

Adcash Answers – Let’s Talk About Malvertising

What is malvertising?

Malvertising, a blend of “malicious” and “advertising”, involves an imposter posing as a legitimate advertiser and inserting a malicious or malware-infected advert into a legitimate ad network, and ultimately onto a website.

The first recorded instance of a malvertising ad campaign was detected back in 2007. It exploited a vulnerability in Adobe Flash at the time and impacted several large platforms, including MySpace, Excite, and Rhapsody. Since then, malvertising has increased tenfold, with attacks growing in complexity and scale. The first half of this year alone saw a spike of 260% compared to the same period last year, and in 2013 the Online Trust Alliance logged over 12 billion malvertisement impressions.

Malvertising isn’t unique to smaller ad networks; it’s an industry-wide problem. In September of this year alone, AdWords was hit by a fake BSOD malvertising campaign and the Forbes website was found to be serving malware-infected ads.

There are two main types of malvertising campaign. The first is the simpler type: a malicious advertiser creates an ad campaign with a creative that directs the user to a landing page. When the ad is clicked, that landing page triggers the installation of some kind of unwanted software (a virus, malware, etc.), either automatically or by deceiving the user into clicking on something they think is legitimate.

The second, more complex type, which has probably seen the most widespread impact in recent years, involves an ad creative containing some kind of malicious code. This code installs corrupted software and can exploit vulnerabilities in a user’s web browser, plugins, and more, all without any interaction from the user.

What is Adcash doing about malvertising?

Right now, we’re playing a cat-and-mouse game with the criminals that run these campaigns. But that’s not to say there’s nothing we can do. First and foremost, when campaigns are initially submitted to us for validation, we check them before allowing them to be displayed on our network. We have a rigorous validation process that ensures, at the submission stage, that all our campaigns are compliant.

All campaigns are validated by a person: someone will physically check that the campaign is compliant and that it is safe to run on our network. At the same time, the campaign is checked with a series of tools, both of our own creation and third-party systems.

The most challenging task that we’re facing at the moment is being able to dynamically and continuously monitor landing pages. Once an ad campaign has cleared the validation stage and is running on our network, the creative itself cannot be changed (unless the campaign itself is resubmitted). However, a malicious advertiser can still make changes to the landing page and doctor it so that it is no longer compliant with the Adcash standards.

Keeping a constant eye on those pages can be difficult, not only because of the huge number of sites involved, but also because of the myriad ways a site could, potentially, be changed. Right now, we’re partnered with GeoEdge and use the Google Safe Browsing API to help with that task. The GeoEdge malvertising detection platform allows us to scan a vast number of ad campaigns in real time, and automates the campaign deactivation process. If GeoEdge detects a malvertising campaign, it puts a stop to it and alerts us to the source it’s coming from, so that we, in turn, can take the appropriate action.
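The landing-page problem described above can be illustrated with a small drift check. This is an added example, not Adcash's or GeoEdge's tooling: it fingerprints what a page loads or redirects to at validation time and reports anything new on a later re-scan. The `Collector`, `fingerprint` and `drift` names, the URL and both HTML snapshots are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class Collector(HTMLParser):
    """Collects what a landing page loads or redirects to."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.found, self.inline_buf = base_url, set(), None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            host = urlparse(urljoin(self.base_url, a["src"])).netloc.lower()
            self.found.add((tag + "-host", host))
        elif tag == "script":
            self.inline_buf = []  # buffer inline code until </script>
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.found.add(("meta-refresh", a.get("content", "").strip().lower()))

    def handle_data(self, data):
        if self.inline_buf is not None:
            self.inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.inline_buf is not None:
            code = "".join(self.inline_buf).strip()
            if code:  # hash inline code so any edit shows up as a new item
                self.found.add(("inline-script", hashlib.sha256(code.encode()).hexdigest()[:16]))
            self.inline_buf = None

def fingerprint(html, page_url):
    c = Collector(page_url)
    c.feed(html)
    return c.found

def drift(validated_html, rescanned_html, page_url):
    """Items present on the re-scan that were absent at validation time."""
    return sorted(fingerprint(rescanned_html, page_url) - fingerprint(validated_html, page_url))

# Constructed snapshots of one landing page (hosts are placeholders).
URL = "https://landing.example.com/offer"
VALIDATED = '<script src="/js/form.js"></script><script>track(1)</script><h1>Offer</h1>'
RESCANNED = VALIDATED + ('<meta http-equiv="refresh" content="0;url=https://other.example.net/">'
                         '<script src="//cdn.example.org/loader.js"></script>'
                         '<iframe src="https://frames.example.org/f"></iframe>')

if __name__ == "__main__":
    print(*drift(VALIDATED, RESCANNED, URL), sep="\n")
```

A non-empty result is a reason to send the campaign back through validation, not a verdict on its own; pages that change what they serve depending on the visitor need re-scans from more than one vantage point.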

Right now, we’re looking into more tools and options to help us keep malvertisements off our network.

How can you avoid malvertising?

There’s been a lot of talk about ad blockers in online advertising lately, particularly in the context of using them as a means of protection from malvertising, malware, virus infections, and potentially all manner of issues. This leads us to a difficult crossroads. Obviously we want users to have the very best experience online, and people take their online experience very seriously (in fact, here in Estonia, where we’re based, Internet access is actually a human right and has been since the early 2000s).

Some people may claim that the only way to ensure complete protection from these attacks is through adblockers, but this misses the fundamental issue at the heart of the problem. Software security is, at times, flawed. It’s these flaws that allow the attackers to carry out their criminal activities unnoticed.

Using an adblocker only pours fuel on the fire. All ads will get blocked, regardless of their legitimacy, meaning the publishers, the people creating the content you enjoy reading and watching, lose revenue. But those vulnerabilities are still there. If there’s an unpatched security flaw that a criminal group can exploit, chances are they will. Whether that’s by online advertising or other means.

Keeping your software up-to-date, running anti-malware software, and regularly updating your antivirus library are the best ways to avoid falling prey to these kinds of attacks.

What can you do if you think you’ve found a malvertisement?

If you’re an Adcash publisher and you suspect that a malvertisement has been displayed on your site, tell us! You can get in touch with the team and they will immediately stop the campaign and launch an investigation to determine the source.

At Adcash, we promote a culture of full disclosure. We will actively investigate reports of malvertising appearing on our network.

If you have any information that could help us, you can send an email to [email protected] and we will work to resolve the issue as quickly as possible.

What do you think about malvertising? Is there something more we and other ad networks can do to help tackle it? If you have any thoughts or feelings on this subject, as always, let us know in the comments below.

Join the conversation

2 comments


Chibuzor on Mar 16, 2016 at 11:54 am

Hello, this blog post has been very helpful. I'm new to your platform and the campaign I have submitted for validation keeps getting rejected, reason: suspicious or malicious behavior. I've used a hosted landing page with an autoresponder company as well as my website domain, but the campaign keeps getting rejected for the same reason. How do I ensure my landing pages are compliant and malware free? I am not a techie and I generally use drag and drop website builders to make landing pages and websites. I'm currently working with the Wix.com and Sendlane.com landing page and website builders.


Ben Billson on Mar 21, 2016 at 8:53 am

Hi there. Sorry to hear that you're having trouble. In case you haven't already seen it, here's a link to an article on the Adcash support center, detailing what we do and do not allow on our network: http://support.adca.sh/?st_kb=campaign-validation If you don't find what you're looking for there, I suggest you contact the support team directly, either by email ([email protected]) or via Skype (support.adcash).
