
Searching for: malvertising


BEST PRACTICES: How to protect yourself from the enduring scourge of malvertising

By Byron V. Acohido

Malvertising is rearing its ugly head – yet again. Malicious online ads have surged and retreated in cycles since the earliest days of the Internet. Remember when infectious banner ads and viral toolbars cluttered early browsers?

Related: Web application exposures redouble

Historically, with each iteration of malicious ads, the online advertising industry, led by Google, has fought back, and kept this scourge at a publicly acceptable level.

However, malvertising has never been as dynamic, stealthy and persistent as it is today. Here’s what you should know about this enduring online threat:

Gaming the ecosystem

Malvertising has become enmeshed in the highly dynamic online advertising, shopping and banking ecosystem we’ve come to rely on. It has accomplished this by leveraging the openness of the browsers on our go-to computing devices, namely our smartphones and PCs.

Malvertising code often circulates in tiny iframes, the HTML element that enables objects to appear on a webpage without changing the page. This bad code comes and goes, circulating to even well-known, high-traffic websites as part of the flow of web ads being placed dynamically by the online advertising networks, of which Google is the largest.

Malvertisers game this ecosystem in several ways. There are endless ways for them to hack into websites and ad networks directly. Doors and windows are left wide open in the software applications being rapidly developed to support a swelling army of third-party contractors who supply shopping cart services, data management platforms, retargeting enablement systems, and the like.

“The bad guys are insinuating their malicious code as part of the code that renders on the victim’s device during fulfillment,” says Chris Olson, CEO of the Media Trust, a McLean, VA-based website security vendor. “If you visit a large retail website, you may encounter 100 or 150 third party companies that get access to your computing device. For the most part, no one is really thinking about the security of all of … more

NEW TECH: SlashNext dynamically inspects web page contents to detect latest phishing attacks

By Byron V. Acohido

Humans are fallible. Cyber criminals get this.

Human fallibility is the reason social engineering has proven to be so effective – and why phishing persists. Consider these metrics from messaging security firm Proofpoint:

• Email-based corporate credential phishing attacks quadrupled in Q3 2018 vs. the previous quarter.

• Web-based social engineering attacks jumped 233% vs. the previous quarter.

• 99% of the most highly targeted email addresses in the quarter didn’t rank as such in the previous report, suggesting that attackers are constantly shifting targets.

What’s more, a study by antivirus vendor Webroot found that more than 46,000 new phishing sites go live each day, with most disappearing in a few hours. And a recent survey conducted by SlashNext, a Pleasanton, CA-based supplier of advanced antiphishing systems, revealed that 95% of IT professionals underestimate phishing attack risks. This holds true even though nearly half the respondents reported their organizations experience 50 or more phishing attacks per month, with 14% experiencing 500 phishing attacks per month.

It’s not as if companies and cybersecurity vendors have been sitting on their hands. Vast resources have been directed at filtering emails – the traditional delivery vehicle for phishing campaigns – and at identifying and blacklisting webpages that serve as landing pages and payload delivery venues.

So quite naturally, cyber criminals have shifted their attack strategies. They are pursuing fresh vectors and honing innovative payload delivery tactics. The bad guys are taking full advantage of the fact that many companies continue to rely on legacy defenses geared to stop tactics elite phishing rings are no longer using.

I recently had an eye-opening discussion about this with Jan Liband, SlashNext’s chief marketing officer. Here are the key takeaways from that interview:

Unguarded vectors

By now, most mid-sized and large enterprises have a secure email gateway that’s highly effective at filtering out 80%-95% of phishing emails. So phishers have moved on to comparatively unguarded vectors: social media channels, … more

MY TAKE: ‘Cyberthreat index’ shows SMBs recognize cyber risks — struggling to deal with them

By Byron V. Acohido

Small and midsize businesses — so-called SMBs — face an acute risk of sustaining a crippling cyberattack. This appears to be even more true today than it was when I began writing about business cyber risks at USA TODAY more than a decade ago.

