The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats


Published on

company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.

Published in: Education, Technology, Design
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats

  1. 1. WHITEPAPER The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats
  2. 2. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats Table of Contents ABSTRACT:............................................................................................................................................................... 3 1. MALVERTISING AND FRIENDS: THE DISSECTION ............................................................................................ 4 2. INTERNAL STRUCTURE: CATEGORIES............................................................................................................... 6 3. COUNTRIES OF ORIGIN..................................................................................................................................... 14 CONCLUSIONS ..................................................................................................................................................... 15 AUTHORS: Bianca Stanescu – Bitdefender Communication Specialist Ionut Radu – Bitdefender Online Threats Developer Cornel Radu – Bitdefender Online Threats Developer [2]
  3. 3. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats ABSTRACT: Reputable companies are not the only clients of advertising platforms. Scammers are doing their best to tap more of the commercial market. Almost 10 billion ad impressions were compromised by malvertising in 2012, according to the Online Trust Alliance. 1 Millions of users worldwide are exposed to malware, spam, phishing or fraud (scams), and even the most tech-savvy users can become victims. Over 100 advertising networks are serving compromised display advertising, and malvertising incidents increased by more than 250% from Q1 2010 to Q2 2010, the OTA showed. At the same time, more than one million sites carry advertising from over 300 ad networks and exchanges, according to the IAB. If we compare figures, this means that one in three ad networks may be serving malvertising. 2 Because such attack vectors are likely to develop in the future, a Bitdefender team decided to investigate the anatomy of malvertising and other e-threats injected in legitimate ad networks: fraud, spam and phishing. We first explained the dissection process, then focused on the internal structure and web categories of the baits injected by scammers into legitimate advertisements. The results confirm that business and computer and software landing pages are even more lucrative than pornography. The research also retrieved the countries where the scammy domains were registered. Some actually belong to those countries, while others are just misplacements that cyber-criminals use to avoid detection and law enforcement. After drawing an alarm signal on the evolving phenomenon of malvertising, the document also offers some guidelines to help users and advertisers avoid these e-threats. By knowing more about the anatomy of malvertising, companies, security experts and users can better fight these emerging security threats. The main findings of the paper are based on the Bitdefender technologies that instantly block phishing and fraud attempts after extracting and analyzing dangerous URLs in real time. In 2013, the security software won an Advanced+ award from AV-Comparatives and, in 2012, was proven the best in the industry at detecting phishing attempts after testing by the same independent analysis firm. The antivirus leader blocks 98% percent of phishing attempts that target users of PayPal, eBay, numerous online banks, social networks, online gaming sites, credit card data and more. [3]
  4. 4. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 1. MALVERTISING AND FRIENDS: THE DISSECTION Malicious advertising, or malvertising, allows cyber-criminals to spread malicious files through online publicity. In September 2009, New York Times readers were redirected to a site hosting malware because of an injected ad. One year later, TweetMeme (which closed its doors in 2012) also suffered a scareware attack because of malvertising. These popular examples show that malvertising has become one of the most dangerous e-threats, as it can easily spread across a large number of legitimate websites without compromising them directly. Moreover, silent malvertising allows scammers to infect users with no clicking or direct interaction. To extend the definition, spamvertising, fraudvertising, and phishvertising are used to spread spam, fraudulent, and phishing URLs through legitimate online advertising networks and webpages. By visiting websites affected by malvertising and other scams, users risk infection. According to the Online Trust Alliance , cyber-criminals have two main methods to exploit advertising. 3 “An increasing trend has been to create a fictitious identity and ‘front’ purporting to be a legitimate advertiser or advertising agency,” the OTA said. “They provide upfront payment and often approach unsuspecting partners with the urgency of a breaking ad campaign. They simply provide the ad creative which appear legitimate on the surface.” The second and more “traditional approach” is to breach a vulnerable server to obtain credentials and then compromise legitimate ads to stay undetected. According to our research, these are the most common methods used by cyber-criminals to place malicious code through advertisements: • Pop-up ads for fictive downloads, such as computer and software (fake movie players, toolbars, plugins and media converters); • Hidden and obfuscated JavaScript code; • Malicious banners; • Third-party advertisements through sublet ad networks and Content Delivery Networks; • Using iframes to embed malware and to avoid detection. These fairly new phenomena are harder to combat because cyber-criminals take advantage of two key features of Internet advertising: · Dynamism: online advertising is a versatile medium that allows scammers to stay