Cybersecurity month may be drawing to a close soon, but awareness of cyber threats, and diligence against them, is a year-long effort. In October 2024, National Credit Union Administration Chairman Todd Harper published a letter to credit union boards of directors outlining their responsibility in overseeing the cybersecurity of their institutions.
In addition to detailing boards’ roles in operational management and incident response planning, Harper called attention to one particular type of cyberattack that is drawing the NCUA’s attention: malvertising.
As a credit union recently suffered a ransomware attack attributable to malvertising, it’s a good idea to learn what it is, why it’s dangerous, and what credit unions and their staff can do to mitigate the risks.
Ads can be more than just annoying
A relatively new form of cyberattack, malvertising uses digital ads injected with malicious code to infect unsuspecting users’ devices. The scary part is that it’s difficult for both users and publishers to detect, as the malicious ads are often served by legitimate advertising networks. Scarier still, in some cases it doesn’t even require you to click on a link, putting virtually every ordinary page viewer at risk of infection! (Though these cases are less common and depend on browser vulnerabilities.)
Attackers accomplish this by breaking into a third-party server and injecting the malicious code into a display ad, like a banner or video content. Clicking on the ad then delivers the code, which might include malware or adware, to the user’s computer. Depending on the code, it might damage files, redirect traffic, monitor and steal activity, or set up backdoor access.
In some notable cases, organizations like The New York Times, BBC, and Forbes were hit with malvertising attacks. Since these sites often depend on ad revenue to sustain themselves, they set up agreements with ad networks that present ads on their websites. But those networks’ servers may have been susceptible to bad actors, allowing malvertising to be presented to users on the legitimate websites. In cases like the Angler Exploit Kit, users were automatically redirected to a malicious website where they were then exposed to malware.
Not all is lost
As far as cyberattacks go, this may seem like a scary one. And while it can be, there are ways to mitigate the risks. As far as your own credit union websites go, it’s extremely unlikely that you are using a third-party advertising network. So this is not a case where it’s your website that’s likely to be the delivery mechanism. Rather, it’s the websites you visit that might cause a problem.
Unfortunately, as we saw above, even large, reputable organizations that depend on ad revenue are at risk as they may use ad networks with huge ad volume and circulation, making it tough for them to ensure every ad they present is clean. And since ads often rotate, it can make it tough to know who might be presented with a malicious ad and what exactly they saw.
Avoiding the internet at large is not a realistic option, so instead you and your teams should focus on proper cyber hygiene and common-sense behavior. For one, keeping your software, web browser, and systems up to date with the latest security patches is a no-brainer. I see you clicking that “install update later” button! Don’t do it! The cyber threat world is fast-evolving and vulnerabilities need to be patched quickly.
Your workstations likely have antivirus software and a firewall, but you should also consider installing an ad blocker if it won’t interfere with your job. Ad blockers detect things like ads, pop-ups, and auto-play videos and prevent them from loading, greatly reducing your risk of malvertising (while also often making your user experience more pleasant). Unfortunately, as many sites depend on ad revenue, they have found ways to detect ad blockers and prevent you from viewing the website until you disable yours. Ask yourself how badly you need to be on that site.
Keep in mind, that recommendation comes directly from Todd Harper, who in his letter wrote “Credit union cybersecurity teams should focus on standardizing and securing web browsers and deploying ad blocking software to protect against this threat.”
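For teams acting on that recommendation, here is one way to check a browser policy against the steps above. This is an added example, not something from Harper's letter or the NCUA: it assumes a Chrome or Chromium managed-policy JSON file, uses Chrome's enterprise policy names, and the extension ID and both sample policies are constructed placeholders.

```python
import json

# Placeholder, not a real extension ID: substitute the 32-character ID of the
# ad blocker your security team has approved.
APPROVED_ADBLOCK_ID = "a" * 32


def adblock_forced(policy, ext_id):
    """True if the policy force-installs ext_id via either Chrome mechanism."""
    forcelist = policy.get("ExtensionInstallForcelist", [])
    # Forcelist entries look like "<id>" or "<id>;<update_url>".
    if any(entry.split(";", 1)[0] == ext_id for entry in forcelist):
        return True
    settings = policy.get("ExtensionSettings", {}).get(ext_id, {})
    return settings.get("installation_mode") == "force_installed"


def audit_policy(policy, ext_id=APPROVED_ADBLOCK_ID):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not adblock_forced(policy, ext_id):
        findings.append("ad blocker is not force-installed")
    if policy.get("DefaultPopupsSetting") != 2:  # 2 = block pop-ups on all sites
        findings.append("pop-ups are not blocked by default")
    if policy.get("SafeBrowsingProtectionLevel", 0) < 1:  # 0 = no protection
        findings.append("Safe Browsing is off or not enforced")
    if policy.get("RelaunchNotification") != 2:  # 2 = relaunch required
        findings.append("users can postpone the relaunch that applies updates")
    return findings


# Constructed sample policies (not taken from any real deployment).
WEAK = json.loads('{"DefaultPopupsSetting": 1, "RelaunchNotification": 1}')
HARDENED = {
    "ExtensionInstallForcelist": [
        APPROVED_ADBLOCK_ID + ";https://clients2.google.com/service/update2/crx"
    ],
    "DefaultPopupsSetting": 2,
    "SafeBrowsingProtectionLevel": 1,
    "RelaunchNotification": 2,
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_policy(pol) or "OK")
```

The last check is the policy-level answer to the “install update later” button: a required relaunch means a downloaded browser update cannot sit unapplied indefinitely.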
As with the myriad other threat vectors, awareness is key. The human layer of your cybersecurity program is often the squishiest, but with some education and precautions, you can help reduce the risk to you and your organization as much as possible.