Related: ‘Malvertising’ threat explained

However, one small positive step is that company decision makers today, at least, don’t have their heads in the sand. A recent survey of more than 1,000 senior execs and IT professionals, called the AppRiver Cyberthreat Index for Business Survey, showed a high level of awareness among SMB officials that a cyberattack represents a potentially devastating operational risk.

That said, it’s also clear that all too many SMBs remain ill equipped to assess evolving cyber threats, much less effectively mitigate them. According to the Cyberthreat Index, 45 percent of all SMBs and 56 percent of large SMBs believe they are vulnerable to “imminent” threats of cybersecurity attacks.

Interestingly, 61 percent of all SMBs and 79 percent of large SMBs believe cyberhackers have more sophisticated technology at their disposal than the SMBs’ own cybersecurity resources.

“I often see a sizable gap between perceptions and reality among many SMB leaders,” Troy Gill, a senior security analyst at AppRiver, told me. “They don’t know what they don’t know, and this lack of preparedness often aids and abets cybercriminals.”

What’s distinctive about this index is that AppRiver plans to refresh it on a quarterly basis, going forward, thus sharing an instructive barometer showing how SMBs are faring against cyber exposures that will only continue to steadily evolve and intensify.

I had the chance at RSA 2019 to discuss the SMB security landscape at length with Gill. You can give a listen to the entire interview at this accompanying podcast. Here are key takeaways:

Sizable need

AppRiver is in the perfect position to deliver an SMB cyber risk index. The company got its start in 2002 in Gulf … more

MY TAKE: What ‘fake news’ really is: digital disinformation intended to disrupt, manipulate

By Byron V. Acohido

President Trump’s constant mislabeling of mainstream news reports he doesn’t appreciate as “fake news” has done much to muddle the accurate definition of this profound global force – and obscure the societal damage this rising phenomenon is precipitating.

Related: The scourge of ‘malvertising’

Fake news is the willful spreading of disinformation. Yes, much of political propaganda, as practiced down through the ages, fits that definition. But what’s different, as we approach the close of the second decade of the 21st century, is that it is now possible to pull the trigger on highly-targeted, globally-distributed disinformation campaigns – by leveraging behavior profiling tools and social media platforms.

Like seemingly everything else these days, this is a complex issue, and it takes effort to decipher the bottom line. Here are three things it is vital for every concerned citizen to grasp about disinformation campaigns in the digital age.

Fake news is scaling.

There are plenty of factual articles about how “fake news” influenced the 2016 U.S. presidential election. What many citizens still don’t realize is that this was just one of the major elections jarred by this potent variant of disinformation spreading. This includes England’s Brexit vote and very recent cases in Brazil and India, where disinformation campaigns fueled some tragic outcomes.

In the 2016 US elections, Russia targeted Facebook users to receive incendiary ads and bogus stories, and used botnets to facilitate intelligence gathering and distribution. And human “supersharers” – mostly Republican women older than the average Twitter user – got into the act, as well, Tweeting stories from ideological websites at a furious daily pace, according to a study by Northeastern University in Boston.

Meanwhile, in January 2016, during the heat of the presidential contest, some 39 percent of Trump’s Twitter followers were faked. A tally by Twitter Audit showed Candidate Trump with 22.7 million Twitter followers – 16.6 million real, and 6.1 million fabricated.

Fast forward to Brazil’s presidential … more

NEW TECH: SyncDog vanquishes BYOD risk by isolating company assets on a secure mobile app

By Byron V. Acohido

The conundrum companies face with the Bring Your Own Device phenomenon really has not changed much since iPhones and Androids first captured our hearts, minds and souls a decade ago.

Related: Malvertising threat lurks in all browsers

People demand the latest, greatest mobile devices, both to be productive and to stay connected to their personal lives. But big organizations move methodically and in general struggle mightily when it comes to balancing productivity and security. This has led to the BYOD dilemma cycling afresh with each advance of the technology, which is what it’s doing right now.

SyncDog, a Reston, VA-based startup, has jumped into the mobile security space to help companies get a firmer grip on their BYOD exposures. I had the chance to sit down with SyncDog’s founder and CEO, Jonas Gyllensvaan, along with its Chief Revenue Officer, Brian Egenrieder, at RSA 2019.