undetected, as web page content changes regularly. This open system relies on multiple parties, including advertisers, ad networks, ad exchanges, ad services and site publishers, so cyber-criminals can obscure their trail. · Externalization: companies pay ad networks to distribute ads on their websites without knowing their content and purpose. This allows cyber-criminals to pose as legitimate clients. Some fraudulent commercials also appear because big ad networks sublet some advertorial space to third-parties, usually smaller platforms. In this process, the smaller networks end up placing malicious ads on reputable web sites. Our dissection on malvertising and other e-threats ran between 23 July and 24 August 2013, when the research team randomly selected over 70,000 ads served on nearly 150,000 web sites on the greyer area of the Internet. To select the ads, we scanned search engines for over 50 relevant search terms such as download cracks, lose weight now, earn money at home, free movies, free music, games, and torrents, that regular users look for. Because ads are chameleon-like, changing regularly, we also retested the web pages for new commercials to increase our data base. Out of the total number of ads, 41,400 advertisements led to the same number of landing pages with non-identical URLs. Some were composed of the same domain and path, but with different [4]
  5. 5. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats parameters. These parameters help ad networks retrieve information on user behavior, such as the web site that initially brought users to click on the ad. To analyze the malware, fraud, spam and phishing prevalence, we had to put the domains under the magnifying glass. We discovered that only 15,037 unique domains were hosting the 41,400 landing pages, which means that malvertisers and “friends” place the same baits on different web sites for increased efficiency. We designed a script to open the URLs with a browser emulator that simulated user behavior by clicking on the ads and retrieving the landing pages automatically. We have also retained the redirection chain, as most ads redirect users to two or three other web sites, which register them as visitors to bring extra revenue to the publishers. According to our data, the bad ads usually have more redirects than good or neutral ads. We analyzed the initial page (client page), from the first URLs where they were redirecting to the final landing page. After we concatenated the landing pages and applied an MD5 algorithm, we obtained the unique list of signatures. We scanned them with the Bitdefender engines to check if they are blacklisted. Almost 7 per cent of the landing pages analyzed was misleading, infecting users with malware or targeting them with fraud, spam and phishing. The neutral ads represented 46%, a percentage point less than the good ones. 4 Figure 1: Distribution of good, bad and neutral ads After checking the reasons for blacklisting by the Bitdefender engines, we discovered most dangerous landing pages that were advertised on multiple web sites were fraudulent URLs luring readers with fake software, business and financial offers. After this dominant category, spam (14.89%) and malware (14.52%) also target advertising platforms, followed by phishing, which helps scammers gain money or personal data by mimicking web sites of legitimate companies. With only 4 per cent prevalence, phishing is spread less through advertising networks because users are more securitysavvy than before. In 2012, an analysis on malicious Facebook domains published by The Virus Bulletin also showed that phishing is less distributed on the social network. The research on over 20,000 domains revealed that cyber-criminals prefer more effective weapons, such as malware (54%) and fraud (34%), followed by spam (11%) and phishing (1%), as a last variant. 5 Some analyzed landing pages belong to several categories. The most common combination cybercriminals abuse is phishing with a “sense” of malware. In this way, if they don’t get users’ money and personal data through the phishing attack, they install malicious files on the system for similar or worse repercussions. Because of potential and future security threats, Bitdefender also classified over 9 per cent of the analyzed web pages as untrusted. [5]
  6. 6. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats Figure 2: Different types of advertising security threats and their distribution 2. INTERNAL STRUCTURE: CATEGORIES To determine the internal structure of malvertising and other e-threats, and to distinguish the relationships of its components, we retrieved the web categories of dangerous landing pages. Our research shows that malvertisers make more money out of computer & software, business and health categories, than out of pornography. Figure 3: Most dangerous web categories promoted via malvertising and other e-threats Similar research this year also showed that online advertising is more likely to spread malware than porn is. According to Cisco’s 2013 Annual Security Report , online advertisements are the riskiest of all: 182 times more likely to infect users with malware than searching the Internet for adult content. The report also revealed that the highest concentration of online security threats is found not among pornography, pharmaceutical, or gambling sites, but on major search engines, retail pages, and social networks. 6 7 [6]
