Browser exploitation and Malvertising

27 June 2018

HMRC regularly warns about the risks of malicious software (‘malware’) being delivered by email and being cautious when opening attachments and clicking links. Email is a common method used by criminals, but other techniques are equally dangerous and require different defences. One such technique is exploiting security vulnerabilities in web browsers.

Web browsers and associated software (e.g. plug-ins like Flash) enable users to enjoy a wealth of digital content, in a range of different data formats. There is a lot of complexity behind the scenes in these programs, and security researchers and criminals work hard to find mistakes made by software developers that maintain them. These mistakes often relate to how the web browser processes data within a web page; by crafting the right content, an attacker can get the browser to mistakenly run the attacker’s code. When these vulnerabilities are discovered or reported, the software developers hurry to release software ‘patches’ (updates) to plug the holes.

Not everyone applies these updates though, or they may even use older versions of web browsers that updates are no longer provided for. This presents an opportunity for criminals, who use ‘exploit kits’ - a collection of specially crafted code, on a website that will target a wide range of vulnerabilities. Their only challenge is to get potential victims to visit their site - once they do, criminals are able to gain entry and install or run their malicious software. This includes sending out emails with links to these websites, littering social media sites with links, or paying for online adverts, which direct victims to the malicious site.

The latter technique is referred to as malvertising (derived from malware and advertising), and criminals use a range of techniques to sneak their adverts past the checks of online marketing companies to appear on popular websites. Many legitimate sites have unknowingly hosted malvertising, including household names.

Applying software updates is an important part of keeping your IT systems secure, and generally keeps you safe from this method of attack.

Applying security patches to ensure the secure configuration of systems forms part of the National Cyber Security Centre (NCSC) 10 Steps to Cyber Security.

Further information on the 10 Steps and other useful guidance can be found on the NCSC website.


This information was originally published in Agent Update 66.