Advertising Trouble: Malicious ads that inject onto banking websites

Independent Banker -- Oct 2015 -- Advertising TroubleBetween 5 and 15 percent of all visitors to some banking websites see ads there that don’t belong, according to some cybersecurity surveys. Some of those ads are barely legal browser plugins and extensions or ads placed by mobile carriers trying to make more money from abusing their users’ trust. However, increasingly such ads are injected into the sites by illegal malware, cybersecurity experts say.

Mobile banking customers are also more susceptible to these maliciously injected website ads because protecting their smartphones or tablets from infections requires particular care. Their mobile service carrier or a WIFI provider could also be inserting these ads—sometimes dubbed epoaching—even if their devices aren’t infected.

This year Google Inc. has received more than 100,000 complaints about injected ads, more complaints than for any other topic. In a recent study, the technology giant found more than 84,000 different types of software injecting ads onto public websites and stealing clicks and Web traffic from people visiting those sites.

Unfortunately, these injected ads are not just annoying but vectors for dangerous malware. Some have appeared as a login box or a text field asking for an email address, according to Chemi Katz, cofounder and CEO Namogoo Technologies Ltd., a malware security software provider in Israel. And these ads appear on the actual bank pages, where consumers expect logins and hyperlinks to be legitimate.

More software security vendors are surfacing to tackle the problem for banks, retailers and other businesses. San Francisco-based RiskIQ Inc. has a service to detect the ads. Namagoo Technologies offers a solution that it says identifies and blocks more than 25,000 types of this malware. Mountain View, Calif.-based Shape Security Inc. offers a service that scrambles webpage content behind the scenes to confuse these intrusions. Cabara Software Ltd., another Israeli company, offers software to help protect against this threat.

Here are four steps your community bank can take to fight injected website ads:

Step 1: If your community bank is using a third-party provider to host its website, ask the company what it plans to do about preventing injected ads. Don’t take “there’s nothing that can be done” for an answer, because other software companies are providing safeguards.

Step 2: Let your community bank’s customers know that there should be no ads on your bank’s website, and make it easy for them to report ads that do show up. That will help receive reports of any infections and gauge the scope and seriousness of the problem.

Step 3: Contact the advertisers that are using these malicious networks (most of the time, they’re also victims) as well as Google Inc. (the company is helping to crack down on this threat) and federal authorities and regulators. If enough people speak up, officials and law enforcement could take action.

Step 4: Once you know the scope of an ad-injection problem and the risk it poses, talk to security vendors or investigate the possibility of building your bank’s own security measures. Start with using the browser-provided content security policies and writing Javascript code that checks whether a Web page has been manipulated. The bad guys can work around this, but most websites don’t defend against the problem at all, so any amount of defense will be much better than nothing.

Read full article at Independent Banker.