By Daniel Stirnimann and Serge Droz
Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.” So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.
Ads: enter through the hallway
Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful that drive-by is very scarce in Switzerland, hence the statement that “… .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the latter offer a backdoor though: ads! News sites in particular make most of their revenue by selling online ads, which explains the “ad-war” arms race between ad-blockers and news agencies (see our Security Report on anti-anti-ad features). A very common way in is malvertising, a term coined by William Salusky, who found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario, it has the same effect on the end user.
Most people would think that visiting a website just serves you content from that site, but this is not true for most of the large sites, in particular news sites. They import content such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well-maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.
The image below shows all the external sites involved whenever you visit three popular news sites.
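The kind of inventory that image represents can be produced for any page from its HTML alone. The script below is an added example, not SWITCH’s or the authors’ code: it parses a page offline with the Python standard library, collects every element that makes the browser fetch a resource (script, iframe, img, link, video, audio, source, embed, object), resolves relative and protocol-relative URLs, and groups the external hosts by registrable domain so a webmaster can see which third parties a page really depends on. The sample HTML and all host names in it are constructed placeholders (`.invalid` domains), not real ad networks or trackers.

```python
"""Inventory the third-party origins a web page pulls content from.

Added example, not SWITCH's or the authors' code. Parses a page's HTML
offline with the standard library and lists every external host referenced
by resource-loading tags. The sample page below is constructed; the host
names are placeholders, not real ad or tracking services.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause the browser to fetch a resource, per tag.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) pairs for every fetched resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # Resolve relative ("/x.js") and protocol-relative ("//host/x.js")
                # references against the page URL, as the browser would.
                self.resources.append((tag, urljoin(self.base_url, value.strip())))


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for .ch/.li hosts as discussed
    in the post; a production audit should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def third_party_origins(html, page_url):
    """Return {registrable_domain: sorted list of tags} for every host that is
    not the page's own. data: and javascript: references are skipped because
    they do not reach out to another server."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own = registrable_domain(urlsplit(page_url).hostname or "")
    found = defaultdict(set)
    for tag, url in parser.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        domain = registrable_domain(parts.hostname)
        if domain != own:
            found[domain].add(tag)
    return {domain: sorted(tags) for domain, tags in sorted(found.items())}


# Constructed sample: a news front page embedding its own assets plus an ad
# slot, a tracker and a video player from placeholder third-party hosts.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-news.ch/app.js"></script>
<script src="//tracker.example-analytics.invalid/t.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="https://ads.example-adserver.invalid/slot?id=1"></iframe>
<script src="https://ads.example-adserver.invalid/loader.js"></script>
<video poster="https://player.example-video.invalid/poster.jpg"></video>
<a href="javascript:void(0)">x</a>
</body></html>
"""

if __name__ == "__main__":
    report = third_party_origins(SAMPLE_HTML, "https://www.example-news.ch/")
    for domain, tags in report.items():
        print(f"{domain:30s} via {', '.join(tags)}")
```

Run against the live HTML of a front page, the output is only the first hop: each listed host may in turn load further scripts and frames, which is exactly the chain the post describes. Re-running the inventory regularly and diffing the result is a cheap way for a webmaster to notice when a supplier starts pulling in hosts that were not there before.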
Using ads to distribute malware
It’s difficult for end users to protect themselves against such attacks. Keeping the system and browser up to date will help. Beyond that, an ad blocker will prevent any ads from loading, including malicious ones. Obviously, news sites won’t like this advice, but we have seen in the past that distributing malware through ads (be this malvertising or something else) can cause a lot of damage. SWITCH analyses dozens of web pages every day to detect drive-by code, but the ad servers are good at hiding behind complex news sites, and they deliver their payload only sporadically. Detecting this is hard. Nevertheless, several large sites have reported high infection rates that could be traced back to this infection vector. The use of ad blockers is highly debated, and we don’t want to lead that discussion here; good commentary can be found elsewhere.
Similarly useful is Ghostery, a plugin that disables the various trackers websites deploy.
The taste of a bad meal
So, how bad are these ads? As mentioned, a successful attack results in an infection with the banking trojan Gozi ISFB. As in any modern trojan, the configuration is loaded dynamically once the malicious code is executed. In this case we were lucky: we were given access to the logs of a server delivering a crucial component of the config. The result was a daunting 1500 infections per day across Switzerland. So one bad ingredient spoils the lunch of a great many people.
Ads continue to be problematic from a security point of view, as they allow attackers to smuggle malicious content into seemingly reputable sites. Too often we have heard that website owners cannot take responsibility for third-party feeds. That couldn’t be more wrong: much more scrutiny is needed by webmasters in monitoring the quality of the third-party feeds they serve to their visitors. It’s the original website’s responsibility to ensure quality and a safe experience for its visitors.
As any decent restaurant pays attention to hygiene, the internet community must start taking internet hygiene more seriously, for all of its suppliers.