While malvertising is not a new tactic, cybercriminals are continuously looking for ways to deceive their victims and attract them to their malware. That’s exactly what they are doing when they place their malicious ads on distributed ad networks that appear on legitimate websites. When people visit these sites, they are under the belief that everything they are viewing can be trusted, but that is not necessarily the case. Malicious advertising was discovered on The New York Times website by SlashNext. The ad that appeared on The New York Times page was promoting a PDF viewing and conversion tool. If a reader clicked the link in the ad, they would be taken to a legitimate-looking page that provided further information about the product as well as a large green button labeled, “Download to Continue.” What most visitors do not catch is the inconspicuous pop up in the lower right-hand corner of the page that appears and reads “By clicking the button, you agree to install the Homepage & New Tab and agree to the EULA and Privacy Policy.” After the app is installed, a unique phishing page will appear on the victim’s browser. This page carries out behavior monitoring of the victim by commandeering search and browser functionalities. The app is also capable of running malicious third-party content. If people took the time to carefully read the End User License Agreement (EULA) and Privacy Policy, they would find that they agreed to allow all of this. The policy specifically states that they do not take responsibility for any third-party actions. So, in essence, people are being fooled into allowing themselves and their machines to become victims, while the malicious behavior is disguised as legitimate through an inconspicuous EULA.
Analyst Notes
It is important for companies to educate employees and make them aware of the risks behind unsanctioned downloads. Browser extensions and other software downloaded from the internet directly by end-users represent a risk to corporate network security. One effective policy for mitigating this risk is to provide a convenient way for employees to request software needed to perform their job functions and allocate sufficient funds and IT staff hours to quickly respond to employee requests. With this policy in place, employees can be prevented from installing any software through security controls, without causing disruption to the business. Employee accounts should never have administrator-level access to computer systems because malware that is introduced to systems by employee mistakes will run with the same access level as the employee’s account. Binary Defense Managed Detection and Response is capable of detecting attacker post-compromised events such as privilege escalation (gaining administrator access from a non-privileged account) and lateral movement, as well as many other attacker behaviors.