  7. 7. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats The landing web pages were assigned to one of 19 categories, based either on the category of the domain or on the content of that specific web page. For instance, a personal blog hosted on a blogging platform will be categorized as a blog, but it could also be categorized as a gambling page, based on its content. These categories are based on the background scanning of Bitdefender technologies, which overcame the limits of standard blacklisting, by classifying domains into 43 categories. That allows the webfiltering module to develop intelligent and human-independent filtering techniques that provide more accurate ratings and work faster. Non-profitable web categories that scammers don’t usually promote through malvertising include advice (forums), blogs, drugs, education, hacking, and hate websites. This last niche category covers websites that encourage violence or racism. Usually blocked by parental control software, this category includes websites that promote religious or sex discrimination, violence, xenophobic content, and terrorism. Here are the most lucrative web categories promoted through malware, spam, fraud and phishing placed on legitimate ad networks, with recent screenshots and a short description for each of them. 1. Business: 20.73% This dominant malvertising category covers websites that promote private businesses (corporate websites). The results made it the most popular web category because fraudsters create sites that pose as legitimate businesses and target users with fake offers, usually at very low prices. Unlike phishing web sites created by breaching vulnerable web sites or domains, fraud is better crafted and has web pages registered for longer period of times. Because they can easily be mistaken for authentic companies, it takes longer before they are taken down, so their uptime is higher than that of phishing attacks . 8 Examples of fraudvertising include fake offers for online garage sales, web hosting or satellite services. 2. Computers and software: 20.29% This category covers websites that provide computer information, software or internetrelated services. Malvertising in this category included a fake Disney website that promoted sexually explicit cartoons. Other dangerous ads led users to fictive downloading for SEO plugins, video convertors and cursors. [7]
  8. 8. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 3. Gambling: 12.84% This category covers online casino or lottery websites, which usually require money transfer before users can gamble. Dangerous landing pages found on ad networks trick users into sending their money and personal data with no chance to win. “Gambling” web pages also include “beating tips and cheats” web sites, which describe how to make money this way. 4. Health: 12.7% The fourth popular malvertising category typically covers websites associated with medical institutions, disease prevention and treatment, and websites that promote weight loss and pharmaceutical products, diets, etc. Malicious ads in this category offer miraculous tricks for “a tiny belly,” fraudulent detox medication and weight loss advice presented in the form of news. 5. News: 9.97% This category covers news websites that provide journalistic text, video content or newsletter services. It includes both global and local news websites. Our research showed that one in 10 dangerous landing pages were offering content presented as news. Typical fraudvertising cases include fake newsletter offers and weight-loss tips presented by a medical news “reporter.” [8]
  9. 9. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 6. File Sharing: 5.54% This category includes web pages that allow users to share or store files online. Some dubious websites promoted through advertising are used for fraud, identity theft or malware infections, after luring users with fictitious software downloads. 7. Pornography: 5% This category typically covers websites containing erotic and pornographic content (text, pictures or video). For accurate blacklisting, it may also detect erotic content on mixed websites classified in multiple categories. 8. Games: 4.78% This category covers websites with game presentations, reviews, and online games such as Flash-based applications. It also includes websites that offer the possibility of buying or downloading non-browser based games. Nonlegitimate game websites promoted through malvertising lead users to fake downloads and fraudulent surveys. [9]
  10. 10. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 9. Illegal: 2.5% This category covers websites related to software piracy, including peer-to-peer and tracker websites known as distribution channels for copyright content, pirated commercial software websites and discussion boards, as well as websites providing cracks, key generators and serial numbers for illegal software use. Illegal websites promoted through advertisements may lead users to malicious downloads and fraudulent URLs. 10. Job Search: 2% This category covers websites presenting job boards, job-related classified ads and career opportunities, as well as aggregators of such services. In the case of malvertising and other e-threats, the most common traps are job scams that ask users for money and personal details so they can follow their “American dream.” [10]
  11. 11. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 11. Online Shop: 1.76% This category includes online stores and platforms that sell different goods or services. The typical threat infiltrating legitimate ad networks is once again fraud - scammers put up fake shops, register them on reputable TLDs such as “.com” and even design them better than some authentic ones. Poorly crafted online shops may also be breached by phishers, who can then steal users’ money and sensitive data. 12. Online Dating: 0.74% This category typically covers paid or free websites where users register to find a dating partner or a new relationship. An extension of the social networks category, online dating is typically misused to steal users’ personal details and to help social engineers craft human data bases. [11]
  12. 12. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 13. Financial (Banks): 0.73% This category covers the websites of all banks and financial institutions, including loan companies, credit card agencies, and companies in charge of brokerage of securities or other financial contracts. One recent scam promoted through malvertising was a fake loan web site that got almost 200,000 Facebook likes. 14. Travel: 0.25% This category covers websites that offer travel facilities and equipment as well as destination reviews and ratings. Anti-fraud technologies blacklist fake websites in this category if they discover they were registered to trick users with fraudulent offers. Recently, a Dubai promotion web site was being advertised through malicious techniques. [12]
