Malvertising Woes—Cisco Discusses Malvertising in Latest Threat Report

Wednesday, August 20, 2014 – 11:14


Peter Zavlaris

Cisco’s freshly released midyear threat report declares malvertising “a disruptor for the Internet Economy.” It points out that malvertising played a key role in spreading the CryptoLocker ransomware.

Malvertising is incredibly effective because it can infect host machines during the normal course of Internet browsing and can be served up on major websites without exploiting the website host’s infrastructure.

Recently, RiskIQ researchers observed a malvertising campaign using the RIG exploit kit present on  An excellent write up by RiskIQ Head of Research, James Pleger, can be found here.

In the security report, Cisco points out that its researchers dissected attacks using RIG to spread CryptoWall (successor to CryptoLocker) via malvertising campaigns.  RIG, it points out, is a drive-by style attack specifically designed for high profile websites.

RiskIQ researchers and Symantec researchers both discovered RIG on in early July.  Detailed analysis by RiskIQ researcher Darren Spruell describes how the attack is carried out and how, by using RiskIQ, he was able to identify the source of the infection.

For anyone who is new to malvertising, here is a breakdown from the RiskIQ website. As Jason Brvenki, Principal Engineer, Security Business Group at Cisco explains in a short video released along with the midyear threat report, “malvertising produces results.” Because of this, it is gaining in popularity. The Online Trust Alliance (OTA) estimates that in 2013 alone, malvertisements appeared in 12.4 billion ad impressions.

Why is malvertising becoming more popular? As Brvenki puts it, “You have the ability to distribute your malware indiscriminately across the board and attack hundreds of thousands of people a day.” This is particularly dangerous for consumers and customers of high-profile organizations. Brvenki explains that attackers can “target specific business and entities through the advertising networks and be gone before you even know you’ve been compromised.”

So how does it work?  Brvenki offers an explanation:

“It’s much the same as you would take on advertising a product…only the product happens to be my malware and command and control infrastructure…conceptually it’s just as easy as regular advertising only we deliver specific ads designed to infect your machine.”

Unfortunately, due to the complexity of the ad exchange on the Internet, the ease of distributing malicious ads, and the success in proliferating malware, the malvertising problem is going to get worse. However, organizations concerned with this issue have sources they can turn to. Vendors and organizations alike are looking to provide solutions to this problem.

RiskIQ’s unique crawling infrastructure operates at Internet scale and offers the sophistication necessary to track malicious ads. Operating millions of bots programmed to imitate real user behavior, RiskIQ captures individual malicious ads served up at any point in time on a given webpage: an incredibly difficult task, considering the sheer magnitude of ads served up each millisecond across the web. Using RiskIQ for Ads allows organizations to gain insight into attempts to leverage their web properties in order to spread dangerous malware via malicious ads.

-Peter Zavlaris, RiskIQ Blogger
