Is that ad you see on your favorite website a real ad, or a booby-trapped ad placed there by cybercriminals to infect you with a virus?
Buying ads on popular websites is quickly becoming the favorite way for cybercrooks trying to hit as many victims as possible with malware that holds computers for ransom, or steals people's banking credentials. In the last few months alone, security firms have caught campaigns serving malicious ads—also known as "malvertising"—on websites like Yahoo, the Huffington Post, YouTube and eBay, among others.
Malvertising is booming. In the first six months of this year, there have been 260 percent more reported campaigns using malicious ads than in the same period in 2014.
If you read the technical reports on some of these malvertising campaigns, it's clear why they are so popular: they are dirt-cheap.
The latest malvertising campaign discovered on the dating site Match.com, for example, cost only $0.36 per 1,000 targeted users. Another one abusing the site of the New York Daily News only cost the hackers $0.45 per 1,000 ads. One targeting Huffington Post cost $2.31.
That's "nothing compared to how much infected computers can bring in terms of revenues," Malwarebytes researcher Jerome Segura, who's been studying malvertising for months, wrote in a blog post.
"Keep in mind that you also only pay for ads that are actually shown (RTB) so there's no wasting your ad budget," Segura told Motherboard in an online chat.
If one of these ads ends up infecting a victim with ransomware, a type of malware that encrypts the user's data and demands payment to unlock it, and the victim bites the bullet and pays, it could net the cybercrooks about $500, Segura notes. (It's not uncommon for victims to pay out of desperation. A recent study found that 13 percent of ransomware victims end up paying.)
For the sake of argument, let's do the math. Say criminals buy 1 million ad impressions serving ransomware. At $0.50 per 1,000 impressions, the whole campaign costs them just $500. If only 1 percent of the targeted users (10,000 people) pay a ransom of, say, $100, the criminals earn $1 million.
So in this theoretical scenario, with an investment of $500, the criminals rack up $1 million.
Moreover, as Segura put it in another blog post, malicious ads are a "silent killer" because they normally "do not require any type of user interaction" to infect the victims: simply loading the page that carries the ad is enough. And criminals can target millions of users indiscriminately through ads on popular sites like Yahoo, or choose precisely whom they want to infect using the ad network's own targeted advertising features.
"You can leverage the ad platform to only target the population of interest: location, age, [Operating System] type, browser type, etc," Segura told me. "To my knowledge there's no better tool than what marketers are using."
Of course, it'd be even cheaper to infect people using a hacked site, security expert Graham Cluley told Motherboard in an email. That costs nothing, but you need to find an insecure website to breach, and popular sites like Yahoo aren't that easy to compromise.
"The advantage of going the semi-legitimate 'malvertising' route to get your malicious code out in front of the masses is it means that there may be many legitimate sites that aren't insecure carrying your pox-ridden ads," Cluley said.
As long as the economics of malvertising are so skewed in favor of the cybercriminals, and websites outsource their ads to third party marketing firms that don't care about security, malvertising will continue to boom.