Online advertising is being heavily abused to spread spyware to unsuspecting internet users by exploiting the lack of comprehensive security, as well as technical and policy loopholes on the ad providers’ side.
An article from the Israeli publication Haaretz alleges that Israeli cyber firms have leveraged the aforementioned vulnerabilities to disseminate powerful spyware to selected individuals. Furthermore, this technology has reportedly been sold to non-democratic nations keen on surveilling activists advocating for free speech, regime critics, and their political opponents.
The firms mentioned in the report are Insanet and Rayzone, which have developed tools like ‘Sherlock’ that harness advertisements to reach specified targets and then collect intelligence. The most concerning part, according to Haaretz, is that advertising service providers like Google, Apple, and Microsoft have failed to block these attacks, and there doesn’t appear to be a practical method to stop spyware infiltration into their advertising systems.
How ad-bidding works
The ad bidding process, commonly associated with programmatic advertising, is a real-time auction system for ad placements on websites and applications.
A user visits a site or opens an app that hosts ad space, and the system generates a request to fill that space automatically, for which a real-time auction is initiated involving multiple advertisers. Based on user profiling, these advertisers determine the relevance of their ads for the particular user and adjust the bidding amounts accordingly. Ultimately, the advertiser that bids the highest wins the auction, and the user sees their ad.
Spyware distributors can disguise their malware as legitimate advertisements. When they win the bid, the malicious ad is displayed, and merely clicking on it (or sometimes even just viewing it) can lead to the installation of spyware on the user’s device.
At this stage, spyware distributors may choose either to indiscriminately attack anyone within a given space, like a website visited by their opponents, or to leverage data brokers to gather information on a category of users and only bid on ads targeting them. Haaretz mentions that new firms devoted to user profiling through online ads appeared in Israel during the COVID-19 pandemic, one being Intelos with its product ‘AdHoc.’
If a zero-day vulnerability is exploited for the infection, which is the case in most Israeli spyware, the ad will run code that leverages an unknown flaw in the target’s web browser or its plugins to perform a “zero-click” infection, meaning that no additional interaction from the user is required.
Haaretz labels this as “indefensible” because these infection mechanisms are embedded so deeply in the ubiquitous online advertising system. Considering that even up-to-date software can be easily breached using undocumented exploits, the induced sense of vulnerability is understandable. However, there are simple yet powerful measures a user can take to mitigate spyware or malware infection threats, most notably ad blockers.
Ad blockers to the rescue
A good ad blocker is currently the simplest and most effective tool to help people defend against state-operated intelligence-collection operations that involve advanced stealthy spyware.
Because internet ads are used as a funnel to serve various malware, including state spyware, simply blocking those ads eliminates a massive distribution channel and helps mitigate a large portion of the threat. Although the danger isn’t completely eradicated, the attack surface is significantly reduced.
At their core, ad blockers prevent advertisements from loading or being displayed on websites and online apps, support custom blocklists, limit tracking, enhance the user’s privacy by preventing extensive profiling, and give the user more control over their online experience.
However, it is essential to note that not all ad blockers are created equal, and their effectiveness in blocking risky ads or preventing tracking can vary depending on the underlying technology and code implementation. That is especially the case in the Manifest V3 era: Google introduced several restrictions that make it quite challenging for extension developers, particularly ad-blocker makers, to implement effective ad-blocking mechanisms while remaining compliant.
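To make the blocking logic concrete, the following is an added example (not RestorePrivacy’s code, nor that of any ad blocker) of the core decision an ad blocker makes for each sub-resource request, plus the same blocklist expressed as Manifest V3 declarativeNetRequest rules. The blocklist entries and the page and request URLs are constructed samples, and the “site” helper is a deliberate simplification that does not use a public-suffix list.

```javascript
// Minimal ad/tracker request filter in the style of a browser ad blocker.
// Added illustration; not the code of RestorePrivacy or any ad-blocker vendor.
// All hostnames and URLs below are constructed samples.

// Constructed blocklist: host suffixes treated as ad or tracking infrastructure.
const BLOCKLIST = ["ads.example", "tracker.example", "bid.adx.example"];

// Crude "site" of a host: its last two labels. Assumption: no public-suffix
// list is consulted, which is fine for the sample data used here.
function siteOf(hostname) {
  const labels = hostname.split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// True if the hostname equals a blocklist entry or is a subdomain of one.
function isBlockedHost(hostname) {
  return BLOCKLIST.some((entry) => hostname === entry || hostname.endsWith("." + entry));
}

// Block third-party requests to blocklisted hosts only, so the page's own
// assets still load while its ad slots (and the auction traffic) are cut off.
function shouldBlock(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const thirdParty = siteOf(page.hostname) !== siteOf(req.hostname);
  return thirdParty && isBlockedHost(req.hostname);
}

// The same blocklist as Manifest V3 declarativeNetRequest rules: under MV3 an
// extension declares static rules like these instead of inspecting each request.
function toDeclarativeRules() {
  return BLOCKLIST.map((entry, i) => ({
    id: i + 1,
    priority: 1,
    action: { type: "block" },
    condition: {
      urlFilter: `||${entry}^`, // "||" anchors the host and covers its subdomains
      domainType: "thirdParty",
      resourceTypes: ["script", "sub_frame", "image", "xmlhttprequest"],
    },
  }));
}

// Constructed page load: first-party assets plus an ad slot and its bid request.
const PAGE = "https://news.example/story";
const REQUESTS = [
  "https://news.example/app.js",
  "https://cdn.ads.example/slot.js",
  "https://bid.adx.example/rtb?slot=1",
  "https://img.news.example/photo.jpg",
];
const blocked = REQUESTS.filter((u) => shouldBlock(PAGE, u));
console.log("blocked:", blocked);
```

Of the four sample requests only the two third-party ad and bidding URLs are blocked; the rule set is what an MV3 extension would ship in its `declarative_net_request` static rules.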
For a selection of reliable and effective ad blockers, check out RestorePrivacy’s ad blocking guide, which covers comprehensive blocking solutions.
Finally, internet users should note that while ad blockers are powerful tools in defending against spyware, relying solely on them for protection is not advisable. Ad blockers should be a part of a holistic security approach, including antivirus software, safe browsing practices, firewall rules, and keeping the OS and all apps up to date by applying the latest available security updates.