Dark corners of the Internet harbor trouble. They’re supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?

That’s the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes.

Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.

How targeted? Security company Invincea says geo-targeting of advertisements can pinpoint ads geographically, limiting attacks to specific states or even neighborhoods. Hackers can do the same kind of targeting, focusing in on an enterprise’s public IP space with malicious ads through RTB, or use more generic profiling of users through their shopping habits, or via high-traffic websites hosting certain click-bait types of content.

“All ads are RTB now, it’s been that way for 18 months, so any time you hear about malvertising, it’s always because RTB has been abused,” said Pat Belcher, director of malware analysis at Invincea.

Belcher said hackers who dabble in malvertising are generally a step ahead of defenders by exposing loopholes in controls put in place by ad networks to sidestep ad scanning. And even if malvertising campaigns are found out, they’re generally live only for a matter of hours and are burned to the ground before an ad network can take action against a phony account.

“It’s almost foolproof,” Belcher said.

How Malvertising Works

Malvertising is the means to an end for an attacker–and the ends haven’t changed much. Hackers use the tactic to build botnets, distribute banking malware, or even deliver complicated exploits used in targeted attacks. The nuance is in the simplicity with which malvertising schemes are pulled off. Belcher said the first step is to create a phony corporate front in order to buy ads posing as a legitimate advertiser.

Usually, the attackers already manage compromised websites hosting exploit code where malvertising victims will be sent. Once a victim is chosen, either geographically, by entity, or user class, the hacker will bid up their ads via RTB to get their ads displayed on the sites they target. The money to jack up the bidding, Invincea says, is usually stolen or generated from click-fraud and other malware campaigns. Once the ad bidding is won, the malicious ad that either contains an exploit or an iframe redirect to an exploit sit is delivered via the ad network.

The hackers quickly dispose of their landing page once they’ve popped enough victims to build up another botnet or click-fraud network, or stolen enough banking credentials to see some money. Belcher said most campaigns last less than four hours.

“Part of it is proliferation, part of it is attackers figuring out how insanely easy it is. It’s easier than hacking websites.”

-Robert Hansen

Threatpost requested comment from several large ad networks for this article, none of which replied.

“[Malvertising] is consistently growing because ad networks are in a lot of places they never used to be in,” said Robert Hansen, vice president of WhiteHat Security Labs and a longtime researcher who goes by the handle RSnake. “Now basically every site, even banks, is using DoubleClick. You can’t avoid it.

“Part of it is proliferation, part of it is attackers figuring out how insanely easy it is,” Hansen said. “It’s easier than hacking websites. Also ad space doesn’t cost them anything. If they hack a website, they’ll likely get busted, therefore it’s more costly to them.”

Risks of Third-Party Ad Content Hosting

Ad networks and RTB are built for speed, for efficiency. As a result, not many of them want to host ad content on their servers. Many of them allow for third-party content to be pulled into an ad, fulfilling a desire for rich online ad displays. While that’s fine for legitimate ads, hackers are doing it too, pulling in malicious Flash Player files or JavaScript from a third-party server they own. Those files often don’t require user interaction to trigger an exploit; just landing on the page with a vulnerable version of Internet Explorer, Firefox, Chrome or any browser will result in an invisible redirect to another site hosting an exploit kit. That kit will then drop whatever payload the hacker desires, be it a banking Trojan, click-fraud malware or even ransomware.

“In Q4 (2014), we saw Cryptowall variants moving through malvertising,” said Rahoul Kashyap, chief security architect at Bromium. “In the last three to five months, it’s not been widespread, but definitely seeing a lot more infections, which is kind of odd. It’s counterintuitive, a bold move from attackers. Ransomware is the opposite of traditional malware, which wants to be stealthy. With ransomware, you pay or they clean out your system. Their use of ransomware shows they’re making money.”

As a counter, WhiteHat’s Hansen says users can always choose to block ads in the browser through a number of extensions provided by browser makers or third-parties. The number of users who do, however, is relatively small.

“The first thing [ad networks should do] is not allow those rich types of ads unless they have all the code on your site and you can prove it’s only doing what it says it does,” Hansen said. “Don’t allow redirects, and don’t allow it to run code.”

Michael Tiffany, coufounder and CEO of security company WhiteOps, said reputation systems similar to what’s available with website and email integrity could be applied toward malvertising to stem its growth.

“There’s tremendous market pressure to automate everything; the better job you do there, the faster the growth,” Tiffany said. “The open question is how do you provide the maximum amount of openness for innovation and automation that excludes the bad guys? The path from here to there looks to be about reputation systems. If there is a good reputation system built into the marketplace where if you try 999 malware attempts that don’t work, the 1,000th won’t be taken either and you’ll be banned. You won’t purge all vectors, but it has to just prevent these attacks from succeeding at scale. I’m optimistic we’ll get there.”

Malvertising Isn’t Just for Click-Fraud Anymore

Major websites have been identified as hosting malvertising, cutting a wide swathe across the Internet, including big news and entertainment sites, search engines and many more. The scale at which campaigns can ramp up is undeniable–if hackers so choose. Their profits from these campaigns too are not limited to click fraud, which until the last six to nine months has been the most damaging outcome of malvertising forays.

Almost all campaigns lead to exploit kits, and some kits such as Angler are rigged with ransomware that can force users to cough up a few hundred dollars via Bitcoin to regain control of their machines, or worse, unlock files encrypted by the malware. Invincea, for example, told Threatpost it has discovered that malvertising displaying on popular real estate resource Zillow.com was recently redirecting users to sites hosting Cryptowall ransomware.

The stakes got even higher last October when Invincea uncovered an APT campaign it called Operation DeathClick, where malvertising crossed over into the realm of state-sponsored targeted attacks against the defense industrial base. Operation DeathClick’s brand of malvertising was precise, targeting victims based on a long list of characteristics, including user-agent strings such as versions of Flash, operating system, Java and browser; cookie-based, content-related interests; and geography and corporate-based IP address ranges in order to target specific industries, companies and individuals.

Bromium’s Kashyap said his company’s sensors have seen ads pushing rootkits, in addition to Trojans, ransomware and Bitcoin-mining malware.

“RTB has made it easier for malware authors to target individuals,” Invincea’s Belcher said. “Before RTB, you had to compromise the ad delivery network. Now, you not only win bids and place ads, you can use the same platform to pinpoint and target anyone you want.”

Business Incentives to Stop Malvertising

Ad networks, meanwhile, have a business incentive to step up and curb the spread of malvertising. Blocking ads or ads from networks is often a last resort, and while it’s much easier to blacklist known dropper sites hosting exploits, those are burned so quickly by hackers that it’s really not a feasible option either.

“There are ad bidding networks found on Blue Coat’s proxy block list, and that’s bad mojo for an ad network,” said Belcher. “Once you’re blocked there, you can’t deliver ads to the corporate environment. If the ad network is so notorious and it’s been blocked, it’s bad for business. It’s the ultimate retribution that happens if you’re delivering malware too often.

“They have an incentive to be as clean as possible,” Belcher said. “The easy way is to host your own content, but most ad exchanges don’t want to invest in creating their own storage. The biggest control and the best way to make this go away is when advertising exchanges approve new users and content, the content should be hosted at the ad exchange, and not be delivered via third-party hosting. It’s how hackers are able to deliver their own content. That’s the best and fastest way to reduce malvertising.”