Malicious code hidden in advert images cost ad networks $1.13bn this year

So-called steganography is rapidly becoming a favored tool of fraudsters.
Written by Charlie Osborne, Contributing Writer

Malvertising, the practice of embedding malicious code in seemingly innocent online adverts, is evolving through the use of steganography.

Files, messages, images, and video can be hidden within content of the same format, potentially leading to malicious redirects and the download of exploit kits.

The steganographic technique is fast becoming a popular method for fraudsters to dupe legitimate ad networks and spread malvertising across legitimate domains, according to researchers from GeoEdge, with a recent string of incidents highlighting the method's capabilities.

Malvertising incidents utilizing steganography were first recorded this year. Since the emergence of the first cases, records have been "growing exponentially in Q4 2018," the team says.

Experian, a global credit monitoring agency, was one such victim of steganography-based malvertising.

GeoEdge says that Experian had one of their legitimate adverts targeted with a second image, one "that was not visible to the user but hidden inside the ad request which called up the embedded malicious code."

"Once the ad appears on a user's desktop or phone, the malicious code is enabled," the researchers said. "In this instance, the malicious code was an auto-redirect to a phishing site targeting US users."

In other examples uncovered by the team, auto-redirects were set up through the technique to send visitors to malicious websites. If a visitor is sent to a website under an attacker's control, this could dupe them into believing such services are legitimate and, as such, parting with valuable personal and financial data.

GeoEdge estimates that auto-redirect and steganography techniques used in malvertising cost publishers $120 million over the past year, and marketers up to $920 million. In total, the firm believes online advertisers lost $1.13 billion in 2018 -- and this figure is expected to rise by up to a third over 2019.

"The use of steganography increases the sophistication in the constantly evolving arsenal of tactics employed by malicious actors, making a detection technology solution which is updated weekly, daily and even hourly, coupled with real-time blocking, a necessity for publishers today," says Amnon Siev, CEO of GeoEdge.

Malvertising is a well-known problem, with companies including Facebook, The New York Times, BBC, AOL, and MSN, among many others, having been targeted in the past.

Ad-blockers -- a thorn in the side of many online services -- are touted as a way to protect against advert attack vectors.

Malvertising is often used to redirect users from legitimate websites to fraudulent ones but is also now being used in drive-by cryptojacking campaigns, as well as for the spread of exploit kits and ransomware.

The use of content-within-content obfuscation techniques, however, has stepped up the game -- and may lead ad networks which do not detect malicious code contained within images to accept more fraudulent ads.

As our ads become potentially riskier to click, our televisions are also being targeted for fraudulent purposes. This week, DoubleVerify researchers uncovered a botnet which specifically targets smart TVs in order to generate false ad impressions from TVs and gaming consoles, permitting the botnet controllers to reap financial rewards.
