US Senate reviews the security challenge of malvertising

Questions raised over the opacity of ad server bidding processes contributing to malware delivery via adverts.

The running security issue with so-called 'ad farms' operated by Google and Yahoo resurfaced this week after the US Senate heard testimony from the two IT companies about the dangers of targeted infections on the ad servers, which in turn lead to the infection of third-party websites. The attack vector has been called 'malvertising' by some security vendors.

Ad servers can serve multiple websites which may have chosen to outsource their advertising and generate a steady stream of extra revenue. Problems have surfaced in recent years when cybercriminals - mindful of the potential for onwards infection - started targeting the ad servers with all manner of attacks, hoping to infect the servers with their malware.

Yahoo's ad network was reportedly compromised late last year, potentially resulting in infections of visitors to third-party sites that had the Yahoo advertising stream on their pages.

In its ongoing investigation into the issue, the US Senate is looking to confirm whether the ad servers operated by companies like Google and Yahoo cause privacy problems and give cybercriminals an easy route to infecting visitors to third-party client sites of the ad companies.

According to US wire reports, Senator Carl Levin and his team are reviewing whether the self-regulation approach the industry has used to date is enough - and whether government regulation is now required. If the US Congress favours this route, then it will likely pass the baton on to the Federal Trade Commission to implement any legislation.

The ad revenues involved are significant, with the Bloomberg newswire noting that online advertisers spent £25.5 billion (US$ 42.8 billion) in the US last year – exceeding the total for broadcast TV.

The situation is complicated by the fact that many ad server networks operate a complex bidding process, whereby advertisers that pay the most can achieve prime placement for their ads on third-party sites.

There have been reports of cybercriminals manipulating this process and outbidding other players in order to stream their infected adverts to unsuspecting users, and - ironically - charging the costs to stolen payment cards. This technique was reportedly used against security researcher Brian Krebs' site back in November 2011.

David Harley, a senior research fellow with ESET, remained doubtful as to whether the US Congress can tackle the ad server security issue.

“I don't have a problem with companies providing Internet, search, and social media services being to some extent accountable for the misuse of those services, but this isn't a problem that's going to be legislated away,” he said.

“It doesn't surprise me if they worry that if they're required to take absolute responsibility for malvertising, that they'll be hit with legal penalties and litigation every time they're seen to have failed to prevent some breach. And they will fail: malvertising is a complex technical issue. Information sharing does help – it's been a staple of the anti-malware industry for decades – but it won't put a stop to malvertising any more than it's put an end to malware in general.” 

Tim Keanini, Lancope's CTO, however, seems to be in favour of legislation, saying that the issue is a problem that has been looming for quite some time - and it is clever for the adversary to leverage the very processes that have made Yahoo and Google the giants they are today.

"I'm just surprised it has taken this long because the lack of authentication and authenticity mechanisms with online ads has been a ticking time bomb," he said, adding that, since the registration - and genesis - of a brand new site on the Internet is so easy and can often times be automated, adversaries can fire up and take down hundreds of malicious sites, all of them distributing these malware-based ads before they are detected and taken down.

Tim Erlin, director of product management at Tripwire, said that one alternative is to encourage the participants in the online advertising ecosystem to do a better job at catching malicious ads before they hit the Web page.

"This is typical of the US government's limited power in private industry. As recommended, this doesn't hold Yahoo or Google responsible for the malicious ads, but it does aim to enforce a minimum standard of validation for the content they ultimately deliver," he explained.