The Demon in the Network
In the early 2000s, Rob Beeler—currently the content czar of online advertising community AdMonsters—received a message from a customer complaining about porn pop-ups appearing on his computer. At the time, Beeler worked for a company that sent out advertisements to different publishers on behalf of advertisers—essentially an early ad exchange.
Beeler was caught off-guard by the customer's accusation. There was no way this was his problem. The porn pop-ups were clearly indicative of the customer's own browsing habits, and Beeler typed out a response delicately stating such. But soon, more complaints started pouring in, prompting Beeler to turn off all the networks. At this point, he realized the problem was his.
“It had all the tell-tale signs that I now know of someone posing as an agency that had a short-term deal that they wanted to start right away,” Beeler says. He recalls the situation: the advertiser—ultimately the distributor of the malware—wanted to start an advertising campaign by the weekend, and everything was transacted over the phone. While Beeler's company typically performed credit checks, the process would not have allowed the campaign to start on time. Only afterward, when Beeler began looking into the entity he thought was a legitimate advertising agency, did he realize he'd been duped.
“If the deal is too good to be true, it probably is,” he says.
Exposed to a new threat, Beeler got in touch with other ad operations companies, and found they were experiencing similar issues. This made it easier to isolate and eliminate the troublesome campaign.
This was an early malvertising event—malware embedded in advertising assets on publisher websites. And as online advertising proliferates—eMarketer estimates around $24 billion in ad revenues in the U.S. by 2015—the arms race between malware developers and ad networks will continue. For black hats, inserting malware into ad networks is alluring: significant distribution across numerous heavily trafficked sites.
Indeed, in recent years publishers like Gawker, the New York Times, and Yahoo Mail have all been subjected to malvertising attacks. Robert Hoblit, senior director of product management at computer security solutions provider Symantec, cites the results of a survey Symantec conducted together with AdMonsters: “half of [directors of ad operations surveyed] stated they'd been victims of an attack in the past year.”
Hunting and hunted
“The spread of malware is a revenue problem for the ecosystem because malware … leads to blacklisting and browser flagging – preventing viewers from looking at pages, which takes away impressions,” Hoblit says. Additionally, it damages the reputation of both the publisher and the ad network.
Malvertising assumes a variety of guises: malware perpetrators can mimic real-life organizations, partner with a publisher or an ad network, and supply creative that looks and feels harmless but contains malware components. Alternatively, the attackers can hijack an ad server, obtaining the username and password that let them substitute legitimate creative with malware. Often, the malicious ad invites users to click on it, redirecting them to a website that serves malicious content. Users can also be exposed to malware that doesn't require clicks—the so-called drive-by downloads, where malicious software, such as a keylogger, installs itself on the user's device and mines personal data.
These are on the rise. Hoblit notes that in 2012 such attacks were up by a third. “The majority of what we [at Symantec] detect is drive-by,” says Hoblit. “The one thing that makes click-through downloads a little more attractive as an attack vector is that it's harder to detect. You do indeed have to click,” he explains.
The problem with combating malvertising is that for every measure implemented by ad networks—say, protections around downloads—there is a destructive countermeasure. Static approaches, such as blacklisting the domain from which malicious content is served, or setting up a scanning device at a static IP address, simply don't work. Malvertisers react by simply setting up another domain, or by blocking the IP address that scans for malware. A more dynamic solution involves behavioral analysis, says Hoblit: load the ad, watch its behavior, and see if it matches any characteristics typical of malware.
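To make the static-versus-behavioral distinction concrete, here is a small added example (not from the article, and not Symantec's or any vendor's product code). It takes constructed traces of what a sandboxed browser would observe while rendering four ad creatives (resource loads, forced redirects, download attempts, and large eval() blobs, all with made-up placeholder hostnames) and runs each through a fixed domain blacklist and a behavioral rule set. The creative that has simply moved to a fresh domain slips past the blacklist but is still caught by its behavior, which is exactly the gap described above; the drive-by trace shows the no-click case from the earlier paragraph. The threshold of 10,000 bytes for a suspicious eval() blob and the "declared host" rule are assumptions chosen for the illustration.

```python
"""
Added example: behavioral ad-creative checking versus a static blacklist.
Traces are constructed; hostnames and thresholds are placeholders.
"""
from typing import Dict, List, Tuple

# Static approach: a fixed list of known-bad hosts (constructed placeholder).
STATIC_BLACKLIST = {"bad-ads.example"}

# Each event is what the sandbox saw while rendering the creative:
#   ("load", host)      a resource was fetched from host
#   ("redirect", host)  top-level navigation was forced to host
#   ("download", name)  the page tried to start a file download
#   ("eval", n_bytes)   a script passed a blob of that size to eval()
Event = Tuple[str, object]

TRACES: Dict[str, List[Event]] = {
    # Well-behaved creative: fetches its own assets and nothing else.
    "clean-banner": [
        ("load", "cdn.advertiser.example"),
        ("load", "cdn.advertiser.example"),
    ],
    # Known-bad creative: its redirect target is already on the blacklist.
    "known-bad": [
        ("load", "cdn.advertiser.example"),
        ("redirect", "bad-ads.example"),
        ("download", "update.exe"),
    ],
    # Identical behavior, but the attacker has set up a new domain.
    "moved-domain": [
        ("load", "cdn.advertiser.example"),
        ("redirect", "new-bad-ads.example"),
        ("download", "update.exe"),
    ],
    # Drive-by: no click, obfuscated script and a silent download attempt.
    "drive-by": [
        ("load", "cdn.advertiser.example"),
        ("eval", 40000),
        ("download", "setup.scr"),
    ],
}

EVAL_THRESHOLD = 10000  # assumed: eval() blobs above this size are suspicious


def static_verdict(trace: List[Event]) -> bool:
    """Flag only if some contacted host is on the fixed blacklist."""
    hosts = {value for kind, value in trace if kind in ("load", "redirect")}
    return bool(hosts & STATIC_BLACKLIST)


def behavioral_verdict(trace: List[Event],
                       declared_host: str = "cdn.advertiser.example") -> List[str]:
    """Flag on what the creative does, regardless of which host it uses.

    Returns a list of human-readable reasons; an empty list means clean.
    """
    reasons: List[str] = []
    for kind, value in trace:
        if kind == "redirect":
            reasons.append(f"forced redirect to {value}")
        elif kind == "download":
            reasons.append(f"unsolicited download of {value}")
        elif kind == "eval" and value > EVAL_THRESHOLD:
            reasons.append(f"large eval() blob ({value} bytes)")
        elif kind == "load" and value != declared_host:
            reasons.append(f"resource from undeclared host {value}")
    return reasons


def compare_all() -> Dict[str, Tuple[bool, List[str]]]:
    """Run both checks over every trace: {name: (static_flagged, reasons)}."""
    return {name: (static_verdict(t), behavioral_verdict(t))
            for name, t in TRACES.items()}


if __name__ == "__main__":
    for name, (static, reasons) in compare_all().items():
        verdict = "FLAG" if reasons else "ok"
        print(f"{name:13s} static={static!s:5s} behavioral={verdict:4s} {reasons}")
```

Running the script prints one line per creative; only "known-bad" is caught by the static list, while the behavioral rules flag "known-bad", "moved-domain" and "drive-by" and pass the clean banner. In a real deployment the sandbox that produces these traces is the part worth protecting: the article notes that malvertisers block the IP address that scans them, so the rendering environment should not be distinguishable from an ordinary visitor by its address or fingerprint, and a creative should be re-checked periodically rather than only at campaign start, since the served content can change after approval.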
The digital advertising ecosystem is founded on a huge network of connections between multiple companies. The breadth and depth of these connections is the space's Achilles' heel. If a piece of malware infiltrates one of the companies, the security of the entire network is compromised. One of the core issues is that publishers, ad networks, and exchanges rely on each other to scan for, and detect dangerous software. Publishers can inadvertently host malicious content if they rely on somebody else to deliver the code, so they have started to invest in monitoring software to protect themselves from threats.
Ad serving companies are wising up too, and putting up shields. “They want to protect themselves—publishers have a lot of sources, a lot of people they can work with and if they know a publisher has problems, it's easy to swap them out,” says Hoblit.