Poisoning the stream: Malvertising's toll on publishing

Malvertising used to be something you'd find in the dark alleys and bad neighbourhoods of the internet. No longer.

RiskIQ recently reported a 400 percent rise in malvertising in the first half of 2016. Late last year Ernst and Young, collaborating with the Interactive Advertising Bureau, estimated the bill for advertising fraud to be US$8.2 billion (£6.2 billion). US$1.1 billion (£842 million) of that was lost to malvertising alone.

Numbers that big can't be dismissed as petty scams on porn sites and streaming hubs. No, this year seemingly everyone is a target. Not least the western world's most important publishers and media companies.

The Independent, The Daily Mail, The New York Times, The Hill, MSN, AOL, Forbes, Newsweek, the BBC and even Yahoo all ended up serving malicious advertisements to users throughout this last year, exposing potential millions to infection. Not only did malicious ads appear on some of the most popular and established news outlets, they were served through large, credible ad networks.

So who dropped the ball here?

Was it the third parties who serve the malicious ads? The ad networks who let those malicious ads run unnoticed? The publishers who host the ad space? Or even the users?

It's not quite clear who should be doing their job better. Clouding the picture is that the whole process is underpinned by something called real-time bidding.

Advertisers buy a certain number of impressions from a certain demographic through an ad network, which sells ad space from the publisher's website.

When that particular demographic visits the site, whoever has paid the most for them gets to show their ads, normally through an iframe. Complex, right?

At any one second, there are multiple levels of interaction and a plethora of actors involved in the presentation of one solitary ad to one solitary visitor. “You've got to look at the way the ad ecosystem functions. The reality is that it's very complex and very layered,” Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told SC.

That complexity frustrates not only understanding exactly where the ads are coming from, but also whether or not they're malicious.

“Nobody wants to take ownership of the problem,” said Segura: the publisher will say it's the ad network, the ad network will say it's the advertiser, and so the buck is passed around.

It also doesn't seem all that hard to trick the ad networks even if they are watching what's running through their platform.

Ad networks do put in place checks and barriers against malicious exploitation. Google's DoubleClick apparently requires certain standards of security before it will deal with a third party. AppNexus has its own in-house anti-malware solution called Sherlock.

“The problem we're seeing,” added Segura, “is the sophistication and the degree to which rogue advertisers are going to, you can still bypass those security checks.”

Through a mixture of technical expertise and social engineering, malvertisers find their way through even leading ad networks.

There are a variety of tactics malvertisers use to hide their activity from the ad network or publisher. Launching malicious ads on days when ad networks aren't watching, limiting attacks to only a fraction of visitors, refining the malvertisements' targeting, or delaying the malicious behaviour until a while after the ad's approval are all tactics that have been observed in malvertising campaigns.

Rogue advertisers, added Segura, will spend months building legitimacy with an ad network by buying ad space for perfectly kosher ads. Once the advertiser is trusted, it can deploy its campaign at a time of small risk and huge payoff.
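As an added illustration (not from the article, Malwarebytes or RiskIQ), the toy Python model below shows why the tactics described above defeat a single review-time check: a cloaked creative behaves cleanly on the day it is reviewed and for untargeted visitors, so only repeated re-checks across days and visitor profiles expose the change in behaviour. All names, day numbers, profiles and URLs are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product

REVIEW_DAY = 0          # day the ad network reviews and approves the creative
UNWATCHED = {5, 6}      # days of the week when, per the article, nobody is watching
DELAY_DAYS = 14         # "delayed activation": stay clean for two weeks after approval


@dataclass(frozen=True)
class Profile:
    """Constructed visitor profile a scanner can impersonate."""
    region: str
    browser: str


def rogue_creative(day: int, profile: Profile) -> str:
    """Constructed cloaked creative (placeholder URLs, not real indicators).

    Returns the landing URL the creative would send this visitor to. It serves a
    clean page during review, for untargeted profiles and on watched weekdays,
    and only swaps in its redirect for targeted visitors once it is 'active'.
    """
    targeted = profile.region == "US" and profile.browser == "ie"
    active = day >= DELAY_DAYS or day % 7 in UNWATCHED
    if targeted and active:
        return "http://rogue.example/redirect"      # placeholder
    return "http://clean.example/landing"           # placeholder


def approve_once(creative, reviewer: Profile) -> str:
    """One-shot approval: record what the creative serves on review day."""
    return creative(REVIEW_DAY, reviewer)


def rescan(creative, baseline: str, days, profiles):
    """Continuous re-verification: flag every (day, profile) whose landing URL
    differs from the approved baseline. Behaviour change, not a URL blacklist,
    is the signal, so it catches redirects the reviewer has never seen."""
    return [(d, p) for d, p in product(days, profiles)
            if creative(d, p) != baseline]


if __name__ == "__main__":
    reviewer = Profile("DE", "chrome")
    base = approve_once(rogue_creative, reviewer)
    probes = [Profile(r, b) for r, b in product(["US", "DE"], ["ie", "chrome"])]
    print("approved as:", base)
    print("hits:", rescan(rogue_creative, base, range(21), probes)[:3])
```

Re-scanning with only the reviewer's own profile finds nothing even after the delay, which is the point of the targeting tactic: the scanner has to vary who it pretends to be, not just when it looks.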

It's a great scam, too. It involves a low investment and a potentially very high return. One thousand impressions might cost less than one pound; if even a fraction of those impressions turn into successful ransomware infections, the profit margin could be gigantic.

Ben Harknett, vice president for EMEA at RiskIQ, told SC that the reasons for that continued popularity are several-fold: “Malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has introduced sophisticated profiling capabilities which can be exploited by cyber-criminals to precisely target specific populations of users. Bottom line is that the ROI (Return On Investment) on malvertising is higher than many other tactics.”

Even with phishing, you have to get the target to click on a link. Malvertising is commonly performed via a drive-by download, where the user doesn't even have to be tricked into clicking on a malicious link; the ad merely delivers the infection through the iframe, often without the user's knowledge.

Sometimes the ad will download software which collects information from the user's computer; sometimes ad bots are downloaded to add the machine to a wide-ranging ad-fraud network. Ransomware is also common, encrypting the unfortunate victim's files and charging to decrypt them.

This isn't just a threat to users who might get infected, but also to the publishers and media companies who rely on the credibility of that advertising. At a time when many legacy media companies are struggling to figure out how they survive in the digital future, this problem is critical.

Adblockers have become very popular in recent years, perhaps in response to the uptick in malvertising. According to one study by PageFair, the number of users of adblock software was a modest 21 million in 2010 and by June 2015 it was nearly 200 million.

Needless to say, adblockers are not particularly welcomed in the advertising world. Many websites don't allow access to browsers with adblockers enabled and according to that aforementioned Ernst and Young study, adblocking takes US$781 million (£598 million) out of the ad industry every year.

Brian O'Kelley, CEO of AppNexus, writing for Forbes, concluded simply that when faced with the problem of fraudulent ads, “ad blocking isn't the answer”.

Yet their use might be vindicated. In January, Forbes stopped allowing access to browsers with adblockers enabled and soon after served malvertisements to its users. At the time Engadget reported, “visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information.”

How to break this impasse, then? Mike Zaneis might have a solution. He heads up the Washington DC based Trustworthy Accountability Group (TAG), an ad-industry body whose mission is to combat ad-fraud and malvertising.

“The Federal Trade Commission and software security companies have done great work in educating the public about the nature of the problem and we need to help consumers close security holes on their computers and other devices so that they are not easy victims,” Zaneis told SC.

In the private sector, fortunately, there is a strong incentive not to merely overlook this problem: “this is an instance where consumer protection and business interests align perfectly.”

Collaboration seems to be the current watchword for cyber-sec, so why not advertising? TAG has started collaborating with law enforcement and developed an anti-malware program to share best practices across the ecosystem: “By including marketers, agencies, networks, and publishers, TAG's program will be able to identify legitimate actors and clean creative as it moves from the advertiser all the way to the consumer. A shared responsibility requires a shared solution by all of the business partners that make this one of the most productive parts of the global digital economy.”

Some have noted a drop in large-scale malvertising attacks. Segura wrote in a blog for Malwarebytes earlier this year that the disappearance of the Angler exploit kit has coincided with this decline in large campaigns. He speculated in his post, “threat actors are busy reorganising planning for their next objectives and malvertising is most likely going to remain their weapon of choice to drive traffic to their malicious payloads.”

Maybe next time, we'll be better prepared.