Malvertising, ad blockers, revenue streams and you
Just as malware is malicious software, so we have malvertising, which is malicious advertising. Unlike malware though, malvertising can literally eat away at your revenue stream if you are an online content provider.
One unexpected consequence of the growth in malvertising has been the growth of ad blockers as a security measure, rather than merely as a mitigation for privacy concerns or annoyance.
Specialist malvertising exploit kits are widely available on the dark market. They enable online advertisements to be infected with malware, and those adverts are then served up to unsuspecting users visiting prominent, and equally unsuspecting, websites.
The attacker buys a legitimate piece of advertising real estate, a banner purchased through an ad broker or network, and runs an infected advert through it. These banners are most often on totally legit sites, and usually big ones from well-known brands, as they attract the most visitors and therefore offer the broadest attack surface.
The unsuspecting user clicks through as usual, and instead of landing at a genuine product page they land somewhere that executes whatever exploit the bad guys have as the payload: ransomware, bank credential stealer, botnet Trojan.
That sounds bad enough, but remember that the world of advertising is all about targeting the right user; in this regard it’s very similar to the world of cybercrime. In fact, the exact same methods can be used to ensure that the malicious advert is targeted at a specific demographic. Take that into account and the stakes couldn’t be higher.
Why bother with all that social engineering stuff, the persistent phishing tactic, when you can get immediate access to the public sector organisation staff you need to pull off that data heist a foreign government is paying you to undertake for them? Of course, that’s an extreme example but one that is perfectly feasible nonetheless.
The point is that the dynamic nature of targeted advertising makes it perfectly possible to serve the infected payload only to certain site visitors, which in turn makes it incrementally harder to reproduce the attacks, or even to detect that they are happening.
Perhaps it should come as no surprise, then, that RiskIQ researchers recently found that malvertising increased by a staggering 260% in the first half of 2015 when compared to the previous year. RiskIQ spoke of 450,000 reported ads within that six-month period alone.
If this were a one-off spike it would be worrying enough, but other research reports have shown similar jumps: a 300% increase from 2013 to 2014 (according to Cyphort) and 200% from 2012 to 2013 (according to the Online Trust Alliance), for example. The trend shows no sign of abating.
This is hardly surprising as it is a big money business, just like genuine advertising itself. Unfortunately for the world of advertising, it’s also having a negative impact that could see serious revenue losses for both those who serve ads and broker them, and the online sites and services that rely on them to monetize their business.
How so? Well, anything that drives people to not only stop clicking on advertised links, but block them from appearing in their browsers at all is going to hit your bottom line if you make your money either directly or indirectly through advertising. The growth of ad blockers is not something you can ignore.
With an estimated 200 million people actively doing just that, using ad blocking software, and costing the online advertising industry billions in lost revenue each year, that’s the kind of negative impression it can do without.
Increased awareness, post-Snowden, of privacy issues has already led people to question if they are happy with being tracked online and adverts served up according to where they have been and what they have looked at. Throw in the threat of those adverts actually being malicious and, well, it’s not rocket science is it?
So how do you, or more to the point the online advertising industry, go about mitigating against the malvertising threat? The answer, unfortunately, isn’t as straightforward as it may at first appear. “There are still ad networks out there who have yet to take the problem seriously,” says RiskIQ VP, Ben Harknett. “They continue to sign partnerships with minimal checks and have not invested in the tooling necessary to inspect partner ads and their related links for malware.”
Malvertising will remain a problem until two things happen according to Harknett: first, publishers must exert sufficient pressure on ad networks to tighten up lax practices that allow malicious campaigns to get into the ad ecosystem in the first place. Second, ad networks need to improve their detection and response capabilities.
Of course, it’s easy to throw the due diligence line into the mix but harder to apply in the real world where advertising space is often sold via a mix of intermediaries. “Unless all of the parties in the supply chain adhere to the same levels of vetting and security checking,” Tom Williams, Lead Investigative Consultant at Context Information Security told IT Security Thing, “there is always the chance that malicious adverts will get through.”
Williams believes that the only effective way to tackle the malvertising threat is “through a collaborative approach between the advertising community, cyber-security industry, ad networks, publishers and end users.”
There’s no doubting that for any solution to have more than a snowball-in-hell’s chance of achieving anything, it will have to be capable of stopping threats at multiple points in the kill chain. Given the growing use of evasion, stealth and variation in the malicious code employed by threat actors in this sector, Carl Leonard, who is Principal Security Analyst for Raytheon|Websense, recommends that to “ensure they steer clear of bogus partners, advertising networks must make an effort to vet their customers, and perform regular checks on the content they are serving.”
What this means, in real world terms, is for the companies that employ ad agencies and brokers to choose their partners carefully. “Check for a history of malicious ads served up by those ad partners in the past,” Leonard advises, “and perform scans of their website code.”
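Leonard’s advice to check the content partners are serving and scan their code can be partly automated. The following is an added example of a static check over served ad creatives, not code from Raytheon|Websense or any ad network: it parses a creative’s HTML and flags iframes, scripts and links that point outside a vetted host allowlist, and iframes that are sized or styled to be invisible. The allowlist, hostnames and sample creatives are constructed placeholders.

```python
"""Static scan of served ad creatives for injected or off-list content.

Added example: a small HTML checker an ad network or publisher could run
over creatives before (or while) serving them. The allowlist and the sample
creatives below are constructed placeholders, not real network data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the network has vetted for this campaign: its own CDN and click
# tracker plus the advertiser's declared landing domain (placeholders).
ALLOWED_HOSTS = {
    "cdn.ads.example.com",
    "click.ads.example.com",
    "www.advertiser.example",
}

# CSS fragments that make an element invisible to the visitor.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


def _host(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def _is_hidden(attrs):
    """Heuristic: 0/1-pixel frames or CSS that hides the element."""
    if attrs.get("width", "").strip() in {"0", "1"}:
        return True
    if attrs.get("height", "").strip() in {"0", "1"}:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(marker in style for marker in HIDDEN_STYLE_MARKERS)


class CreativeScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing one creative."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            host = _host(attrs.get("src", ""))
            if host and host not in self.allowed_hosts:
                self.findings.append(("iframe_external_host", host))
            if _is_hidden(attrs):
                self.findings.append(("iframe_hidden", host or "(no src)"))
        elif tag == "script":
            host = _host(attrs.get("src", ""))
            if not attrs.get("src"):
                self.findings.append(("script_inline", "(inline)"))
            elif host not in self.allowed_hosts:
                self.findings.append(("script_external_host", host))
        elif tag == "a":
            host = _host(attrs.get("href", ""))
            if host and host not in self.allowed_hosts:
                self.findings.append(("link_external_host", host))


def scan_creative(markup, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of findings for one creative; [] means it passed."""
    scanner = CreativeScanner(allowed_hosts)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed samples: a clean banner, and the same banner with a hidden
# iframe appended, the pattern seen when an ad server itself is compromised.
CLEAN_CREATIVE = (
    '<a href="https://click.ads.example.com/c?cid=42">'
    '<img src="https://cdn.ads.example.com/banner.png" width="300" height="250">'
    "</a>"
)
INJECTED_CREATIVE = CLEAN_CREATIVE + (
    '<iframe src="http://injected-host.invalid/in.php" width="1" height="1" '
    'style="visibility: hidden"></iframe>'
)

if __name__ == "__main__":
    for name, markup in (("clean", CLEAN_CREATIVE), ("injected", INJECTED_CREATIVE)):
        print(name, scan_creative(markup) or "OK")
```

The allowlist is the important design choice: rather than trying to recognise malicious hosts, the scanner treats anything the campaign did not declare as a finding, so a creative that later swaps its destination (the bait-and-switch Cosoi describes below) fails the check the moment it changes.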
At the end of the day though, according to Alert Logic’s ‘cyber security evangelist’ Paul Fletcher, advertising networks and brokers can only do so much. The biggest problem with malvertising rests with browser and plug-in settings, he told IT Security Thing.
“Delivering dynamic content to every browser (and version level) and a variety of plug-ins (like Java or Flash) and their version level is a difficult task,” Fletcher warns, continuing, “malicious attackers know that browser and plug-in security is more of a user responsibility and users act differently to pop-ads etc.”
Advertising networks and brokers could do more to protect their customers, truth be told, but each user would also need to help fix the issue, and that costs money. A lot of money. Alternatively, they could build browser and plug-in intelligence directly into their code, Fletcher reckons, and not run if the browser and plug-in settings don’t meet a certain standard. “However, the way to fix the problem is to prompt the user to update their settings,” Fletcher told us, which he admits is counterintuitive to good user behaviour (clicking on a link to update plug-ins), or “not deliver the marketing content,” which is counterintuitive to advertising practice.
Ultimately then, malvertising remains problematic because of zero-day threats to browser-based plug-ins and the fact that many, or perhaps most, end users don’t update their browsers and plug-ins in a timely manner.
“Organisations should maintain a minimum baseline for browser versions and plug-ins,” Fletcher concludes, “and have a process to identify and remediate out-of-compliance browsers and include browser and plug-in settings in their patch management system.”
Paul Ducklin, senior security advisor at Sophos, recently conducted research into the malvertising threat which supports the ‘out of date’ argument; and not just from the advertising target, but the advertisers themselves. Sophos revealed that 15,000 users had provided real-world experience feedback on encounters with compromised ad servers.
Focusing on malware detections reported as Mal/Iframe-AR that targeted servers running the Revive Adserver toolkit, SophosLabs found that sysadmins who replied to warnings from the vendor about being infected were running old versions, which are vulnerable to SQL injection attack.
That many were running version 3.0.1 is worrying in the extreme, as this was superseded way back in 2013, and yet it’s still in place and still being compromised courtesy of slack updating policies at the sites using it. As Ducklin points out, “every time someone’s anti-virus pops to warn them that your ad network just tried to infect them, your reputation is taking a blow. And if you are serving ads for customers’ websites under contract, your customers’ reputation takes a blow as well: expect them to be unhappy!”
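Fletcher’s recommendation of a minimum baseline for browser and plug-in versions, and the Sophos finding that compromised ad servers were running long-superseded Revive Adserver releases, both come down to the same control: an inventory check against a minimum-version policy. The following is an added example of such a check, not code from Alert Logic, Sophos or the Revive project. The inventory rows, component names and baseline numbers are constructed placeholders; a real baseline comes from the organisation’s patch policy and the vendors’ own advisories.

```python
"""Browser/plug-in/ad-server version baseline check.

Added example: reads a constructed inventory (host, component, version)
and reports every entry that falls below a minimum-version baseline or
has no baseline at all. The baseline numbers are illustrative placeholders,
not vendor advisories.
"""
import csv
import io
import re

# Minimum acceptable version per component (placeholder values).
BASELINE = {
    "browser": "50.0",
    "flash-plugin": "20.0",
    "java-plugin": "8.0.60",
    "revive-adserver": "3.1.0",
}

# Constructed inventory, as an endpoint agent or config-management tool
# might export it. The 3.0.1 ad server row mirrors the Sophos finding.
SAMPLE_INVENTORY = """\
host,component,version
ws-01,browser,52.0.1
ws-01,flash-plugin,18.0.0.1
ws-02,browser,44.0
ws-02,pdf-plugin,1.2
adsrv-01,revive-adserver,3.0.1
adsrv-02,revive-adserver,3.2.4
"""


def parse_version(text):
    """Turn '3.0.1' or '8.0_60' into a tuple of ints; non-digits are separators."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_at_least(actual, minimum):
    """Compare dotted versions, zero-padding so that 3.1 compares equal to 3.1.0."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def check_inventory(inventory_text, baseline=BASELINE):
    """Return a list of (host, component, version, reason) for non-compliant rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        component = row["component"].strip().lower()
        version = row["version"].strip()
        minimum = baseline.get(component)
        if minimum is None:
            # An unknown component is a policy gap, not a pass.
            findings.append((row["host"], component, version, "no baseline defined"))
        elif not parse_version(version):
            findings.append((row["host"], component, version, "unparseable version"))
        elif not version_at_least(version, minimum):
            findings.append((row["host"], component, version, f"below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for host, component, version, reason in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {component} {version} -> {reason}")
```

Two details matter for a check like this to be trustworthy: version strings are compared numerically after zero-padding, so that a two-part version is never mistaken for being older than its three-part equivalent, and a component with no baseline entry is reported rather than silently passed, because software nobody has written a policy for is exactly where an outdated install hides.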
Gavin Reid, VP of threat intelligence at Lancope, is in no doubt that ad providers need to provide better verification before pushing content out. “They also should partner with companies that provide early detection to remove malicious ads quickly,” he told IT Security Thing, adding, “lastly, large web content providers should push-back and only do business with ad providers that take these steps to stop their services being abused.”
One thing that Adrian Crawley, director of Northern Europe at Radware, is sure of is that content providers simply are not doing enough to avoid and mitigate the malicious advertising problem. “In many cases the applications need to be managed and controlled much better,” Crawley insists, concluding, “media owners need to get better equipped for dealing with the security risks and if an ad is served up on the site then they need to take some responsibility.”
Industry-wide acceptance of responsibility, whether by content providers or advertising networks, is not going to be easy to find, it seems to us, or to Bitdefender Chief Security Strategist Catalin Cosoi for that matter. “Considering that malvertising campaigns are still a popular mass infection vector,” Cosoi pointed out to IT Security Thing, “it’s safe to assume that some advertising networks are more permissive than others.”
Cosoi explains that, for instance, while some advertisers have raised the acceptance bar for advertisement placement, “others are still allowing low open enrolment, lower fees, and less customer background scrutiny.” The truth of the matter is that cybercriminals will go to great lengths to convince ad networks and brokers that they’re legitimate. “They make use of valid (but stolen) credit card information and other personal information, such as social security numbers to establish validity,” Cosoi went on, “sometimes, they even display legitimate ads for a while, only to switch them with malicious ones after a certain amount of time.”
Let’s not forget hijacked servers, often belonging to small advertising networks, which end up being used by the attackers to disseminate malicious ads as well. It’s not all bad news though, as Cosoi reminds us. “Some advertising networks have already started drafting best practices and various filtering mechanisms aimed at weeding out cybercriminals,” he concludes, “one of which is setting higher fees.”
Some might consider this practice rather questionable, but if it’s aimed at discouraging cybercriminals from applying (as they’ll get a really low return on investment), perhaps it’s not such a bad idea. It might also be a red herring, though, used to help offset online advertising revenue losses as much as anything else.
We will leave the last words to Jérôme Segura, Senior Security Researcher at Malwarebytes who rather specialises in getting to grips with the threat actors and technologies behind the malvertising menace. “To put it bluntly,” Segura said, speaking to IT Security Thing, “there are some advertising players that are doing okay, and others that have become regular malware delivery platforms.” According to Segura, the root of the problem lies with business practices, which no security scanner or ad validation technology can completely mitigate.
Namely: a low barrier to entry, a lack of knowledge of who buyers and sellers are, and the relative anonymity an advertiser can have. “The other part of the problem is the lack of accountability in a business where impressions can change hands dozens of times before an ad is finally displayed in a user’s browser,” Segura insists, “even if the top ad network has strong security guidelines, as you go down the chain of resellers you often find a weak link, sometimes a party who got abused by a rogue advertiser, or sometimes an actor that might easily turn a blind eye on deceptive or malicious adverts.”
One thing is for sure: overall, the current situation is quite bleak, and we certainly have not made any progress if we look back over the five years or so that the malvertising problem has really been going on. “There needs to be better transparency between ad networks and security outfits to share data about incidents,” Segura told us, “of course, many ad networks would rather handle problems privately to protect their public image. But in some ways, this has led to a lack of accountability and no real change to their business and security practices.”
Considering that malvertising is increasing and delivering potent payloads such as ransomware to innocent victims, is it okay to treat it as a cost of doing business, or should it be a front-line issue, dealt with regardless of cost through significant changes? “Consumers have already voiced their opinion on this,” warns Segura, “with their increased adoption of ad blockers…”