Block exploits and malware by blocking ad networks and ads

Exploits and malware – sometimes even highly advanced ones – are distributed via ad networks and hacked websites. And while you can’t control the latter even with a whitelist policy on your web proxy, you can control which ads are seen on your network.

The way it works: 

Hackers know that every website you load (CNN, Forbes, etc.) loads dozens of external resources – ads, fonts, scripts, content, tracking cookies.

Which one is easier to hack on: the website of CNN, which has dozens of security engineers taking care of its defenses, or a small ad network managed by two guys in their garage, which by chance serves ads there today?

The hackers break into the ad network’s servers and insert their own malware alongside or instead of the legitimate ads. The unfortunate news site then serves this malware, all while being perfectly secure itself.

Malvertising

The term means serving malware via ad networks. Recent news reports have shown malware being served even on YouTube via AdSense (Google). If even Google can’t control what its ad network is showing to your employees, isn’t it time to do something about it yourself?

From my experience, a significant percentage of all malware incidents in a company are generated from malicious ads. If you can decrease the malicious incidents at your company by 30% just via blocking ad networks, you should.

Not to mention an added benefit: better browsing experience, less tracking for your users, better privacy, and last but not least – less bandwidth utilization, by as much as 5-10%!

Blocking ads via browser extensions

Browsers cannot block ads on their own, as they can’t distinguish advertising from non-advertising elements. To block ads in your browser you need an extension (which should also be easy to distribute in corporate environments – just follow your browser’s manual).

Many are already using ad-blocking extensions on personal devices – it is time to convince management and IT to start adopting the practice in the corporate world.

uBlock Origin is readily available for most browsers. It is the most widely adopted and most effective measure against ads and malvertising in Chrome.

uBlock Origin for Firefox can be found here: uBlock Origin for Firefox

If you use the Safari browser, you can find an extension to block ads in it here: https://ublock.org/safari/

Advertising networks are getting smarter, just as malware writers got smarter over time, and the blacklist approach is starting to lag behind, but we should keep doing our best. Even though AV detection rates are diminishing, we still use antivirus at work. The same applies to blocking ads: even though there may be new and unknown delivery hosts every day, we should use ad-blocking techniques all the time to block at least the most widely used ad distribution networks and prevent malicious code distribution through them.

Blocking ads via a HOSTS file

On Linux and Windows (as well as FreeBSD, Mac OS and other operating systems) you can block ads by redirecting ad network domains to localhost.

You can read more about this extremely effective technique at https://github.com/StevenBlack/hosts

Pretend to be using a different browser?

Exploits target specific versions of browsers on specific operating systems.

When you visit a website serving malware through exploit kits, the exploit kit’s job is to determine your software versions and send you the correct exploit.

If you mimic a different browser by changing your User-Agent string, the exploit sent to you will be the wrong one – and will most likely fail.

Changing User-Agent strings is a bit too technical for this article – and I presume that those who know what it means will know how to implement it. For everyone else – just continue reading the article!

Block redirects

Redirects have long been blocked by default in Chrome, and if you install and configure your uBlock extension in it, you are covered by both Chrome and the extension.

It works well, I am happy with this combination and recommend it.

If you must deploy a solution for this across the enterprise, block 302 redirects on your web proxy appliance; that takes care of the problem company-wide.

Talk to your corporate proxy administrator

Your web proxy appliance (or your handy proxy admin) can block ad networks without you having to modify your own or every other computer on the network. This has the added benefit of centralized management and easy troubleshooting in case a domain needs to be unblocked.

Block ads at the gateway level

There is a really nice tutorial at https://medium.com/@alexellisuk/lightweight-ad-blocking-with-dnsmasq-and-raspberry-pi-665dbb3242e3 on blocking ads using dnsmasq and a Raspberry Pi. You can easily scale this to enterprise size by scaling up the hardware. The setup takes less than 30 minutes and can be performed on any gateway, provided it runs an OS capable of running these packages. Pixelserv is used to serve 1×1 GIF pixels to prevent 404 errors from the blocked ads and to enhance the user experience – otherwise you will see all kinds of nasty rendering bugs on your web pages. Note: this method does not block text ads, so it is still recommended that you also use one of the browser add-ons mentioned above.
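The HOSTS-file approach and the dnsmasq gateway approach use the same raw material: a list of ad-network domains pointed at a sink address. As an added example (not from the original article, the StevenBlack list or the dnsmasq tutorial), the Python script below reads a hosts-format blocklist, drops comments, localhost lines, malformed and duplicate names, turns the result into dnsmasq address= rules (collapsing subdomains already covered by a parent, since dnsmasq applies a rule to the whole subtree), and lets you check whether a given hostname would be caught. All domains in it are constructed placeholders.

```python
import re
from typing import Iterable, List, Set

# Constructed sample in the hosts-file format used by lists such as StevenBlack/hosts.
# The domains below are placeholders, not real ad-network hosts.
SAMPLE_HOSTS = """\
# Title: constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test   # inline comment
0.0.0.0 tracker.example-adnetwork.test
0.0.0.0 ADS.EXAMPLE-ADNETWORK.TEST
0.0.0.0 bad_host!.test
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}   # addresses blocklists point ad hosts at
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

def parse_hosts_blocklist(text: str) -> Set[str]:
    """Collect blocked domains: keep only lines that map a name to a sink address,
    drop comments, localhost entries, malformed names and case-variant duplicates."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or "." not in name or not DOMAIN_RE.match(name):
                continue
            blocked.add(name)
    return blocked

def to_dnsmasq(blocked: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Emit dnsmasq 'address=/domain/sink' rules. dnsmasq applies such a rule to the
    domain and every subdomain, so entries already covered by a parent are dropped."""
    kept: List[str] = []
    for d in sorted(set(blocked), key=lambda d: (d.count("."), d)):   # parents first
        if not any(d.endswith("." + p) for p in kept):
            kept.append(d)
    return [f"address=/{d}/{sink}" for d in sorted(kept)]

def is_blocked(hostname: str, blocked: Set[str]) -> bool:
    """True if the hostname or any parent domain (but not the bare TLD) is listed."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

if __name__ == "__main__":
    print("\n".join(to_dnsmasq(parse_hosts_blocklist(SAMPLE_HOSTS))))
```

Redirect the output into a file under /etc/dnsmasq.d/ on the gateway and reload dnsmasq; the same parsed set can be written back out as hosts-file lines for the per-machine approach.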

Besides blocking malware, there are other benefits to blocking ads: less traffic and a faster, safer browsing experience. After all, why would you want to load a 10-second clip of someone selling you stuff you don’t want, thousands of times per day for every single employee of your company?