Malvertising — or malicious advertising — is a relatively new cyber-attack technique. The term comes from a combination of ‘malware’ and ‘advertising’. Cyber-criminals embed malware into the advertisements (ads) of well-known online publications. Trusting these legitimate sites, internet users load the webpage or click on the ad, allowing malware to be downloaded onto their device.
Recent attacks have occurred on high-profile websites such as The London Stock Exchange and Spotify, and it’s easy to see why. With millions of ads distributed daily, it’s difficult for organisations to vet each one. Therefore, website publishers must take steps to reduce the risk of malvertising. Consider these tips:
- Review ad networks—Before signing up for ads, inquire about their ad delivery paths and data security practices. Use trusted networks that have adequate malvertising prevention measures in place.
- Run regular malware scans—Don’t rely on your overall network security. Take additional security measures by running regular scans to ensure your website is malware-free.
- Keep software up to date—New vulnerabilities in website software are regularly uncovered, so it’s essential to check that your website is up to date and fully supported. Upgrade or apply service patches as soon as an update is received.
Additionally, employers and all website users should take steps to protect themselves:
- Invest in an antivirus programme—A trustworthy antivirus programme can go a long way in reducing your chances of encountering a malvertising attack. Once installed, remember to regularly update your antivirus software.
- Turn on click-to-play plugin—Through selecting the ‘click to play’ option in your browser, online content that requires plugins to play (eg Java, Adobe Reader) will be disabled unless manually allowed. This helps protect you from having a fraudulent website play content automatically and gives you more control.
- Install an ad blocker—By installing an ad blocker, you can prevent most malvertising attacks by ensuring that ads aren’t displayed in the first place. Be aware that some websites may not run properly when an ad blocker is enabled. However, you can choose to allow online ads from certain sites once you’ve properly examined the cyber-risk.
And a reminder on password security:
The National Crime Agency has recently recovered a database of 225 million login credentials from cyber-criminals, sharing the hacked passwords with the Have I Been Pwned (HIBP) security project. It’s sensible for organisations to regularly check the HIBP website to see whether passwords have been compromised. Additionally, consider these tips:
- Use strong passwords. Employees should create passwords at least eight characters long, using a combination of upper- and lower-case letters, symbols and numbers. Passwords should be easy to remember but difficult to guess. A good rule of thumb is to make sure that somebody who knows the user well couldn’t guess their password in 20 attempts.
- Avoid reusing passwords. Passwords shouldn’t be reused, especially for more sensitive systems. For less important accounts, employers may wish to use a password manager tool, which creates and manages passwords in one system, helping to prevent ‘password overload’ in employees.
- Be secure. Ensure passwords aren’t written down, shared with others or sent by email.
Additionally, organisations should consider implementing failed-login monitoring and account-lockout mechanisms to counteract brute force attacks.
For more information on cyber insurance contact us today.