I don’t want on my computer, and second, if it was delivered through an advertisement, then it’s malvertising."
Hiding in plain sight
For most users, a malvertisement would look legitimate and be indistinguishable from any of the other thousand-odd online ads offered up daily on websites, blogs and social networks. Malvertisements' "hiding-in-the-open" nature makes them effective at skirting our built-up skepticism of online trickery, Pleger said.
Among the most popular malvertisements currently are pop-up ads advising users to update their software from a trusted service, such as Adobe’s popular Flash player.
"So you go to a common website, and you get a pop-up with an ad that says your Flash is out of date," Pleger said. "... This isn’t actually Flash telling you it’s out of date; it’s an ad on the website that actually delivers malware. People click on that and they’re easily tricked into downloading it."
Complicating matters, some malvertisements employ what are known as "drive-by exploit kits," which can deliver malware through software security holes without the user having to click on a link or download anything. As soon as an ad loads onto a computer, smartphone or tablet, the device is infected.
Online advertising 'ecosystem'
Perhaps the biggest challenge in tracking down and eliminating malvertising is what Pleger calls the "vast, complex ecosystem" that creates online ads in the first place.
Think of the cyber-ad space this way: Each site you visit gathers as much information on you as it can: your identity, your social media activity, your friends, the other websites you visit and what you search for. All that information and more is collected and then shared across a labyrinthine web of marketing firms, allowing advertisers to instantly create highly tailored and customized ads just for you.
That, for example, is how Facebook knows you’re shopping for gym shoes, because earlier you were searching Amazon for the exact same thing. It also explains how host sites can often inadvertently play host to malvertising, even while trying to combat it.
"Security was an afterthought in this ad world," Pleger said. "This retargeting of ads almost makes a perfect platform for malvertising. You can actually use malvertisements to target specific types of users you’re interested in infecting. This is why it's a huge issue for users."
Beware, mobile users
Pleger expects malvertising will continue to surge in the coming year. He predicts the attacks increasingly will target mobile devices.
"As more people are mobile, it’s a little easier to target them and they’re a little more used to some of the ad content in there," Pleger told VOA. "We’re going to see a shift toward mobile and an increase in general of malvertising."
While cybersecurity firms and e-commerce sites such as Amazon scramble to keep up with the evolving malvertisement threat, users can develop a few commonsense habits to try to keep devices clean.
One of the best, said Pleger, is regularly updating a computer’s operating systems and applications.
"The important thing, when you update your software, is that you go to that vendor’s website," Pleger said. "You don’t wait for pop-ups but proactively update [the device] yourself."
Other good cyber-hygiene habits include creating strong passwords and using different passwords for different programs.
That said, history proves that many users pay lip service to those suggestions, but rarely actually employ them.