Ad networks have been hit with a string of compromises in recent months, and according to a new report, many of the infections are making it through to consumers. A study published today by Cyphort found that instances of malware served by ad networks more than tripled between June 2014 and February 2015, based on monthly samples taken during the period. Dubbed "malvertising," the attacks typically involve sneaking malicious ads onto far-reaching ad networks. The networks deliver those malware-seeded ads to popular websites, which pass them along to a portion of the visitors to the site. The attacks typically infect computers by exploiting vulnerabilities in Adobe Flash, usually triggered as soon as an ad is successfully loaded.
Cyphort measured the problem by sampling Alexa's top 100,000 most-visited domains and counting how many of the domains served an infected ad during a visit. It's just a random sampling, since a given visitor will only see a fraction of the total ads served by a site, but the results show a clear upward trend in malware activity on ad networks. The biggest jump came in August, at the same time as a large infection served by Google's DoubleClick ad network.
Even at the peak, the numbers are still less than half a percent of the total sample — just 407 domains out of 100,000 — but researchers are still troubled by the upward trend, which looks to have continued through this year. Earlier this month, Jerome Segura at Malwarebytes discovered infections in both Yahoo's ad network and a separate network serving ads to the dating site PlentyOfFish. Segura says Cyphort's findings match what he's seen. "I think the rise in malvertising really started last fall and can be synced with the Flash Player debacle and the ensuing slew of zero-days," he says. "Ad blockers are a short term solution but the core of the problem are software vulnerabilities which can be triggered in various ways that go beyond malvertising."
Unfortunately for Cyphort, criminals switched tactics in February, adding new measures to avoid detection and cutting the company's data set short. Cyphort research director Nick Bilogorskiy points to an update in the popular Angler exploit kit, which let the bulk of malvertisers drop off the company's scans. "It was absolutely to avoid security measures," Bilogorskiy says. Cyphort has changed tactics too, but the shift makes a pure apples-to-apples comparison difficult after February of this year. Still, if the Yahoo and PlentyOfFish breaches are any indication, ad-served malware is still a serious problem, and one networks are struggling to keep in bounds.