Best practices for defeating malvertising attacks
Guest column: Ted Dhanik, CEO of engage:BDR, talks about an increasing problem: the use of advertising as a distribution method for malware, and what publishers can do to combat it
Malvertising is an increasingly common threat to the Internet advertising industry, yet many publishers and advertisers aren’t fully aware of how much the issue affects them. Malvertising is the use of advertising as a distribution method for malware. Malvertisers exploit ad networks by delivering sophisticated drive-by exploits from popular underground websites to compromise end user devices. Unlike spam, which requires a user to click on and interact with a malicious email, malvertising doesn’t require clicks, but instead leverages vulnerabilities within browsers to turn ads into malware. A consumer can unknowingly turn their computer into part of a botnet or, worse yet, compromise their own security simply by loading a publisher’s page that holds a malvertisement.
These invasive ads are maneuvering past advanced network security solutions in large enterprises by disguising themselves as real buyers in order to take advantage of Real-Time Bidding (RTB) platforms. The scammers are incredibly savvy; a malicious advertiser may use RTB platforms to serve what appear to be normal ads the majority of the time, in order to establish legitimacy and trust on the platform. However, it’s easy to add redirection code and switch from a legitimate ad banner to a drop site that hosts an exploit kit. Once the malvertiser detects that he has infected several endpoints, he removes the redirection code and goes back to serving standard ad banners. He then “burns” his temporary exploit kit drop site, moving his exploits to another location for a new campaign. This allows the malicious advertiser to perform “hit and run” attacks, and still maintain a presence on the advertising marketplace without drawing attention.
According to Invincea’s advanced threat trend report, June 2015 was the worst month so far on record for advanced threats delivered via malvertising. The threat affects every layer of the digital advertising ecosystem since each link in the chain is so intertwined. Once a malicious ad gets inside, it has the potential to harm relationships across the supply chain. There are several best practices that ad tech providers can adopt to help prevent malvertising in their ecosystems.
The first is to apply tech-based scanning. Since malvertising has the potential to get in through buy-side platforms, scanning tags could help alleviate the threat. Industry players have the opportunity to scan all tags before they go live to ensure that ads are clean and safe. By looking at ads from the tech perspective before they go live, platforms can flag any malicious material and weed out potential infections. It’s helpful to have a minimum 72-hour incubation period of thorough scanning before ads go live, and frequent scanning should continue throughout the campaign flight. Once something malicious is identified, not only should the ad be pulled, but the entire account of the person or organization trying to run the campaign should also be closed. Applying several scanners that use different methodologies, as well as human eyes, can help provide a double layer in identifying malware.
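The scanning policy above, combined with the banner-to-drop-site switch described earlier, can be expressed as a check over a tag's scan history. This is an added example, not code from the column or from engage:BDR; the scan record format, scanner names, decision labels and `.example` hosts are hypothetical, and treating a single scanner flag as sufficient is an assumption.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

INCUBATION = timedelta(hours=72)  # minimum pre-launch scanning window named in the article

def landing_host(chain):
    """Host of the final URL in a recorded redirect chain."""
    return urlsplit(chain[-1]).hostname

def review_tag(scans):
    """Return (decision, reason) for one ad tag given its time-ordered scan history.

    Each scan is a dict (hypothetical record format): 'at' is a datetime,
    'chain' the list of URLs the tag redirected through, and 'verdicts'
    maps a scanner name to 'clean' or 'malicious'.
    """
    if not scans:
        return "hold", "no scans recorded"
    baseline = landing_host(scans[0]["chain"])
    for scan in scans:
        flagged = sorted(n for n, v in scan["verdicts"].items() if v == "malicious")
        if flagged:  # assumption: one scanner flagging is enough to act
            return "pull_ad_close_account", "flagged by " + ", ".join(flagged)
        host = landing_host(scan["chain"])
        if host != baseline:  # banner now lands somewhere it did not at first scan
            return "pull_ad_manual_review", f"landing host changed: {baseline} -> {host}"
    if scans[-1]["at"] - scans[0]["at"] < INCUBATION:
        return "hold", "scans do not yet cover the incubation period"
    return "approve", "clean and stable across the incubation period"

# Constructed sample data; the .example hosts and scanner names are placeholders.
T0 = datetime(2015, 6, 1, 9, 0)

def scan(hours, final_url, a="clean", b="clean"):
    return {"at": T0 + timedelta(hours=hours),
            "chain": ["https://tags.buyer.example/t/1", final_url],
            "verdicts": {"scanner_a": a, "scanner_b": b}}

BRAND = "https://shop.brand.example/landing"
STABLE = [scan(h, BRAND) for h in (0, 24, 48, 72)]
TOO_EARLY = [scan(h, BRAND) for h in (0, 24)]
SWITCHED = STABLE + [scan(96, "https://cdn.other.example/x")]
FLAGGED = TOO_EARLY + [scan(30, BRAND, b="malicious")]

if __name__ == "__main__":
    for name, history in [("stable", STABLE), ("too_early", TOO_EARLY),
                          ("switched", SWITCHED), ("flagged", FLAGGED)]:
        print(name, review_tag(history))
```

The `SWITCHED` history passes every scanner yet is still pulled for human review, because a tag that changes its landing host mid-flight matches the hit-and-run pattern even when no scanner has caught the payload.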
The next step is making sure you thoroughly research your clients. Open, self-serve buying is a thing of the past. Scammers have achieved incredible sophistication and will go to great lengths to sneak through your security. Some bad actors will go so far as to steal the identities of actual media buyers to appear real. For instance, they might say they work at a specific agency and even have a LinkedIn page that aligns; however, their email address and phone number might not quite match up. A strong vetting process ensures that LinkedIn accounts line up with email addresses and phone numbers and that the information is accurate, among other layers of verification. By talking to users and trying to understand their business goals, a network can also ensure that the identity lines up.
Malvertisers continue to evolve and so too should industry players, in order to guard against them. It is hard to predict what they may do next, so it doesn’t make sense to establish one strategy and stick to it. Instead, we have to evolve just as quickly as they do by staying in lock step with the criminals. As an industry, we not only have to participate in anti-malware associations and work groups, but we have to be willing to work with competitors and contribute knowledge, so that we can identify weaknesses across the supply chain. The IAB’s anti-malware working group is a good example of a place where companies in the industry can communicate and gain insights to help improve their systems.
Advertising should not be malicious to consumers; this would be detrimental to the entirety of the digital advertising business. It’s imperative that our industry gets ahead of the threat of malvertising before it’s too late.
As co-founder of engage:BDR, Inc., Ted Dhanik serves as Chief Executive Officer, overseeing strategic marketing, sales and business development, client relationship management, and content acquisition.