What is malvertising?
The name “malvertising” comes from combining two words: “malicious” and “advertising”. So far, so obvious. But what does that really mean? Fundamentally, malvertising involves an unscrupulous individual (read: criminal) posing as a legitimate advertiser and inserting a malicious or malware-infected advert into a legitimate ad network and, ultimately, onto websites.
The first recorded instance of a malvertising ad campaign was detected back in 2007. It exploited a vulnerability in Adobe Flash and impacted several large platforms, including MySpace, Excite and Rhapsody. Since then, malvertising has really exploded, with attacks growing in complexity and scale. The first half of this year alone saw a spike of 260% compared to the same period last year, and in 2013 the Online Trust Alliance logged over 12 billion malvertisement impressions.
Malvertising isn’t unique to smaller ad networks; it’s an industry-wide problem. In September of this year alone, AdWords was hit by a fake BSOD malvertising campaign and the Forbes website was found to be serving malware-infected ads.
There are two main types of malvertising campaign. The first is the simpler type: a malicious advertiser creates an ad campaign with a creative that directs the user to a landing page. When the ad is clicked, that landing page triggers the installation of some kind of unwanted software (virus, malware etc), either automatically or by deceiving the user into clicking on something they think is legitimate.
The second, more complex type, which has probably seen the most widespread impact in recent years, involves the ad creative itself containing some kind of malicious code. This code can exploit vulnerabilities in a user’s web browser, plugins and more to silently install almost anything, all without any interaction from the user. Last year, YouTube fell victim to a malvertising campaign where, essentially, you just needed to watch a video with an infected ad and the malware would be installed.
What is Adcash doing about malvertising?
Right now, we’re playing a cat-and-mouse game with the criminals that run these campaigns. But that’s not to say there’s nothing we can do. First and foremost, when campaigns are initially submitted to us for validation, we check them before allowing them to be displayed on our network. We have a rigorous validation process that ensures, at the submission stage, that all our campaigns are compliant.
All campaigns are validated by a person: someone will physically check that the campaign is compliant and that it is safe to run on our network. At the same time, the campaign is checked with a series of tools, both of our own creation and third-party systems.
The most challenging task that we’re facing at the moment is being able to dynamically and continuously monitor landing pages. Once an ad campaign has cleared the validation stage and is running on our network, the creative itself cannot be changed (unless the campaign itself is resubmitted). However, a malicious advertiser can make changes to the landing page that mean it is no longer compliant.
Keeping a constant eye on those pages can be difficult, not least because of the huge number of sites involved, but also because of the myriad ways a site could, potentially, be changed. Right now, we’re partnered with GeoEdge and use the Google Safe Browsing API to help with that task. The GeoEdge malvertising detection platform allows us to scan a vast number of ad campaigns in real time, and it automates the campaign deactivation process. If GeoEdge detects a malvertising campaign, it puts a stop to it and alerts us of the source, so that we can take the appropriate action.
Right now, we’re looking into yet more tools and options to help us keep malvertisements off our network.
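One way to approach the post-validation landing-page check described above, as an added example that is not Adcash's or GeoEdge's code: record what the landing page could load, redirect to or offer for download when the campaign was approved, then flag anything new on a later fetch. The URLs, the sample pages and the extension watch list are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

RISKY_EXT = (".exe", ".msi", ".scr", ".apk", ".dmg")  # assumed watch list

class PageFeatures(HTMLParser):
    """Collects the parts of a page that can load code, redirect or push a file."""
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.features = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(urljoin(self.base, a["src"])).hostname
            if host:
                self.features.add(("active-host", host))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, sep, target = a.get("content", "").partition("=")
            if sep:  # "0; url=..." form; a bare delay has no target
                self.features.add(("redirect", urljoin(self.base, target.strip(" '\""))))
        elif tag == "a" and urlparse(a.get("href", "")).path.lower().endswith(RISKY_EXT):
            self.features.add(("download", urljoin(self.base, a["href"])))

def snapshot(url, html):
    parser = PageFeatures(url)
    parser.feed(html)
    return {"sha256": hashlib.sha256(html.encode()).hexdigest(),
            "features": parser.features}

def drift(approved, current):
    """Features present now that were absent when the campaign was validated."""
    if approved["sha256"] == current["sha256"]:
        return []
    return sorted(current["features"] - approved["features"])

# Constructed sample pages; landing.example and the other hosts are placeholders.
URL = "https://landing.example/offer"
APPROVED = snapshot(URL, '<script src="/js/app.js"></script><a href="/signup">Sign up</a>')
CHANGED = snapshot(URL, '<script src="/js/app.js"></script>'
    '<script src="https://cdn.unreviewed.example/l.js"></script>'
    '<meta http-equiv="refresh" content="0; url=https://other.example/get">'
    '<a href="/files/player_update.exe">Update</a>')

if __name__ == "__main__":
    for kind, value in drift(APPROVED, CHANGED):
        print(f"REVIEW {kind}: {value}")
```

A wording-only edit to the page changes the hash but produces no findings, so reviewers only see changes that add a script or iframe host, a redirect or an executable download.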
How can you avoid malvertising?
There’s been a lot of chatter about ad blockers in the online ad industry lately, particularly in the context of using them as a means of protection from malvertising, malware, virus infections and potentially all manner of issues. That leads us to a difficult crossroads: obviously we want users to have the very best experience online, and people take their online experience very seriously (in fact, here in Estonia, where we’re based, Internet access is actually a human right and has been since the early 2000s). But at the same time, online advertising is what we do.
Some people may claim that the only way to ensure complete protection from these attacks is through ad blockers, but this misses the fundamental issue at the heart of most, if not all, malvertising campaigns: software security flaws. It’s these flaws that allow the attackers to carry out their criminal activities.
Using an ad blocker only pours fuel on the fire: it will block all the ads, regardless of their legitimacy, meaning the publishers, the people creating the content you enjoy reading and watching, lose revenue. But those vulnerabilities are still there. If there’s an unpatched security flaw that a criminal group can exploit, chances are that they will, whether that’s by ads or other means.
Keeping your software patched and up-to-date, running some anti-malware software and regularly updating your antivirus library is the best way to avoid falling prey to these kinds of attacks.
What can you do if you think you’ve found a malvertisement on our network?
If you’re an Adcash publisher and you suspect that a malvertisement has been displayed on your site, tell us! You can get in touch with the team and they will immediately stop the campaign and launch an investigation to determine the source.
At Adcash, we promote a culture of full disclosure; we will actively investigate reports of malvertising appearing on our network, whether that comes from an internet user who suspects something, a white-hat or a security firm. If you have any information that could help us, you can send an email to [email protected] and we will work to resolve the issue as quickly as possible.
What do you think about malvertising? Is there something more we and other ad networks can do to help tackle it? If you have any thoughts or feelings on this subject, as always, let us know in the comments below.