Newspaper site the Independent is the latest to succumb to the threat of “malvertising”, which sees criminals booby-trap trusted websites with malicious code disguised as advertising. The BBC reports that visitors to an Independent blogs website page risked having their computers infected with ransomware, which locks users out from their own files or systems until they pay the attacker a fee.
As Trend Micro, which discovered it, notes, the attack on the Independent forms part of a campaign targeting the blog hosting service WordPress. However, it is also part of a far wider trend targeting media and non media groups alike: Victims have included Forbes, the Daily Mail’s website, Yahoo!, eBay, and Barclays Fantasy Football, among others. According to a recent study in the US for the Interactive Advertising Bureau (IAB) by consultants Ernst & Young, malvertising already costs about $1.1 billion a year.
As the IAB study noted, there are measures that can be taken to fight against malvertising. Sites hosting ads are, for example, increasingly scanning for malicious code before allowing ads to launch. However, the sophistication of criminals who use malvertising is also growing, and US-based security firm WatchGuard has said it expects malvertising attempts in 2016 to triple.
Such attacks offer a number of important lessons.
One is the wide range of online dangers and the growing complexity of the risks. Malvertising itself, for instance, is really only a delivery mechanism for other malware types such as ransomware – itself a growing threat and key emerging danger over the last year.
Another obvious lesson is the difficulty in guarding against such threats. Cyber threats are ubiquitous, costing European businesses alone £41 billion in lost revenues a year, according to estimates from accountants Grant Thornton. As high profile attacks against the likes of TalkTalk and, more recently, JD Weatherspoons show, even the giants are vulnerable.
Related to that is another lesson: You can’t rely on dealing with big named brands to give you security. A solid reputation is no guarantee when it comes to your business partners, customers or service providers. No matter how big the business, you must assume it could be compromised.
Of course, there is value in research and checks to establish the reputation and legitimacy of those you deal with and, where possible, the strength of their cyber security. Due diligence is rarely wasted.
However, your security cannot be outsourced. The only route to security is rigorous, proactive measures to protect against the evolving risks. Robust procedures, processes and applications to monitor, detect and eliminate risks will not guarantee security: total security does not exist. However, your own security strategy is the only one you can truly control, and it’s the best place to put your confidence.