About two months ago, I was enjoying some well-needed downtime and preparing for a weekend trip to Big Bend when something interesting happened. I first noticed it while I was on wikiHow, figuring out how to fix a problem with my bike. While there, I noticed a spammy ad that looked familiar - that's when I realized I'd seen it the night before on a local weather site.
I decided to do a little digging: it's not the first time I've looked into spammy, malicious ads. But this one seemed to be following me around across different destinations - somewhere along the way, a cookie must have been dropped on my device, and it was persistent. While that's not unusual behavior, what I discovered on further investigation was more disturbing.
After cycling through some of my recent destinations to see where else the ad would appear, I found it replicated across a few different sites, including Bleacher Report (go Cowboys) and TVLine. But most surprisingly, it also showed up on the CNN 2022 election site where I'd been tracking the midterms earlier that week.
That's when I knew I had to figure out where this ad wanted to take me and what it was ding on a public news site. After clicking, the ad directs to a download page for a browser extension. This was red flag number one: browser hijackers like ChromeLoader are becoming a serious problem - they can modify browser settings without user permission, download software, and track them across the Web over time.
Red flag number two: the software this ad wanted me to download had already been flagged as risky by multiple sites, as I determined with a trusty Google search. Strangely enough, none of the vendors on VirusTotal flagged the program as malware despite the fact that it clearly was. To me this suggests a pretty recent malvertising campaign.
As someone who spends time researching Web security, I wanted to do a deeper dive - unfortunately I didn't get a chance before the ad stopped showing up for me. But the fact that it appeared at all - and appeared on a site many Americans depend on for reliable information about upcoming elections - is concerning to me.
Browser hijackers are capable of all kinds of malicious activity - they might log keystrokes and they might provide a channel for ransomware attacks. Worst of all, they might be used to show misinformation based on a user's voting preferences to manipulate their decisions and beliefs.
In previous election seasons, malicious actors used recommended content and targeted advertising to spread propaganda – they used those same mechanisms to promote fake health products during the COVID pandemic – and the U.S Cyber Command is afraid they will try to interfere with the 2022 Midterms. Here’s an article about it from CNN (be careful).
The 2022 election season in the U.S is coming in hot – with geopolitical tensions rising, nation state actors have every incentive to target voters in any way they can. Even if that weren’t the case, Internet users should be able to depend on trusted sites like CNN not to serve them spammy advertisements that link to dangerous malware.
While many websites are impacted by this problem, media and news companies should be leading the way in scanning their web pages for this kind of content and removing the parties who put it there. I would say it’s part of their basic responsibility to non-paying readers and subscribers alike – what about you?