Pretty much nobody likes to see adverts when they browse the Internet. But the fact is that we’ve come to accept them as a necessary evil. Another thing is interstitial ads, or the banners that jump from one place to another covering up content, and which, without a shadow of a doubt, end up giving a bad user experience.

However, if only this were the only harm that these ads could cause; at times, the banners we see most often day to day can end up becoming a real cybersecurity problem and a lure for cybercrime, especially in the business environment.

A draw for XSS attacks

The researcher Randy Westergren has found one of these security bugs. As he has been able to demonstrate, there is a kind of ad that is particularly vulnerable: those that are activated using the iFrame Buster, which makes a banner expand when the cursor is passed over it.

Westergren affirms that a significant (but unspecified) amount of these ads allow iFrame Buster to trigger an XSS attack that can access the website in question’s cookies, as well as the DOM (Document Object Model – the structure that prioritizes the elements generated by the browser when it loads a website) and several other identification services. If this happens while the employee of a company is browsing the Internet, this malware could obtain information or a way into the company, all of which would put the whole organization’s corporate cybersecurity in serious danger.

A more wide-spread problem that it may seem

When we see this kind of threat, it’s always tempting to think that the attacks only happen on strange, fringe websites, or websites that no one in their right mind would trust. However, nothing could be further from the truth: Randy Westergren asserts that it has even infected ads managed by Double Click, Google’s own ad service.

And the fact is, as the expert puts it, the problem doesn’t necessarily lie in the ads themselves, nor in the browsers. The issue starts with advertising agencies, which often choose to develop their own iFrame Busters. This leads to them being incorrectly developed, giving rise to these points of entry being opened up.

Thus, the danger isn’t confined to just sporadic, marginal websites, but rather it is also found on large sites, many of which can be visited by any employee in a company, even if they are on the website for strictly professional reasons. It is therefore not a case of an employee spending their time browsing websites for their own enjoyment and endangering their company’s cybersecurity; the danger can even get in when someone is working effectively.

So the cybercriminals that make use of these tactics will have it easier than ever, since they won’t even need to keep employees busy with suspicious websites or activities; they’ll be able to reel in these employees when they’re browsing normal websites.

How to avoid these attacks

XSS attacks can cause serious problems for corporate cybersecurity, which means that companies of all kinds must be on the look out to keep cybercrime from knocking at their doors. They can do so in two ways:

1.- Raising awareness. We’ve said it on numerous occasions: most of the time, employees are the weakest link in the chain of cyberattacks, becoming the perfect victims because of their lack of knowledge about the potential risks they’re exposing themselves to. This is why it is so important that companies ensure at least a minimum of awareness about cybersecurity: making sure employees don’t trust suspicious websites, extending banners, sites that request more permissions than expected and so on. In any case, anyone can be a potential victim, which means, if they have even the slightest doubt, employees must refer any suspicion to the cybersecurity team to keep the attack from spreading to the rest of the company in the case of an intrusion.

2.- Cybersecurity solutions. Cybersecurity can never depend on employee awareness alone, so it’s vital that companies have cybersecurity services and solutions such as Panda Adaptive Defense, that not only act in case of an incident, but also work preventively, analyzing the possible risks, and constantly updating security protocols in the face of new threats. In the case of vulnerabilities in third party applications, as would be the case here, it’s also vital to have a specific solution that also automatically manages updates and necessary patches – a solution like Panda Patch Management.

Problems with corporate cybersecurity don’t necessarily have to get in using organized cyberattacks, nor with attachments in emails: they can happen even when browsing normally, so companies must stay vigilant to keep cybercrime from getting into their company.