Why the epidemic of malicious ads grew so much worse last year

Last year brought a surge of sketchy online ads to the Internet that tried to trick viewers into installing malicious software. Even credit reporting service Equifax was caught redirecting its website visitors to a fake Flash installer just a few weeks after reports of a data breach affecting as many as 145 million consumers.

Now, researchers have uncovered one of the forces driving that spike—a consortium of 28 fake ad agencies. The consortium displayed an estimated 1 billion ad impressions last year that pushed malicious antivirus software, tech support scams, and other fraudulent schemes.

Because the consortium carefully developed relationships with legitimate ad platforms, its ads reached 62 percent of the Internet’s ad-monetized websites on a weekly basis, researchers explained in a report published Tuesday.

Forced redirects push phony malware and fake Flash updates.

The ads were delivered on so-called “forced redirects,” in which a site displaying editorial content or an ad suddenly opened a new page on a different domain.

These forced redirects are a technical mechanism that can be leveraged to deliver a variety of malicious attacks, from those targeting businesses (affiliation fraud) to those targeting individual users (phishing scams, malicious downloads, fake updates, etc.).

At a minimum, these forced redirects often make a website unusable for an everyday user, and at worst visitors are being directly attacked. It's important to understand where the issues are coming from (often the website owner gets blamed, even though they themselves are a victim, too) and what the new risks are for them in an ad-supported Internet.

Use of forced redirects has increased for three reasons:

1) Browser makers have grown more resistant to drive-by exploits,

2) the use of the often-exploited Adobe Flash for ads has declined, and

3) security companies have gotten better at detecting exploit code in online ads.

While not as effective as malvertising exploits that install ransomware and other types of malware with no social engineering required, forced redirects remain an appealing alternative that’s also cost-effective. Until publishers and ad platforms better organize to stamp out these kinds of groups, the redirects are likely to remain a common Internet menace.