Malvertising attacks are surging beyond levels the industry has ever seen before. A recent study today found that instances of malware served by ad networks more than tripled between June 2014 and February 2015. Just this week, a malvertising attack impacted millions of users of the Plenty of Fish (pof.com) online dating site – a seemingly trusted site, but deemed vulnerable by an exploit kits. According to Malwarebytes, one of the ad networks that used pof.com was exploited as a key link in the attack chain that ultimately infected visitors’ devices with the Tinba banking Trojan.
Similarly, a recent breach of Yahoo’s networks highlighted the scale and affect of malvertising. Yahoo’s properties, which see nearly 7 billion visits per month, were redirecting users through ads to sites that have been compromised and set up to serve malware.
The attacks exposed millions, if not billions of users, and their private data. Yet, there wasn’t anything especially interesting or sophisticated about the attacks, nor was there anything novel in the recommendations being made in their wake – patch your systems, keep your antivirus (AV) updated, etc. Of course, if everyone actually did keep their systems patched and their AV updated we might see far fewer of these types of attacks because they wouldn’t yield much for attackers. But that’s clearly not the case, so the economics of such attacks still favor the bad guys. Even worse, keeping systems patched and AV updated don’t protect against zero-day attacks. Given the rate at which new zero-days are being introduced, it would seem that creating and using them is a very good business indeed.
There’s an often-used quote defining insanity as doing the same thing over and over again and expecting different results. The quote seems apt as a comment on the current approach to preventing malware attacks. We can’t find vulnerabilities, patch systems and identify new attacks faster than attackers. Businesses spent more than $70 billion on cyber security tools in 2014, and collectively lost nearly $400 billion as a result of cyber crime.
And yet we continue to try, as if there’s nothing else we can do – except, perhaps, disconnect from the Internet.
Even the most trusted websites could be compromised, delivering zero-day malware to unsuspecting users. With breakthroughs in virtualization, cloud and remote rendering technologies, there is a way to eliminate the threat of Web-borne malware attacks. Isolation security operates on the simple premise that attacks are undetectable, and therefore no content from the Web should ever reach a user’s device. It doesn’t rely on the ability to detect attacks – zero-day or otherwise, and it doesn’t require that users’ operating systems and browsers remain patched and up-to-date.
Any attempt to categorize a website as good or bad, with respect to malware or malvertising, is a false notion. We are fooling ourselves into thinking that this is even possible. With billions of dollars being spent on enterprise security, we are nowhere closer to securing our users or making the Internet a safe place to be. As an industry, we need to step back and think about definitive ways to eliminate attacks, not just detect or react to them after the damage is already done.