There has been a marked increase in malware distribution campaigns in recent months using fake adverts that direct users to malicious websites where sensitive information such as login credentials or credit card numbers is collected, or malware is distributed. This tactic is called malvertising.

One of the most common types of malvertising is the creation of malicious adverts for software solutions, which are displayed when users search for software in search engines. The reason why software-related malvertising is effective is users are searching for a software solution, which means they will be expecting to download an installer. Software installers are executable files, and malware can be packed into the installers. When the installer is executed, the user will get the software they are expecting but malware will also installed in the background.

There are a variety of defenses against malvertising. Installing an ad blocker will prevent the adverts from being displayed, security awareness training should teach employees to always be wary of adverts and to hover their mouse arrow over the advert to show the destination URL and ensure that the URL matches the software being offered. Another important defense is a web filter, which will block access to the malicious sites that the adverts direct users to. Web filters such as WebTitan can also protect against Internet-based malware distribution that doesn’t use malvertising to drive traffic to malicious websites, and can also block downloads of executable files from the Internet for individuals or user groups.

For example, a campaign has recently been detected that uses booby-trapped websites that generate a fake web browser update warning. The websites have embedded JavaScript code which redirects users to an update page where they can apply important browser security updates. The user proceeds to download what appears to be a zip file that contains the updater; however, the updater is a JavaScript file that will launch PowerShell scripts that will download and execute a malware payload from the threat actor’s remote server. In this campaign, at least two malware payloads are delivered – the BitRAT remote access trojan and the Lumma Stealer information stealer.

Another browser update scam has been identified that involves tricking the user into copying, pasting, and executing a PowerShell command to protect their browser; however, the PowerShell command will deliver and execute malware.

While an ad blocker will block the malicious adverts in these campaigns, it will not block drive-by malware downloads and attacks that use email, SMS, and instant messaging services to distribute malicious links. WebTitan is a more comprehensive web security solution that has multiple curated threat intelligence feeds that block access to a malicious website for all WebTitan users within about 5 minutes of a malicious site being detected anywhere in the world. The solution will also block downloads of executable files and has an easy-to-implement and configure category-based filter, that allows businesses to block access to risky and/or non-work-related websites.

WebTitan adds an extra layer to your security defenses to protect against malware distribution and the web-based component of phishing attacks. Further, being a DNS-based filter there is no latency, and the solution can be used to protect devices on and off the network, with the latter possible by installing a roaming agent on mobile devices.

For further information on malvertising protection, web filtering, and DNS and URL filtering, give the TitanHQ team a call.