They dissected the historical context, and conveyed some fresh insights about the societal drivers that make BYOD such a mercurial operational challenge. A full drill down is worth a listen, and is accessible via the accompanying podcast. Here are a few key takeaways:

Alphabet soup

When the initial wave of employee-owned iPhones, Androids and Blackberries began turning up in workplace settings, companies reacted by turning to MDM (mobile device management) service providers to handle the inventorying and provisioning of these new endpoints. MDM enabled administrators to oversee smartphones much like desktop PCs.

Soon, the MDMs added password protection and remote wiping capabilities to enable security staff to remotely “brick” a company device gone missing: destroy all apps and files, including any personal data. That was fine – until employees revolted.

MY TAKE: 3 privacy and security habits each individual has a responsibility to embrace

By Byron V. Acohido

Would you back out of a driveway without first buckling up, checking the rear view mirror and glancing behind to double check that the way is clear?

Consider that most of us spend more time navigating the Internet on our laptops and smartphones than we do behind the wheel of a car. Yet it’s my experience that most people don’t fully appreciate the profound risks they face online and all too many still do not practice simple behaviors that can dramatically reduce their chances of being victimized by malicious parties.

Related: Long run damage of 35-day government shutdown

Why we’re in the ‘Golden Age’ of cyber espionage

The fact is cyber criminals are expert at refining and carrying out phishing, malvertising and other tried-and-true ruses that gain them access to a targeted victim’s Internet-connected computing device. And the malware that subsequently gets installed continues to get more stealthy and capable with each advancing iteration.

This has become an engrained pattern in our modern digital world. A vivid illustration comes from Palo Alto Networks’ Unit 42 forensics team. Researchers recently flushed out a new variety of the Xbash family of malware tuned to seek out administrators’ rights and take control of Linux servers. This variant of Xbash is equipped to quietly uninstall any one of five popular types of cloud security protection and monitoring products used on such servers.

Targeting one device

The end game for this particular hacking ring is to install crypto currency mining routines on compromised Linux servers. But the larger point is that Xbash is just one of dozens of malware families circulating far and wide across the Internet. Xbash gets rolling by infecting one device, which then serves as the launch pad for deeper hacking forays limited only by the attacker’s initiative.

To be sure, it’s not as if the good guys aren’t also innovating. Worldwide spending on information security products and services rose to $114 billion … more

GUEST ESSAY: On the floor at the Advertising Transparency & Trust Forum

By Ben Williams

On March 30, I walked across First Avenue in New York City toward the United Nations headquarters. For whatever reason, none of the 192 flags normally raised out front were flying. The white and turquoise marble building on the banks of the East River was impressive, nonetheless.

I was there to attend the inaugural meeting of the Advertising Transparency & Trust Forum, a cross-industry collaboration formed under the auspices of the University of Pennsylvania Wharton School. The forum was convened in reaction to tumult within the advertising ecosystem: fake news, ad viewability fraud, alleged kickbacks to ad agencies, malvertising and the ever-present rise in ad blocking among consumers. The outcome of the forum, though tentative, was encouraging—for both the online advertising industry and for consumers.

Related video: How companies can profit by returning privacy control to consumers

I was invited to the forum because I work for eyeo, a company that works to empower internet users while keeping the web fair and profitable. We’re best known for Adblock Plus. I attended to lend our user perspective. Other attendees included Procter & Gamble and other advertisers, Empower MediaMarketing and other agencies, the American Association of Advertising Agencies, the Association of National Advertisers, the Advertising Research Foundation, and a couple dozen other organizations ranging from publishers to brands to advertising agencies to academics.

As the title implies, these participants came because they wanted to improve trust and transparency around the ways that ad ecosystem participants interact. We discussed how the industry could create more trust among itself and use that to improve the ad ecosystem for consumers. Somewhere in that ecosystem are the ad blockers, which give users the ultimate power to shut down ads they find disrespectful or obnoxious.

Speakers at the forum included:

• Andrew Susman, co-chair of the Transparency & Trust Forum, and vice president of Empower MediaMarketing – New York.

• Michael Donahue, co-chair of … more