The malvertising problem and how to protect yourself against this common online threat

A basic breakdown of the malvertising problem, worded in plain language for the 99%. My hope is to help everyone understand the threats lurking on the Internet in the most obvious places...


Perusing my home firewall, I came across an alert rated "critical". It was alerting me to a blocked attempt to compromise one of my devices. Given recent news like this ad fraud scheme, my interest was piqued. Practicing my commitment to curiosity, I decided to dig into exactly what happened.

This is a rookie breakdown of malicious redirection and the malvertising problem, worded in plain language for the 99%. My hope is to help everyone understand the threats lurking on the Internet in the most obvious places. By the end of this blog, you should understand some of the basic risks you face as an everyday Internet user and the steps you can take to better defend yourself.

How I found out about this attempted attack


First up, an alert rated "critical" in my home firewall. Flagged as malicious redirection, this was an attempted attack leveraging obfuscation. By clicking into the logs, I was able to see that it was a Bitly link that was attempting to redirect me to a malicious URL. I'm not one to click cloak-and-dagger-type links, which made me even more curious about where I came across this URL and on which device.
By drilling further into my logs, I could see that the URL hidden behind the Bitly link revealed more about the payload:

  1. It was a malicious HTML file with a header title of "Loading..."
  2. It contained a JavaScript block that began with a function, followed by doubletstablesllc[.]com with a "?js=" string attached
  3. This event occurred on my personal network, which helped me narrow down attribution to one of my personal devices

Spear phishing is here to stay - know your risks


I post a lot and speak a lot about my passion for equestrian sports. I clicked the link because it looked like something that interested me. Unlike regular phishing attacks, designed to cast a large net (a quantity vs quality attack), spear phishing attacks are designed to be more relevant to the target audience (a quality vs quantity attack).


Unfortunately, spear phishing attacks have become easier with the latest tools and a bit of online research. Many of the tools and data collection techniques used by legitimate marketers and advertisers are also used (and abused) by cyber criminals.


Understand your risk factors:

1. How much information you expose to the public or to third party data processors. If you want to post on the Internet, limit your attack surface: make your accounts private, don't willingly disclose information you don't need to, and mask things like your email address before sharing it.


2. Your online shopping habits. Do you frequently shop on unknown sites or via digital advertisements (example: search ads, social media ads)? If you see an advertisement that interests you but you aren't familiar with the brand or website, do not click on the ad. Do a quick search (preferably via DuckDuckGo) and find the company website at a URL you can trust. A legitimate company will generally honor a deal or discount it advertised elsewhere.

3. Your demographics. Did you know that many scammers and less sophisticated cyber actors tend to prey on more vulnerable populations? They have been known to seek out people with less education, older populations, and other groups whose key indicators suggest less digital expertise than their peers. The old adage of "you don't have to be faster than the bear - you just have to outrun the person next to you running from the bear" unfortunately rings true all too often in cyberspace.

One woman's tool is another woman's weapon


In this specific attack, the root URL was an equestrian-related URL, but the firewall had caught the fact that after the .com there was a "?". That character begins a URL's query string, the part of the address advertisers use to carry tracking parameters. Marketers call the most common ones "UTMs" (Urchin Tracking Module parameters such as utm_source, utm_medium and utm_campaign), and I encourage you to delete them before sharing a link with anyone, ever.


UTMs are a way for companies to collect all different types of data points on user actions in order to prove the effectiveness and ROI of marketing and advertising efforts. They allow almost unlimited data collection, since each parameter is a "name=value" pair and both the name before the "=" and the value after it are entirely up to whoever crafts the link. The standard UTM fields record where a link was shared (source), how (medium), which campaign it belongs to, and which keyword or creative it came from (term, content). Analytics platforms then join those fields with what the browser reveals on its own: device type, browser, operating system, and approximate location.
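A small script that removes tracking parameters from a link while leaving the parameters a page actually needs. This is an added example written for this post, not code from the original article; the list of tracker names and the "utm_" prefix rule are assumptions drawn from common marketing parameters, and the sample URLs are constructed.

```python
"""Strip advertising/tracking parameters from a URL while keeping the
parameters the destination page actually needs.

Added example for this post, not code from the original article. The
tracker names below are an assumption (common marketing/click identifiers);
extend the set for your own needs.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Exact parameter names that exist only for attribution/click tracking (assumed list).
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid",
    "igshid", "yclid", "twclid", "_hsenc", "_hsmi",
}
# Prefixes that mark a whole family of tracking parameters (utm_source, utm_medium, ...).
TRACKING_PREFIXES = ("utm_",)


def is_tracking_param(name: str) -> bool:
    """True if a query-string key is an attribution/tracking parameter."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking(url: str) -> str:
    """Return url with tracking parameters removed; every other parameter survives.

    The query string is parsed into (key, value) pairs rather than chopped
    at the first '?', because many sites need a parameter to function
    (a video id, a search term, a product page). The fragment is kept too.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample links: one where the '?' carries only trackers, one where it
    # also carries the video id the page cannot work without.
    for sample in (
        "https://example.com/article?utm_source=newsletter&utm_medium=email&fbclid=abc123",
        "https://www.youtube.com/watch?v=dQw4w9WgXcQ&utm_campaign=spring&gclid=xyz",
    ):
        print(sample, "->", strip_tracking(sample))
```

Run it and compare the second sample with what a blanket "delete everything after the ?" rule would produce: the video id is the part you need, the utm_ and gclid parameters are the part you don't.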


In this particular link my firewall alerted me to, where you'd expect tracking variables, there was instead a line of JavaScript. Luckily, the policy in my firewall judged this link as "suspicious" and took the pre-configured action to "drop" the connection. The result was an alert rated "critical" which pointed me to a log containing all the information I described above.

The malvertising problem


These types of spear phishing attacks require a layered approach to personal cybersecurity. No matter how many books I read, how many courses I take, or how many years of experience I gain, I am still a fallible human.


The hard thing about playing defense is that you have to rely on a number of sources to come to the most truthful conclusion about what transpired. In this case, I had to rely on my firewall to catch the link and proactively block it, my logs to record the details, my alert configuration to surface the issue, my memory of an odd social media experience to tie it all together, and consulting with another human to help me navigate this terrain.

Personal cybersecurity should not be this complicated. But don't worry – this blog is just the beginning.

What's malvertising?


Malvertising is when cyber criminals run malicious advertising designed to look legitimate, in places such as digital advertising networks and popular search engines.

How do malvertisements work?


Common malvertisements in the wild have been observed using the following attack methods:

  1. Using legitimate domains in malicious ads - one of the first habits basic cybersecurity training teaches is to look carefully at any URL before clicking. However, the latest warning from the FBI points out that some ads placed on popular search engines appear to be legitimate. You're better off finding an organic link in the search results than clicking an ad that could be hiding malicious intent.
  2. Domain squatting (typosquatting) - when the cyber actor registers a domain that looks similar to a real one or is off by only a few letters, or swaps in lookalike characters such as a "1" for an "l" or a "0" for an "o". The mind's eye is trained to skim text without digesting each individual letter. Attackers know this from the same disciplines, like psychology, that study human perception, and they use it to exploit the weakest link in the cybersecurity chain: the human.
  3. Obfuscation - like the example I explained above, attackers can abuse link shorteners or create deceptive links that may look harmless but lead to a malicious location or trigger a malicious event.
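A link checker that looks for the three tricks in the list above: a typosquatted or lookalike domain, a link shortener that hides the real destination, and a query string carrying code instead of tracking values (the pattern from the "?js=" link earlier in this post). This is an added example for this post, not the author's firewall rule or any vendor's logic; the trusted-domain list, the shortener list, the edit-distance threshold and all sample URLs are assumptions constructed for illustration.

```python
"""Heuristic link assessment for the three malvertising tricks described above.

Added example for this post. TRUSTED_DOMAINS, SHORTENER_HOSTS and the
distance threshold are assumptions; tune them to the brands you care about.
"""
import re
from urllib.parse import unquote, urlsplit

# Brand domains the reader trusts (assumed sample list; a tuple keeps result order stable).
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com", "amazon.com", "chase.com")
# Hosts known to shorten or redirect links (assumed sample list).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Fragments that indicate a script, not a tracking value, is riding in the URL.
CODE_PATTERNS = re.compile(r"javascript:|<script|function\s*\(|eval\s*\(|\.location\s*=", re.I)
# Lookalike swaps attackers rely on the eye to skim past (digit/letter confusables).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for this sample list; a real tool would consult the public
    suffix list so that e.g. amazon.co.uk is handled correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


def assess_link(url: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)

    if domain in SHORTENER_HOSTS:
        findings.append("link shortener hides the destination")
    elif domain not in TRUSTED_DOMAINS:
        # Labels to the left of the registrable domain: "paypal.com.evil.example" -> ["paypal", "com"]
        left_labels = host.split(".")[:-2]
        normalized = domain.translate(HOMOGLYPHS)   # paypa1.com -> paypal.com
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in left_labels:
                findings.append(f"trusted brand '{brand}' used as a subdomain of {domain}")
            elif edit_distance(normalized, trusted) <= 2:   # threshold is an assumption
                findings.append(f"lookalike of {trusted}")

    # Decode %-escapes first so "function()%7B..." is inspected as "function(){...}".
    decoded = unquote(parts.query + " " + parts.fragment)
    if CODE_PATTERNS.search(decoded):
        findings.append("code in query string")
    return findings


if __name__ == "__main__":
    # Constructed sample links, one per trick plus a clean control.
    for sample in (
        "https://bit.ly/3abcXYZ",
        "https://www.paypa1.com/login",
        "https://paypal.com.secure-login.example/",
        "https://equestrian-news.example/post?js=function()%7Bwindow.location%3D'https://bad.example'%7D",
        "https://www.paypal.com/signin",
    ):
        print(sample, "->", assess_link(sample) or ["no findings"])
```

The checker only reads the URL; it never fetches it. Expanding a shortened link to see where it really goes is a separate step, and the safe way to do it is with a tool that follows redirects without executing the page, not by clicking.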

How to improve your personal security posture

  • Implement a home firewall – what you get out-of-the-box from your internet service provider (ISP) is not good enough.
  • Type in URLs directly into your browser instead of clicking on them - especially if you are intending to go to a login page or click through to an enticing email offer
  • If you have to click a link, make sure to check for anything suspicious - like typos
  • Remove tracking parameters from a link before clicking or sharing it. The "?" in a URL starts the query string, and in advertising links that is where the trackers live (utm_source, utm_campaign, fbclid, gclid and friends). Removing those parameters changes nothing except the backend data collection. Don't blindly delete everything after the "?", though: some sites put the thing you actually asked for there (a video id, a search term, a product number), so strip the tracking names and keep the rest.


A layered security approach can help you better secure your digital life.

Shields up.