“The malware doesn’t just launch onto the person’s device and start doing bad things, unless they are unpatched,” he said. “Usually, the user has to manually and actively allow the malware content to run (versus just displaying a web page). So, users must be made aware that malicious advertising exists, and that if they don’t manually allow the content to run, usually they will be safe from it.”
For CISOs, the report shows how important it is to run an ad blocker as well as other defenses, said Johannes Ullrich, dean of research at the SANS Institute, and not just in case employees ignore company policy telling them to stay away from unapproved websites. “Sadly,” he said in an email, “malicious ads are still showing up on legitimate sites, too.”
Campaigns have multiple stages
In this campaign, the majority of the malware distribution went through GitHub, and Microsoft, which owns GitHub, blunted the campaign by taking down the infected repositories there. But GitHub is not the only site to be abused in this way; Ullrich said it’s a “difficult” problem for all file-hosting sites.