Is malvertising a threat only to individuals, or should I be concerned about organizational data as well?
Malvertising is a threat to all data, including organizational data.
Malvertising is a form of online criminal fraud in which bad actors embed malware in, or behind, what looks like a legitimate online advertisement. The ad draws in the viewer by offering a product or service; when the viewer selects the link, they are either taken to an impostor site or malware is downloaded directly.
In a December 2022 public service announcement, the FBI warned online users about malvertising, specifically search engines that are unknowingly displaying tainted advertisements. This is an effective social engineering technique because many users believe that by using a search engine they are safe, unaware that some of the ads placed at the top of a search results page are a trap.
The FBI describes the methodology better than I can:
Cyber criminals purchase advertisements that appear within internet search results using a domain that is similar to an actual business or service. When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result. These advertisements link to a webpage that looks identical to the impersonated business's official webpage.
In instances where a user is searching for a program to download, the fraudulent webpage has a link to download software that is actually malware. The download page looks legitimate and the download itself is named after the program the user intended to download.
These advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms. These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds.
Source: https://www.ic3.gov/Media/Y2022/PSA221221
Just like individual users, organizations use search engines to look for goods and services, including financial services. Employees run those searches from organizational devices and, on an impostor site, enter organizational credentials, so any organization whose staff select a bad advertisement is at risk: the malware lands on a company endpoint and the stolen login grants access to company accounts.
The FBI provides the following prevention tips for business:
- Use domain protection services to notify businesses when similar domains are registered to prevent domain spoofing.
- Educate users about spoofed websites and the importance of confirming destination URLs are correct.
- Educate users about where to find legitimate downloads for programs provided by the business.
Source: https://www.ic3.gov/Media/Y2022/PSA221221
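The first two tips above both come down to the same check: does the domain a user is about to visit actually belong to the business, or is it merely similar to it? The script below is an added example of how a security team might automate that check for ad and search-result destination URLs; it is not code from this column, from The McCalmon Group, or from the FBI advisory. The allowlist KNOWN_GOOD, the homoglyph table, the shortened public-suffix list and the sample URLs are all constructed for illustration.

```python
"""Flag destination URLs that impersonate an organisation's own domains.

Added example. KNOWN_GOOD, HOMOGLYPHS, MULTI_LABEL_SUFFIXES and the sample
URLs in main() are constructed assumptions, not data from the FBI advisory.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist: the registrable domains the organisation really owns.
KNOWN_GOOD = {"examplebank.com", "examplesoftware.org"}

# Tiny stand-in for the Public Suffix List; a real deployment should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Substitutions that look alike at a glance. Multi-character entries are listed
# first so "rn" -> "m" is applied before "1" -> "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]

MAX_EDITS = 2  # brand labels within this edit distance count as look-alikes


def registrable_domain(host: str) -> str:
    """Part of the host a registrant controls: login.examplebank.com -> examplebank.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """Label immediately left of the public suffix: the part a user actually reads."""
    return domain.split(".")[0]


def normalise(label: str) -> str:
    """Undo look-alike substitutions so exarnp1ebank compares equal to examplebank."""
    out = label.lower()
    for glyph, plain in HOMOGLYPHS:
        out = out.replace(glyph, plain)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched known domain).

    Verdicts: legitimate, brand_in_subdomain, lookalike, unrelated, invalid.
    The URL must carry a scheme; bare "examplebank.com" parses as a path.
    """
    host = urlsplit(url).hostname
    if not host or "." not in host:
        return ("invalid", None)
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return ("legitimate", reg)
    for good in sorted(KNOWN_GOOD):
        # examplebank.com.secure-login.net: the real name is only a subdomain of the attacker's.
        if f".{host}.".find(f".{good}.") != -1:
            return ("brand_in_subdomain", good)
    label = normalise(brand_label(reg))
    for good in sorted(KNOWN_GOOD):
        good_label = normalise(brand_label(good))
        # Brand embedded with extra words (examplebank-support) or a near-miss spelling.
        if good_label in label or edit_distance(label, good_label) <= MAX_EDITS:
            return ("lookalike", good)
    return ("unrelated", None)


def main() -> None:
    # Constructed sample of ad destination URLs, as they might appear in a proxy log.
    samples = [
        "https://www.examplebank.com/login",
        "https://examp1ebank.com/login",
        "https://exarnplebank.com/",
        "https://examplebank.com.secure-login.net/",
        "https://examplebank-support.com/download",
        "https://unrelated-retailer.com/",
    ]
    for url in samples:
        verdict, matched = classify(url)
        print(f"{verdict:18s} {url}" + (f"  (impersonates {matched})" if matched else ""))


if __name__ == "__main__":
    main()
```

Two caveats for anyone adapting this. The substring and edit-distance rules are heuristics: a short brand label such as "hp" will match far too much, so thresholds should be tuned per domain and the output treated as a triage queue rather than a block decision. And the check only inspects the hostname; it does not tell you whether the site behind a legitimate-looking host is serving the real download, which is why the third FBI tip (publishing where the genuine downloads live) still matters.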
Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years of combined experience assisting employers in lowering their risk, including answering questions like the one above through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.
If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to ask@mccalmon.com. Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.