Malvertising and Other Online Mischief
Malvertising — or malicious advertising — is getting a bit more attention as of late. In essence, it’s just another method by which criminals attempt to infect user PCs with some form of malware — albeit a very scary form as it can reach so many users so easily.
The important point is that criminals will continue to exploit new methods to infect users with malware. Regardless of the method (e.g., malvertising, spear-phishing, infected websites, drive-by downloads, etc.), the objective remains the same: criminals want to obtain control over online identities.
So, what do you do to help protect against malvertising? As an end-user? As an organization seeking to protect employee information and identities? As a service protecting online customers?
Unfortunately, regardless of how careful we are as end-users, enterprises, customers or governments, the malware will get through. Again, even if we:
- Avoid certain websites
- Adhere to strict online practices
- Protect corporate networks with firewalls and intrusion detection
- Secure access to online customer accounts
The malware will infiltrate the perimeter — and it’s best to assume this has already taken place. And, the more sensitive the transaction or information at risk, the more sophisticated the attack.
Here are some best practices to help protect against malvertising and any other online threat.
End-Users & Online Customers
- Be safe. Practice safe browsing and always keep all your software up to date. Be educated and share good practices with others.
- Use suspicion. Don’t assume SMS, email and social networking messages are necessarily from legitimate acquaintances or businesses. Be suspicious and never reveal account or personally identifiable information.
- Switch it up. Where passwords are your only choice, use a passphrase technique such as taking the first letter of an easy-to-remember phrase AND use different ones for different sites.
- Take advantage. Always take advantage of advanced security controls offered by online providers. So many online thefts can avoided.
- Go mobile. To access online services, consider downloading and using mobile applications from legitimate app stores (i.e., no jailbreaking) versus traditional PC browsers.
Employers & Service Providers
- Secure in layers. Implement layered security controls for networks, employees and online customers. Perimeter security is just step No. 1.
- Protect identities. Ensure identities are well protected with controls beyond username and passwords with some form of two-factor authentication that is dynamic in nature.
- Go OOB. For higher-risk transactions, make sure they are confirmed on an out-of-band (OOB) channel to defeat malware that has initiated or modified transactions.
- Be smart. Consider both security and usability when introducing controls — the technology exists.