Online ads can be annoying, but increasingly they’re malicious, too. In the wake of a highly publicized “malvertising” incident last December, during which attackers were able to deliver malware through online ads published on Yahoo.com, that question is now top of mind for some.
That incident, in turn, came just a few months after security researchers at Blue Coat Systems discovered a group of sites that were delivering drive-by malvertising payloads through ads embedded in many “name brand” websites, including Salon.com and The Los Angeles Times.
The issue is starting to get high-level attention. A recent report by the U.S. Senate said the problem endangers the security and privacy of users and recommended that the U.S. Federal Trade Commission should force the industry to offer better protections through comprehensive regulation.
But it is the advertising industry, rather than end users, that has the most to lose. “As an industry we’ve been reluctant to talk about these problems in the past,” says Steve Sullivan, former vice president of ad technology at the Interactive Advertising Bureau (IAB), a consortium of more than 600 online advertising media and technology companies. (Sullivan recently moved to fraud detection company White Ops.)
But over the past year, the problem has risen to a level where the hundreds of businesses that make up the online advertising ecosystem are both talking about it openly, and actively supporting the IAB’s Trustworthy Digital Marketing Supply Chain. That effort, part of a five-year plan (PDF) announced by the IAB in February, could set the bar for best practices and require a level of oversight for all IAB members to help reduce the incidence of malvertising, fraud and other issues.
It’s a pocketbook issue, Sullivan says. Most malvertising, he explains, is designed not to harm the individual consumer but instead to recruit personal computers and mobile devices into large-scale botnets used to generate revenue by producing false advertising impressions and clicks online. In the case of the Yahoo malware, users were redirected to domains related to Paid-To-Promote.net. “The real money,” Sullivan says, “is in advertising fraud.”
But malvertising is also used to steal user data, says Bogdan Botezatu, senior e-threat analyst at antivirus vendor Bitdefender. “Malvertising is one of the few techniques that allow cyber criminals to silently attack unsuspecting users.”
If a user’s machine is infected with a botnet designed for advertising fraud, the owner of that botnet may try to monetize it by offering to install other software — in reality malware that steals the user’s information — on the infected computer, says Chris Larsen, research architect at security software vendor Blue Coat Systems. That’s what happened with Crytolocker, which initially used spam to trick users into downloading it. “Then [the authors] shifted to underground forums and paid someone to install it on already infected computers,” Larsen says.
A deep-rooted problem
Getting rid of malvertising won’t be easy. One challenge lies with the structure and operational model of the online advertising ecosystem itself. It includes hundreds of players that sell services ranging from ad networks to advertiser-focused supply-side platforms, publisher-oriented demand-side platforms and ad exchanges — open marketplaces where publishers sell inventory that advertisers can purchase.
Ad networks can also sell excess inventory through other networks and affiliates that in turn may work with other partners. Publishers — and even the ad networks themselves — don’t always know who the buyers are.
In 2012, the Online Trust Alliance estimates, the industry delivered more than 10 billion ad impressions containing malvertising.
It’s an imperfect system, Sullivan says, but one that publishers must rely on to sell “remnant” inventory — ad space that they can’t sell themselves. “You either sell it to a network for a lower cost or you don’t get anything at all. No one is immune to the problem,” he explains. And in an opaque marketplace like an exchange, advertisers have no idea where their ad impressions are actually coming from. That makes it a target for advertising fraud.
The malvertising payload is delivered through advertising networks in various ways, which presents its own challenges to prevention. Cyber criminals tend to use three different approaches, says Sullivan. The most straightforward is for the malware distributor to simply buy ad inventory through an exchange and submit an ad with malware embedded within it.
Publishers and ad networks can deploy tools from security vendors such as The Media Trust and DoubleVerify that inspect ads for malvertising and scan associated ad tags — embedded code that tells the browser where to retrieve an ad — to verify the location. But not every ad network uses the tools, and a malvertising ad may link to an affiliate or partner that in turn links to another site, cascading as much as four levels deep.
“If all the ad is doing is sending traffic somewhere, you may miss the fact that that the attack is happening on the third or fourth hop,” says Blue Coat’s Larsen. “It’s rare to trace it back to a web ad company. It’s almost always some other site.”
In the case of the malvertising that affected the L.A. Times and other sites last fall, the cyber criminals used more than 275 different sites to deliver the malware, with the number of affected host websites in the “low hundreds.” Those sites received thousands of hits per day, according to Larsen.
