You’ve got 5 minutes between meetings. So, you pull up Snapchat to check on your family. Before you can click on your kid’s feed, an ad pops up and won’t go away. You can’t even back out of it. You must force stop the app and then relaunch it. By the time it reloads, the 5 minutes are up, and you have to begin the next meeting still wondering if your son or daughter is staying out of trouble online.
Ads have a way of getting in the middle of things. Pop-up ads, banner ads, redirect ads, prestitial ads, interstitial ads, and the list goes on. And for some reason, popups seem particularly invasive on mobile devices, where the display is already so small that a pop-up often hijacks the whole screen. Not only are you dealing with pesky legit ads from advertising companies but also malware laced ads from nefarious actors trying to make a quick buck.
Let’s face it, we rely upon our mobile devices to deliver the content we want, including visiting sites where we input and view sensitive data. “Pop-up ads may be lead generators for many businesses, but those which take over a user’s ability to view a site altogether are leading to lost revenue and potential malware hosts,” Inspired eLearning’s IS-GRC Specialist Jennifer Mick points out.
The good news is Google, Facebook, the Interactive Advertising Bureau (IAB) and others formed the Coalition for Better Ads to establish global ad standards. Senior VP Sridhar Ramaswamy for Google Ads & Commerce announced last year that Chrome will stop showing ads (including those owned or served by Google) on websites that are not compliant with the Better Ads Standards from 2018.
Unfortunately, cyber criminals have a way of ignoring regulatory standards and aren’t interested in actually advertising anything. Their malicious agenda can take many forms. Our Snapchat user above was likely hit by a bulky redirect that couldn’t load the phony page because it was already downloading a trojan (aka backdoor). A hacker might try other malicious actions, including:
- Collect and send GPS coordinates, contact lists, e-mail addresses etc. to third parties
- Send SMSs to premium-rate numbers
- Subscribe infected phones to premium services
- Record phone conversations and send them to attackers
- Take control over the infected phone
- Download other malware onto infected phones
- “Push notifications ads” delivering alerts to a phone’s notification bar – when the user swipes to pull down the notification bar from the top of the screen, an ad shows up under Notifications.
- “Icon ads” inserted onto a phone’s start screen – when the user touches the icon, it usually launches a search engine or a web service.
- Send users on a detour to phishing sites that collect personal data
- Redirect users to pages containing malicious code
Since most websites choose to work with advertising networks rather than individual advertisers, ads are automatically aimed at targeted audiences as well as littered across all sorts of websites, even the more reputable ones. Moreover, the advertiser or operator of the page doesn’t keep track of where these ads exactly appear much-less whether the ads are running malicious scripts.
How does this affect me as a consumer?
Since ads are being driven by two main camps, consumers are being hit with a double whammy. Apart from a paid subscription of Youtube Red or a Google Contributor ‘ad removal pass,’ consumers will be hard put to escape pop-up ads. Ad-blockers, NoScripts, and others can reduce the number of ads users are plagued with, but they are not fool-proof.
Since redirecting mobile ads could create a jumping off point for attackers, the average joe must be vigilant and aware of what they are clicking. Advertising networks do not discriminate against age groups; if anything, they will target the younger set even more as youngsters are all about speed and are click happy. So, educating our young users on secure cyber habits is vital as well.
What can I do as a business?
What can I do as a user?
As malware writers try to earn money for their bad deeds, they will use increasingly clever techniques to try and trick users into clicking on their baited links and installing their malicious apps. So as users, we need to be especially alert while accessing online content on our devices.
Keeping security at the forefront, just as you would lock your car doors, the following cyber habits may prevent you from succumbing to clicking on a pop-up ad with malicious injected code:
- Install vetted mobile ad blockers to help avoid the pop-ups.
- Utilize known browsers that have increasingly incorporated protections to limit malicious intrusions, like Chrome, Samsung native browser, iOS Safari, etc.
- Research apps before installing, even reading the reviews will hint at whether the app sounds fishy.
- If an app requires more permissions to access functionality of your device than the free app you downloaded requires, then take a hard pass.
- If you are willing to pay, Youtube Red and Google Contributor Ad Removal passes will block all ads except the ones you choose to opt-in for.
If nothing else, think twice before installing untrusted software or clicking on strange looking links!!
Remember, mobile redirects are systemic and need to be addressed at scale. While these issues are being addressed, now is the time to educate your users with TechGuard® S.H.I.E.L.D’s™ award-winning Cybersecurity Awareness Training Solution. Don’t delay, get the message out there: “If you see a weird notification that entices you to play blackjack interrupting your daily newsfeed, THINK before you click!”
© 2018 Inspired eLearning, LLC. All Rights Reserved.