A Brief History of Malvertising
We all know the story of the Trojan Horse and the accompanying moral that we should be wary of strangers bearing gifts. Well, the modern-day equivalent extends well beyond the trojans but still very much applies today. We’ve all been warned about accidentally infecting our computers with viruses and spyware, but one of the most pernicious yet lesser-known forms is malvertising.
The good news is that, today, there are a number of ways that website owners can take steps to prevent the aforesaid malvertisement from reaching us. What’s more, the most forward-thinking of online publishers are already taking steps to put layers of real-time protection and QA automation in place, which detects and blocks malvertisements for us.
Although, it must be said that it’s taken quite a while for us to reach this point. After all, the very first malvertising attack is thought to have been inflicted on the world back in 2007. It exploited a weakness in Adobe Flash and one of the high-profile sites it targeted was MySpace. While both of these names are now in the past, sadly, the same can’t be said of malvertising.
The very next year the online version of The New York Times showed that no-one was immune by publishing an ad that informed countless readers that their systems had picked up an infection. They hadn’t, of course, but by the time the readers were informed, the malvertisement had already managed to trick countless people into downloading harmful software onto their PCs.
By 2010, there was a positive avalanche of the malvertisements in several shapes and forms, with a staggering 3,500 sites estimated to have been affected. It was also the first time that so-called drive-by download malvertising was seen. In this case, Spotify was targeted.
Then, in 2013, The Los Angeles Times and Yahoo were infected. This was the largest attack to date and put the 7 million monthly visitors to the site at risk of downloading the infamous CryptoWall ransomware. In 2015, new types of sites were compromised including online dating services and even Google Adwords.
But this was all building up to a threat that put all others in the shade. Called Zirconium, it involved an estimated one billion malvertisements appearing over the year. These worked by using forced re-directs and counterfeit flash updates to take unsuspecting web-users to sites where frauds were committed, or malware was downloaded. The scale of this was so huge that, at some time or another, an estimated 62% of legitimate websites were affected.
The practice of malvertising continues to expand, with one of the latest techniques being to take over old and abandoned domains, as well as converting the computers of the unsuspecting into crypto-coin mining machines.
So, try as we might to eliminate the fraudulent practice, it certainly seems like malvertising is here to stay for the foreseeable future. But at least using the right QA automation and real-time protection can enable us to avoid it.
