Why your agency needs to worry about ‘malvertising’

‘Malvertising’ takes a little snippet of JavaScript and loads an exploit kit to your local machine. (Credit: iStock)


Any federal workers taking breaks from their jobs to visit mainstream news websites may be susceptible to exploitation kits just by loading the page, according to a new report from Cisco Systems.


The company released its 2014 Midyear Security Report Tuesday, which focuses on a number of low-key, low-risk vulnerabilities that hackers are using to exploit systems and access data.

Levi Gundert, the technical lead for Cisco’s threat research, analysis and communications team, said cybercriminals are purchasing last-minute ad packages in the hopes that their kits — which may only show up every 100 or 1,000 ad impressions — make it through the exchange’s security measures.

Malvertising then takes it one step further: Even hackers know clickthrough rates for online display ads are infinitesimal, so the exploit kits do not require the user to actually click on an ad.

“You load the page, the ad is loaded with it and you are instantly redirected because it contains either an iFrame or some JavaScript that says ‘redirect browser,’ and that address is an exploit kit landing page,” Gundert said. “It’s completely transparent to the user. If they haven’t patched their applications, if they haven’t patched Windows, haven’t patched their browser, they’re instantly exploited.”

The malvertising also takes advantage of Internet users’ unfamiliarity with the maze of ad networks that mainstream sites partner with, making it virtually undetectable to the average user’s eye.


“Folks don’t understand the risk, they don’t understand how it works,” Gundert said. “They don’t understand that when you go to, they have hundreds of external relationships with parties off the site — content delivery networks, advertising exchanges — that’s the primary mechanism that’s feeding the redirection.”
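The mechanism Gundert describes is a page that pulls active content (scripts, iframes) from dozens of off-site ad and CDN partners, any one of which can redirect the browser. One defensive check a security team can run on its own pages is to inventory every third-party origin that is allowed to execute or frame content and flag anything not on a known list; the same inventory is what you would use to write a Content-Security-Policy that limits which origins may load scripts and frames. The Python below is an added example, not code from the article or from Cisco's report; the HTML page and all hostnames in it are constructed for illustration, and the allowlist is an assumed input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party news site that embeds several
# third-party resources. One iframe points at an ad exchange the site's
# security team has never reviewed. All hostnames are made up.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example-news.com/app.js"></script>
<script src="https://cdn.known-cdn.example/jquery.js"></script>
</head><body>
<iframe src="https://ads.unknown-exchange.example/serve?slot=1"></iframe>
<img src="https://static.example-news.com/logo.png">
<script src="//tracker.third-party.example/t.js"></script>
</body></html>
"""

FIRST_PARTY = "example-news.com"                     # assumed: the site being audited
ALLOWED_THIRD_PARTIES = {"cdn.known-cdn.example"}    # assumed: reviewed partners


class ActiveContentCollector(HTMLParser):
    """Record (tag, host) for every element that can run code or redirect the browser.

    Passive resources such as <img> are ignored: they cannot by themselves
    issue a top-level redirect the way a script or iframe can.
    """

    ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.ACTIVE_TAGS.get(tag)
        if attr_name is None:
            return
        src = dict(attrs).get(attr_name)
        if not src:
            return  # inline script or missing source: no remote origin to record
        # Scheme-relative "//host/path" URLs resolve to a host once a scheme is assumed.
        host = urlparse(src, scheme="https").hostname
        if host:
            self.found.append((tag, host))


def is_first_party(host, site):
    """True if host is the site itself or one of its subdomains (suffix match on a label boundary)."""
    return host == site or host.endswith("." + site)


def audit_active_content(html, site=FIRST_PARTY, allowlist=ALLOWED_THIRD_PARTIES):
    """Return sorted (tag, host) pairs for active content from unreviewed third parties."""
    collector = ActiveContentCollector()
    collector.feed(html)
    flagged = {
        (tag, host)
        for tag, host in collector.found
        if not is_first_party(host, site) and host not in allowlist
    }
    return sorted(flagged)


def build_csp(site, script_hosts, frame_hosts):
    """Build a Content-Security-Policy that permits scripts and frames only from listed origins.

    Every origin not named here is blocked by the browser, so an ad slot that
    tries to pull in a script or frame from an unlisted host simply fails to load.
    """
    scripts = ["'self'", f"https://*.{site}"] + [f"https://{h}" for h in sorted(script_hosts)]
    frames = [f"https://{h}" for h in sorted(frame_hosts)] or ["'none'"]
    return (
        f"script-src {' '.join(scripts)}; "
        f"frame-src {' '.join(frames)}; "
        f"object-src 'none'"
    )


if __name__ == "__main__":
    for tag, host in audit_active_content(SAMPLE_HTML):
        print(f"unreviewed third-party {tag}: {host}")
    print(build_csp(FIRST_PARTY, ALLOWED_THIRD_PARTIES, frame_hosts=set()))
```

The audit is static: it tells you which partners a page *declares*, not what those partners serve at runtime, which is exactly the gap malvertising exploits. That is why the second half turns the reviewed list into a CSP the browser enforces on every load, so a creative that tries to frame or script from an unlisted origin is refused regardless of which ad won the impression.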

While Gundert said he has had conversations with leading ad networks to solve the problem, it is crucial that agency chief information security officers and chief information officers take the time to plan for these exploits as workplace culture continues to change.

“So much [security] effort has been put on the perimeter,” he said. “There is no perimeter any more. We all work remotely, we all work on the go, we all work on the road and there are restrictions in government, but they are going to fade over time.”

WordPress problems?

The report also highlights a number of rising vulnerabilities, including exploit kits being used on popular content management systems like WordPress. Hackers are becoming particularly adept at cracking sites no longer used in order to have them “upload malicious binaries and use them as exploit delivery sites.”


“There are millions of installations and instances of CMS software and people don’t care about security, they just want to run the site,” Gundert said. “There are fundamental vulnerabilities in older versions, there are vulnerabilities in the third-party add-ons that [hackers] are exploiting.”

Java still hot — for hackers

Java exploits represented 93 percent of all incidents of compromise measured by the company, a 2 percent increase since Cisco’s last report.

“Java’s extensive attack surface and high return on investment are what make it a favorite for adversaries to exploit,” reads the report, which also says Microsoft Silverlight is a key target for Java exploits.

Can CISOs ever sleep?


The 50-page report, which covers a number of other vulnerabilities, is enough to give any seasoned cybersecurity official a reason to sweat. However, Gundert said the best way to defend against attacks is to expect them, no matter how prepared an agency may be.

“You can absolutely think about threats, you can inspect threats, you can expect that you are going to be compromised and really shorten that detection window,” Gundert said. “I think that’s where people need to focus. As a CISO, you sleep better at night knowing ‘Yes, this is a real attack, this is probably going to happen to us, but we have a very smart team in place and we are going to detect it and it’s going to be a really short remediation window.’”

You can read Cisco’s full report here.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.