How to protect your organization against ad-based JavaScript exploits

According to DEVCON, cyber criminals continue to exploit vulnerabilities in JavaScript to attempt to steal sensitive consumer data through advertisements.


JavaScript has long been a favorite target of cyber criminals, who take advantage of vulnerabilities in web-based code to deliver malware to unsuspecting victims. One specific type of attack that exploits JavaScript is malvertising, or ad-based threats, which use online advertisements to spread malware.

DEVCON’s 2019 Holiday Threat Report, released on Wednesday, illustrates how criminals use ad-based attacks and offers advice on what organizations can do to better protect themselves against these types of campaigns.

SEE: The 10 most important cyber attacks of the decade (free PDF) (TechRepublic)

DEVCON defines ad-based threats as the weaponization of advertising technology to spread malware, Trojan horses and other malicious attacks to consumers and to deceive marketers and publishers.

During the 2019 holiday shopping season between Thanksgiving and Cyber Monday, the rate of lower-risk ad threats dropped to 0.07%, from 1.25% in 2018, DEVCON said. However, the number of highly advanced attacks using this method increased. More than 60% of malicious ad threats in this period came from highly advanced attacks such as Led Zelpdesk, Lucky Star, Avid Diva and Invisible Ink.

These more advanced attacks combine social engineering with JavaScript exploits in an attempt to steal consumers’ credit card information or trick a user into downloading a Trojan.

How cyber criminals trap their victims

Cyber criminals use a handful of tactics to attack their victims:

  • Abuse of a service provider’s code. Bad actors create fake accounts with ad networks and use that company’s ad tags to deliver exploits on websites without ever touching the target company’s servers.
  • Partner exploitation. One type of attack that has surfaced is Magecart, which skims e-mail addresses, passwords and other sensitive data from online payment forms. To carry out these attacks, cyber criminals look at checkout and login pages to find external partners that can easily be compromised. The attackers then inject malicious code into those pages to collect the sensitive data as it is entered into the form.
  • Exploitation of code vulnerabilities. Cyber criminals target companies that use JavaScript or third-party libraries and try to exploit vulnerabilities in the script itself.
  • Infecting JavaScript with malicious code. Cyber criminals can use JavaScript to hide infected items such as image files, fonts and advertisements. For example, an ad image infected with malware can be concealed with JavaScript code.

“While these less advanced hackers are being excluded from the ad threat game, the more advanced bad actors are not only becoming more covert in covering up these attacks, they have escalated the types of exploits, broadened the attack surface and are not limiting these attacks to the ad tag scripts,” said DEVCON CEO Maggie Louie in a press release. “The real risk is data breaches, which can lead to huge fines under the new regulations. Advertising threat is a security gap that should not be managed by marketing teams, just as phishing attacks should not be managed by email marketing teams. These threats must be managed and monitored by security teams.”

SEE: How to build a successful CIO career (free PDF) (TechRepublic)

How to protect your organization

To protect your organization against ad-based attacks that use JavaScript, DEVCON offers the following recommendations:

  • Focus on creating a security culture in your company. The CTO, CISO and/or CIO must have the means necessary to maintain site security across all potential threat areas. No code should be tested or deployed without review by the security team. Your security teams must also monitor and limit all third-party JavaScript risks.
  • Perform a security audit. Use an independent security company to fully audit all third-party and fourth-party JavaScript on your site, and decide how you will monitor that code continuously.
  • Perform an annual penetration test. Use an independent security company to perform an annual penetration test to detect any gaps in your security model. If you move assets to the cloud, you must also determine whether you are working with the cloud provider under a shared security model, and you must be aware of your respective responsibilities.
  • Expand your board. Consider appointing a CISO or CIO to sit on the board.
  • Search for security risks. Regularly evaluate security risks and mitigation measures across all your departments and emerging technologies.
  • Review your cyber security insurance. Check your cyber security insurance to make sure you have the right controls and mitigations in place to meet all of its requirements.
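The second and third recommendations above (audit all third- and fourth-party JavaScript, then monitor it continuously) and the partner-exploitation tactic described earlier both come down to knowing which external scripts a page loads and noticing when one changes. The following Python is an added example, not code from DEVCON or TechRepublic: it inventories external script tags on a page, flags third-party scripts that carry no Subresource Integrity hash, and compares SHA-256 fingerprints of script bodies between runs so a silently modified ad tag or checkout-page script stands out. The sample page, hostnames and the sha384 placeholder are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every external <script src=...> tag and its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def audit_scripts(html, site_host):
    """Inventory external scripts: origin host, first- vs third-party, SRI coverage."""
    p = _ScriptCollector()
    p.feed(html)
    report = []
    for s in p.scripts:
        host = urlparse(s["src"]).netloc or site_host  # relative src => first party
        report.append({"src": s["src"], "host": host,
                       "third_party": host != site_host,
                       "has_sri": s["integrity"] is not None})
    return report


def unprotected_third_party(report):
    """Third-party scripts the browser will run without an integrity check."""
    return [r["src"] for r in report if r["third_party"] and not r["has_sri"]]


def script_fingerprint(body):
    """SHA-256 of a fetched script body, recorded per URL at each audit."""
    return hashlib.sha256(body).hexdigest()


def changed_scripts(baseline, current):
    """URLs whose fingerprint differs from the last audit, or that are new."""
    return sorted(u for u, h in current.items() if baseline.get(u) != h)


# Constructed sample page for an offline run; hosts are not real sites.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-adnetwork.test/tag.js"></script>
<script src="https://cdn.example-lib.test/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>"""
```

In practice the fingerprints would come from fetching each script on a schedule; any URL returned by changed_scripts is a candidate for review before the next deploy, not proof of compromise.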
