A surge in malware disguised as online advertisements aimed at unsuspecting web users has hit major U.S. military contractors in the past few weeks, marking a dangerous twist on a decade-old scourge for advertisers, security researchers said on Thursday.
Researchers from Fairfax, Virginia-based security software company Invincea said they had documented new uses of so-called "malvertising" to carry out highly-targeted cyber espionage campaigns against three firms in the military-industrial arena.
Malvertisements lurk behind banner ads and videos, delivering hidden code via ad networks to consumers and business users browsing the web. They exploit the automated dance that takes place in the blink of an eye between advertisements and web pages, every time a user lands on an ad-supported web site.
Data security breaches now regularly hit high-profile businesses such as banks and retailers, leaving millions of consumers vulnerable to identity theft and financial fraud. But research into malvertising has revealed how cyber-criminals and spies can use the marketing industry's latest tools to pinpoint high-value targets.
Invincea researchers said the goal of the intrusions appeared to be the theft of military secrets or intellectual property rather than click-fraud or bank account phishing. They noted that some of these companies are producing technology for use in combat zones.
"In the past, we have seen organized cyber crime learn attack techniques from advanced nation state actors," Invincea Chief Executive Anup Ghosh said, using industry parlance for cyber spies. "This is a case where advanced state actors would be learning from cyber crime in terms of methods and tactics."
Invincea researchers said that in the last two weeks of September they had detected up to six malvertising attacks that targeted one aerospace contractor and saw similar attacks against two other military contractors.
They declined to speculate on who or where these specific cyber-attacks originated, focusing instead on how they worked.
What is clear is that perpetrators are turning to the demographic targeting tools available to any online marketer, taking advantage of real-time advertising bidding networks, which work like stock exchanges for marketers, to place malware-laced ads that target specific organizations or audiences.
Invincea said they thwarted the attacks but declined to name the targeted firms. It will provide forensic evidence in a report it plans to publish on its website at http://www.invincea.com/ on Friday.
ADWARE MEETS SPYWARE
Malvertising sprang up as a way to make easy money by installing malicious code on computers that redirected the infected machines to web sites to earn cash from advertising click fraud or to steal bank accounts. Researchers from several security firms have detected a malvertising surge this year aimed at consumer and business users.
Victims can be targeted based on their interests in certain news sites, or online poker or stock forums, Invincea researchers said. Browser cookies can be used to target users with specific tastes in handbags or luxury holidays.
Perpetrators can set up a corporate front to deliver normal ads, then swap landing pages from time to time for malicious code. They place these ads on advertising exchanges and bid up prices for placement on sites that its targets are known to visit, based on what they glean from these intended victims' advertising profiles.
Malvertising sites are typically online for less than four hours, before they are deleted, making it nearly impossible to keep track of new vulnerabilities, Invincea said.
The Invincea study found these vulnerabilities in most online advertising networks. "Any real-time ad bidding service that allows for automatic redirection is inherently insecure," said Pat Belcher, who heads Invincea's security analytics team, which conducted the forensic research. "It is across the board."
The evolution of malvertising into a toolkit for spies raises the stakes for the online advertising industry, which cyber experts say has failed to protect Web site customers and their users by weeding out fake advertisers who exploit the instantaneous nature of Web ad delivery to defeat most existing anti-malware tools.
Three major advertising organizations in the United States said last month they would team up to fight ad fraud, malware and piracy. An independent body is being set up to monitor nefarious actions.
"Criminal activity threatens to erode trust in the digital ecosystem," Randall Rothenberg, chief executive of the Interactive Advertising Bureau said. "It is time that publishers, marketers and agencies stand together to combat these dangerous forces as a unified entity."
Digital marketers are projected to spend $140 billion globally this year, with that growing to an estimated $214 billion by 2018, which would represent nearly one-third of all media ad spending, according to market research firm eMarketer.
By undermining consumer trust, the attacks imperil the vast number of web sites which fund themselves by running online ads alongside their own content to keep their sites free to users.
"Ad delivery networks today are not incentivised to address the problem in a credible manner as they derive revenue from the criminal enterprise," the Invincea report states. "Turning a blind eye to the problem is rewarded economically," it said.
(Additional reporting by Jennifer Saba in New York; editing by Jim Finkle and Jane Merriman)