July 4th is Independence Day in the U.S. It’s also a holiday for hackers and cybercriminals. For them it’s not the kind of holiday where you go to the beach and relax; it’s a holiday for making money from successfully planting malware on people’s devices. Hackers get paid a bounty for every successfully compromised device, because those devices can then be used for a wide variety of other cyber crimes.
On many past holidays, there have been surges in malvertising – ads laced with malicious code. These ads appear when users visit popular mainstream sites on weekends and holidays. Why weekends and holidays? That’s when more people are at home and on their personal devices. These devices, including their kids’ iPads for example, are less hardened against malicious attacks than corporate devices managed by IT departments. These devices are therefore easier targets for hackers to compromise.
Consumers experience these malicious ads as pop-ups that virtually take over their entire screen or as unexpected redirects to fake sweepstakes or antivirus pages. The messages that appear typically include something like “you’ve won big money from T-Mobile, click here now!” or “your device has a serious virus, you must click here now!” Users may be scared into clicking. Once they click, their device is compromised. They might even get compromised when trying to close the ad, because hackers may have also altered the “close” button to mean “allow malware to install” instead.
Data from clean.io, a cyber security company that protects enterprises from malicious and untrusted code execution, shows examples of malvertising surges observed during recent holidays. According to Matt Gillis, CEO of clean.io, “Last year, the 4th of July was actually a non-event when it came to malicious ads. It fell on a Thursday. The surge came on July 15th instead, which was Amazon Prime Day. This year, July 4th presents a set of unique circumstances that we’ve not seen before. Most obvious is the fact that we are still dealing with the impacts of COVID-19 on the digital media ecosystem. The pullback of ad spending by big brand advertisers means the cost of ads is lower overall. Lower ad prices mean it’s easier and more affordable for hackers to launch these attacks and their profit margins are higher. Historically, weekend days, especially Saturday, have seen the highest threat levels. July 4th 2020 falls on a Saturday. With all of these factors, it seems like this year could be the perfect storm for a malvertising surge on the 4th of July.”
Confiant, a cyber security company focused on protecting digital ads, similarly predicts a surge in malvertising threats over the long weekend. They predict the type of attack will be the familiar “redirects to carrier-branded scams” like “You’ve Got Money from AT&T.” The attacks will start early in the morning and attempt to compromise both desktop computers and mobile devices by exploiting browser bugs.
Confiant provided several additional observations from their H1 2020 data:
– 58% of weekends had a large scale malvertising event (and 77% of holiday weekends).
– 53% of weekend attacks started on Sundays and 47% started on Saturdays.
– 87% of weekend attacks came from either eGobbler or Nephos7, both of which deliver carrier-branded scams (credit card fraud) with a preference for victims found on desktop computers and Android devices.
GeoEdge, a cyber security company that guards digital businesses against malicious, unwanted, offensive and inappropriate ads, predicts that malvertising ads will increase this 4th of July weekend. However, the volume will only hit a modest peak compared to the historic surges seen in previous years.
“When looking at 2019, we witnessed a massive spike up to 600% during the 4th of July weekend. Typically the surge in attacks on July 4th is due to the users’ change of environment and device usage over the weekend,” according to Adi Zlotkin, Head of Security Research at GeoEdge. “Due to COVID-19, users have been at home on weekdays, not only weekends, and as a result we are witnessing different patterns of behavior from attackers.
“When comparing this year’s holiday attacks, a very clear difference exists between those that occurred prior to the pandemic and after. On New Year’s Eve users faced a major spike in malvertising scams up to 11-fold compared to our daily routine. However, on Easter 2020 users were faced with more modest growth in attacks of up to 300%, with a similar pattern on MLK day. In the COVID-19 era far more modest spikes in malvertising scams are seen on holidays, of 3- to 4-fold.”
Consumers who encounter a malvertising pop-up or redirect should exit the browser entirely, instead of attempting to click the [X] to close the ad.
Site owners, including mainstream publishers, should keep a close eye on any surges of ads from new or unknown advertisers, even if they appear to be coming from legitimate demand sources. Some of these publishers use the technology platforms of GeoEdge, clean.io and Confiant to monitor such advertising-based security threats. Without getting into any technical details here, suffice it to say cyber criminals are opportunistic and love to make money. Due to a unique confluence of events, July 4th weekend in 2020 presents a huge opportunity for bad actors to make money. So we are unanimously on the lookout for a surge in malicious ads for the holiday weekend.