  13. 13. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 15. Portals 0.19% This category covers websites that aggregate information from various sources and domains. Portals also offer features such as search engines, e-mail, news and entertainment information. Here’s how a recent malvertised portal looked: 16. Instant Messaging: 0.08% This category covers websites where users can chat in real time or download IM software. Such websites may be included in several other categories, such as pornography. [13]
  14. 14. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats 17. Webmail (0.06%), Entertainment (0.04%), Social Networks (0.04%) These three less popular malvertising categories cover websites that provide e-mail functionality as web applications, websites that provide information related to artistic activities, and social media websites. 3. COUNTRIES OF ORIGIN Research on ad networks also showed the top countries of origin for malvertising web sites. Most malvertising and other e-threats originate from the US, the Netherlands and Canada. This doesn’t necessarily mean that cyber-criminals are residents of those countries, as they can easily register web sites in any place they want to hide from law enforcement. We also discovered malicious web sites registered in remote islands. Figure 3: Countries of origin for Malvertising and other e-threats GUIDELINES To lessen the chances of getting tricked by malicious and fraudulent advertisements, users and ad networks can take several precautions: Before activating commercials on their web sites, companies and ad networks should carefully check their origin and legitimacy. To verify if a website is authentic, users and companies can look for WhoIS information to see if the web page is hosted in the country where the company is based. Most fraudulent web sites are registered for just a year, and this can also be a sign. Also, if a website was created from a private e-mail address such as or, it’s almost certainly a scam. To prevent malvertising effects, keep your antivirus updated, together with your operating system and other software. Dangerous websites inserted in advertising platforms can’t download malicious files if a security solution is installed and up to date. [14]
  15. 15. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats CONCLUSIONS Research showed that almost 7 per cent of landing pages multiplying on advertising platforms pose serious dangers to computer users. The most dominant malicious category of all malvertising e-threats is fraud, which takes the form of fake software offers, business and financial scams. In addition, users are targeted by malware injected in legitimate ads, which helps cyber-criminals stay undetected longer. By using their baits on multiple advertising platforms, scammers also multiply their chances of making money with minimal effort. Another pertinent conclusion is that the highest concentration of online security threats promoted through advertising are found not among pornography and online dating, but on business and computer websites. In conclusion, users and other stakeholders should be more careful when dealing with online advertisements. If the inner structure of the system continues to be this open, with so many parties involved and without firm security scanning, cyber-criminals will take advantage more often of companies, advertising platforms and end-users. [15]
  16. 16. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats REFERENCES: DAMIAN, Alin, Understanding the domains involved in malicious activity on Facebook, Copyright © 2012 Virus Bulletin,, June 2012 DIMA, Bianca, DAMIAN, Alin, “Phishing and fraud: the make-believe industry”, Copyright © 2013 Virus Bulletin,, April 2012, Cisco 2013 Annual Security Report (ASR), html?SurveyCode=6653&KeyCode=000204094 MLOT, Stephanie, “Online Advertising More Likely to Spread Malware than Porn”, February 1, 2013,,2817,2415009,00.asp. Online Trust Alliance, “Anti-Malvertising Resources”, 29-07-2012 malvertising.html Online Trust Alliance, Voluntary Anti-Malvertising Guidelines & Best Practices Helping to Combat Malvertising and Preserve Trust in Interactive Advertising, final10_18.pdf5-5. (Endnotes) 1 Online Trust Alliance (2012-07-29), “Anti-Malvertising Resources”. Retrieved 2013-25-5. 2 Voluntary Anti-Malvertising Guidelines & Best Practices Helping to Combat Malvertising and Preserve Trust in Interactive Advertising,, Retrieved 2013-25-5. 3 idem 4 The web sites were considered neutral because there wasn’t sufficient data to classify them otherwise, as they only had a few visitors and no user ratings. 5 DAMIAN, Alin, Understanding the domains involved in malicious activity on Facebook, Copyright © 2012 Virus Bulletin,, June 2012, Retrieved 2013-29-09. 6 Cisco 2013 Annual Security Report (ASR), Retrieved 2013-29-09. 7 Stephanie Mlot February 1, 2013, Online Advertising More Likely to Spread Malware Than Porn,2817,2415009,00.asp, Retrieved 2013-29-09. 8 DIMA, Bianca, DAMIAN, Alin, “Phishing and fraud: the make-believe industry”, Copyright © 2013 Virus Bulletin,, April 2012, Retrieved 2013-29-09. [16]
  17. 17. The Murky Waters of the Internet: Anatomy of Malvertising and Other e-Threats [17]
  18. 18. All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners. About Bitdefender Bitdefender is a global company that delivers security technology in more than 200 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning security technology, for businesses and consumers, and is one of the top security providers in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has created the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with some of the world’s leading virtualization and cloud technology providers. All Rights Reserved. © 2014 Bitdefender. All trademarks, trade names, and products referenced herein are property of their respective owners. FOR MORE INFORMATION VISIT: ENTERPRISE.BITDEFENDER.COM