The user’s browser was redirected through four hops to a “drive-by download” site that used an exploit kit to check for known vulnerabilities. “If you were vulnerable you would be infected without ever clicking on anything,” Larsen explains. Blue Coat researchers discovered the sites as part of an ongoing search for sites using exploit kits and then traced the traffic backwards to the ad networks and publisher sites that had inadvertently carried the malvertising, Larsen says.
A spokesperson for The Media Trust says the company also had detected the malvertising attacks and notified its customers when they appeared so they could block them. It says its software was not in use by the affected publishers and the ad networks.
Mobile devices can also fall victim to malvertising that uses social engineering tactics to get the user to bypass existing protections against malware apps. These ads mimic user interface elements of the mobile operating system, such as system messages or pop-ups, in order to mislead the user into taking specific actions, says Botezatu.
Sizing up the problem
Just how big is the malvertising problem? Opinions vary, and while anecdotes abound, hard numbers on the scope of the problem are hard to come by. The Online Trust Alliance (OTA), a nonprofit advocacy group that says its mission is to build trust online, estimates that fewer than 1% of all online ads involve malvertising of some sort.
That number might sound small, but each ad is typically served up many times. “A single incident of malvertising can equate to several hundred thousand exploits,” says Craig Spiezle, OTA executive director. In 2012, the OTA estimated, the industry delivered more than 10 billion ad impressions containing malvertising.
But there are no hard numbers, in part because figuring out which malware infections came from malvertising isn’t easy. While it’s hard to get a handle on the full scope of the problem, Botezatu is certain about one thing: “The problem is definitely not decreasing.”
One Blue Coat Systems client, which research architect Chris Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. “They were concerned about malware coming in from this vector and not being able to stop it,” he says.
Certainly the issue has grown large enough to have the IAB’s full attention. And part of that may be the potential negative impact of even a few widely publicized incidents. A high-profile infection such as the Yahoo attack can have consequences for both publishers and the online advertising industry. “The Yahoo incident, a portal visited by millions of people a day… takes the game to a whole new level,” says Botezatu.
The problem appears to be increasing in the mobile arena as well. According to research by security software vendor RiskIQ, the incidence of malicious apps increased 388% from 2011 to 2013, and malvertising is an increasingly common technique that cyber criminals use to deliver those apps.
Around 7% of the threats Bitdefender blocked in the last month were Android packages delivered by way of mobile advertising that “falsely claimed that those devices had been infected,” Botezatu says. In this scheme, a pop-up dialog, which looks like it was generated by the Android operating system, prompts the user to take action that will supposedly remove the virus.
But when the user clicks on the pop-up to take action, she is prompted to change her settings to allow installation of a third-party app — delivered outside of the protected walled garden of Google Play — so that the malware payload can be delivered undetected. Because these “scareware” messages look like they were generated by the operating system, they’re very effective, Botezatu says.
The digital advertising industry must stop having unprotected sex.
Randall Rothenburg, President, Interactive Advertising Bureau
Malvertising could also cost the online advertising industry, and web publishers that depend on it, in other ways that are even more difficult to measure. “These threats are undermining the integrity of the interactive advertising ecosystem,” says Spiezle. Users cite a lack of trust in the safety of online advertising as one reason for using ad blocking software, even though the use of such software eliminates all ads — good or bad — along with the primary revenue source for many web publishers. “Blocking all ads and scripts will most likely keep the user safe,” but would reduce revenue for web publishers, Spiezle says.
One Blue Coat Systems client, which Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. “They were concerned about malware coming in from this vector and not being able to stop it,” he says.
Fixing the problem
“I agree absolutely,” says Sullivan. Today, a well-managed ad network that knows every one of its affiliated sites and monitors them constantly may still sell its excess inventory to a secondary ad network that doesn’t operate at the same level.
“If all of the networks in a trustworthy supply chain operated [to the same standard], we wouldn’t have the problem at scale that we have today,” Sullivan says. “In an opaque marketplace the inventory for a company that doesn’t follow best practices sits side-by-side with a company that does — and they’re treated equally.”
The IAB’s five-year plan, which includes quality assurance guidelines and the establishment of a “Traffic of Good Intent” task force, isn’t fully developed yet, and many details have yet to emerge.
Nonetheless Spiezle says, he’s encouraged, although he’d like to see the IAB open up the process to all affected parties. “An effective solution needs to include a multi-stakeholder approach including the advertising community, ad networks, publishers and the security community. We look forward to working with the IAB and others towards this goal.”