We've all got "that person" in our offices. Maybe it's even several "that people." The one(s) who can't resist clicking on trashy articles on their Facebook or other news feed, and maybe even sharing them with everyone else in the office. Articles with titles like:
"You won't believe how a single kumquat earned me $5,000 last month!"
"OB-GYNs Hate This One Easy Trick!"
"Children playing with baby alligators?! What happens in #6 will amaze you!"
These are, of course, commonly known as clickbait: headlines which deliberately leave out vital pieces of information, specifically to try to induce people to click out of curiosity. Often, the article is barely related to the headline, what one might call clickbait-and-switch. It's just a cheap excuse to try to drive up online ad impressions by sending gullible viewers to worthless pages.
Unfortunately, such tactics aren't merely an annoyance or an excuse to avoid emails from certain people. They're increasingly becoming a threat due to malicious attacks using online ads as the vector.
The Rise Of Malvertising
Malvertising - as the name suggests - is online advertising which is designed to deliver malware to computers displaying the ad. Sometimes ads are deliberately set up to do this. Other times, cyber-criminals will find ways to hijack ads or ad-distribution services to deliver malware without the legitimate advertisers even knowing it's happening.
And if it seems like malvertising and clickbait would go hand-in-hand, you already see the problem here.
The sorts of websites which happily deploy clickbait titles to drive people to their advertisements are the ones who are likely signed up to as many advertising-delivery services as they can manage. Nor are they likely to care much about quality control or monitoring the ads being placed on their pages. If their view numbers are going up, and the money is coming in, that's all they care about.
So they become the "Typhoid Marys" of malware.
What sort of programs can be delivered by these ads? The answer might surprise you!
In the last few years, the black market for compromised computers has blossomed into entire black industries, complete with verticals and distribution chains. Although there are many variations on the formula, one typical chain might look like this:
- A workplace computer becomes compromised via malvertising. The malvertiser sells access to people running a botnet.
- That computer becomes part of that botnet, participating in activities such as DDoSing or ad-click fraud, services which are sold to interested parties.
- The owners of the computer notice the botnet activity, and start blocking its access. However, they fail to discover the root program compromising the system.
- Access to the computer is sold again, this time to more experienced system crackers.
- Those crackers attempt to compromise the larger business network, obtain financial records, siphon money, etc.
- Even if the computer is taken offline, wiped/restored, or otherwise sanitized, the compromised data has been released "into the wild" and sold off to yet another level of criminals who specialize in exploiting data.
If you're surprised to learn this level of sophistication exists in the "black hat" hacking community, that's because it's only recently even come to be understood. Further, both governments and law enforcement have very little ability to even shut down such networks, much less actually capture or punish the people involved.
As with so many things involving systems security at the moment, you are your own first and last line of defense.
Train Your Employees To Avoid Clickbait and Other Threats
The best protection in this case is training. Employees need to understand the very real threats posed by clickbait and other malicious websites.
Obviously, the most effective policy would be to simply ban all non-work-related web browsing, but that's hardly practical in many businesses. Such a policy is also likely to create a lot of workplace ire. However, if it seems like you could implement such a ban in your office with minimal blowback, it would be by far the safest option.
For everyone else:
- Help employees understand the difference between clickbait and legitimate headlines. Legitimate headlines provide information, rather than withholding it.
- Encourage employees to only click on links coming from reputable domains they recognize, such as major news sites.
- Discourage them from ever clicking on ads. Some forms of malvertising require clicks to activate.
- Consider implementing ad-blocking software company-wide.
Also, encourage your IT staff or systems manager to monitor traffic more closely, particularly for high volumes of requests to unusual domains or DNS servers. This is usually the best way of detecting in-office botnets. If a botnet is suspected, segregate and sterilize the computer(s) immediately. BYOD security plays an important role here as well, since most employees connect their devices to the WiFi network and will access their social media pages throughout the day.
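As an added illustration of the monitoring described above (this is example code written for this page, not something from the original article or from any vendor), the script below reads a small DNS query log and flags hosts that query a DNS server other than the approved internal resolvers, send many queries to a domain the business doesn't recognise, or query an unknown domain at a fixed interval, which is how scheduled check-ins from an infected machine tend to look. The log format, addresses, domain names and thresholds are all constructed for the example.

```python
"""Spot hosts whose DNS query pattern looks like botnet beaconing or click-fraud traffic.

Added example (not from the original article). The log format and all addresses,
domains and thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client_ip> <resolver_ip> <queried_name>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.12 10.0.0.2 mail.example-corp.internal
2024-05-01T09:00:05 10.0.0.12 10.0.0.2 news.example.com
2024-05-01T09:00:09 10.0.0.12 10.0.0.2 cdn.example.com
2024-05-01T09:01:10 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:01:40 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:02:10 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:02:40 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:03:10 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:03:40 10.0.0.27 10.0.0.2 xk3jd9.constructed-example.net
2024-05-01T09:04:00 10.0.0.41 203.0.113.53 tracker.constructed-ads.example
2024-05-01T09:04:30 10.0.0.41 203.0.113.53 tracker.constructed-ads.example
"""

# Constructed policy: the internal resolvers clients are supposed to use, and the
# registrable domains the business already knows about.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
KNOWN_DOMAINS = {"example-corp.internal", "example.com"}


def registrable_domain(name):
    """Collapse a query name to its last two labels. Good enough for this demo;
    production code should use the Public Suffix List instead."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def parse_log(text):
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, resolver, name = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "resolver": resolver, "domain": registrable_domain(name)})
    return records


def looks_periodic(timestamps, min_events=4, jitter_seconds=5):
    """True when at least min_events queries arrive at a near-constant interval.
    Scheduled check-ins from an implant look like this; human browsing does not."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= jitter_seconds


def analyze(records, volume_threshold=5):
    """Return {client_ip: [reason, ...]} for clients that deserve a closer look."""
    findings = defaultdict(list)
    rogue_resolvers = defaultdict(set)   # client -> resolvers outside the approved set
    unknown_hits = defaultdict(Counter)  # client -> unknown domain -> query count
    unknown_times = defaultdict(list)    # (client, domain) -> query timestamps
    for r in records:
        if r["resolver"] not in APPROVED_RESOLVERS:
            rogue_resolvers[r["client"]].add(r["resolver"])
        if r["domain"] not in KNOWN_DOMAINS:
            unknown_hits[r["client"]][r["domain"]] += 1
            unknown_times[(r["client"], r["domain"])].append(r["ts"])
    for client, resolvers in rogue_resolvers.items():
        findings[client].append("queries sent to non-approved resolver(s): "
                                + ", ".join(sorted(resolvers)))
    for client, counter in unknown_hits.items():
        for domain, n in counter.most_common():
            if n >= volume_threshold:
                findings[client].append(f"{n} queries to unrecognised domain {domain}")
            if looks_periodic(unknown_times[(client, domain)]):
                findings[client].append(f"beacon-like fixed-interval queries to {domain}")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed log, 10.0.0.12 (ordinary browsing) produces nothing, 10.0.0.27 is reported for both volume and the fixed 30-second cadence to an unknown domain, and 10.0.0.41 is reported for bypassing the approved resolvers. Hosts that show up here are the ones to segregate and rebuild first; the thresholds are starting points to tune against your own baseline traffic.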
Finally, think about upgrading your network hardware to brands which deploy in-hardware malware protections, such as Meraki security appliances.
Need more advice on protecting yourself? Contact Hummingbird Networks for a full consultation on your options!