Advertisers are aware that intimately knowing their audience is crucial to maximizing their return on investment. The same can be said about online criminals who have found unprecedented tools and metrics to distribute malicious software, or malware. The advertising industry is in a losing battle to keep the problem at bay.
The online advertising business has exploded in recent years and its newer model is opening up many opportunities for ill-intentioned actors. It is perhaps the only medium that allows for such granular targeting of your audience while also reaching out to millions of people at any given time, making it very attractive for cybercriminals.
Indeed, the underlying model for Web-based advertising, which grew to accommodate publishers and advertisers, was ill prepared for abuse from malicious ads that are part of a global phenomenon known as malvertising.
Malvertising is a powerful infection vector whereby an innocent-looking advertisement executes code in the victim’s browser without their explicit authorization or knowledge. This usually consists of a silent redirection to a malicious webpage that will attempt to exploit the user’s computer to deliver malware.
Some might say that considering the billions of ad impressions, malicious ads only represent a very small fraction of a ‘manageable’ problem. But this view may be simplistic and does not take into account that malvertising happens daily and affects some of the most popular websites that receive millions of visits.
The Web-based malware ecosystem is made of different groups: Those that buy or sell traffic, those that create or rent exploit toolkits and of course those that create the malware (banking Trojans, Ransomware, etc.) which infects machines.
Traffic filtering tools that better target potential victims by geographic location, operating system and browser types to name a few are a critical component to any malware campaign. That job is usually taken care of by Traffic Distribution Systems (TDS) that redirect visitors by turning on and off certain network nodes.
But the reality is that this model may not be as efficient, cheap and even—perhaps surprisingly—as trustworthy as the one offered by ad agencies whose goal is to make the best possible service to attract both publishers and advertisers.
Advertising agencies offer an incredibly powerful system that lets advertisers specify exactly what their target audience is. In essence, your ad could appear in front of a very wide audience or target specific business sectors and even individuals.
To use a metaphor, yesterday’s ad business could be compared to a hunter with a large shotgun (bulk sales) as opposed to today’s business, where advertisers are like snipers (targeted impressions), aiming at a well-identified group.
This per-impression model is also known as Real Time Bidding (RTB), a process where a publisher promotes various ad placements that advertisers check to see if it meets their profile and then bidding. Because this happens in milliseconds, advertisers typically set up daily or weekly budgets and the process is fully automated.
While not only more efficient, this method is also more cost effective for bad guys who can test a malware campaign on a small scale before a wider deployment. In fact, in many malvertising cases the winning bid for an impression is as low as 60 cents. If the victim is successfully infected, this cost represents nothing compared to the amount that can be made from a malware infection (hundreds to thousands of dollars through silent wire transfers, a ransom to decrypt files, etc.).
Third-party providers are a big headache for major ad networks and yet this is the norm. The advertising industry would be more secure if publishers were dealing with advertisers that hosted their own content instead of allowing third parties to own it.
When looking at a malvertising attack, the pattern is almost always the same: an impression on a site goes through several (sometimes a dozen) external parties before an ad is finally displayed. It is therefore almost impossible for the original ad network to know who the last advertiser involved in the distribution was.
This structure somehow works and is completely transparent to the end user who only sees an ad being displayed in her browser. But it just takes one malicious or compromised actor to bring the entire chain down.
While trust is crucial in the ad industry it is also its Achilles heel. Cybercriminals often set up fake ad agencies and cleverly operate by rotating legitimate ads and malicious ones at the right frequency to avoid detection.
Advertisers can easily (and anonymously) sign up to big networks and start bidding on ads using PayPal or a digital currency so that if they get caught, they can easily change identity and move on to the next agency in town.
The harsh reality of website security also applies to ad agencies which from time to time suffer compromises. It’s not surprising that malicious actors are interested in hacking ad servers to replace legitimate ad banners with their own.
While many ads are either text-based or images, a large portion is made of animated Flash files. This format is more engaging because of the video and sometimes sounds, which is why it is also popular. But as with many things in security, the more feature-rich a program is, the more vulnerabilities it can have.
Flash files are essentially small applications that run in the browser and take advantage of various programming languages, including JavaScript, which can be used for legitimate reasons but also for nefarious purposes.
A normal-looking Flash ad could be hiding a malicious script that silently redirects the browser to an exploit page attempting to infect the user’s computer automatically.
There are many challenges with identifying rogue Flash files. One of them is the fact that SWF (the Adobe Flash format) consists of ActionScript code that is compiled and therefore cannot be easily read without initial extraction. As with traditional malware, such code can be obfuscated in such ways that its intended payload is not clear to the naked eye or even a security scanner.
Testing ads prior to them being displayed is a monumental task. Ads will behave differently based on the user’s geo-location, operating system, cookies, etc. such that malicious behavior is only exhibited in specific circumstances. If this wasn’t enough, there are billions of ad impressions that happen in real time so scaling a validation system to match up with the volume is obviously costly.
Despite efforts from ad agencies to limit the problem and end users running various ad blockers, there does not seem to be one satisfactory and long-term solution to guaranteeing malware-free ads.
The ‘all or nothing’ approach employed by ad blocker software may be effective on a personal level but it simply cannot coexist with the desire and need of publishers to generate revenues from ads in order to keep offering new and free content.
At the same time, there needs to be better traceability and accountability within ad networks and ad agencies. The layered model is risky to begin with and offers an excuse to point the finger at someone else when something awry occurs.
There is a genuine interest for the advertising industry to fight malvertising, and not just an altruist concern to protect end users from malware infections. The fact that cybercriminals are also bidding on impressions is driving the overall prices up, giving false metrics, just like click-fraud does by wasting a lot of everyone’s money with fake activity.
While each party may seek its own solutions to safeguard its interest, the industry as a whole needs to act together and address the problems directly. After all, we should not give consumers another reason to hate ads.
Segura is a senior security researcher at Malwarebytes Labs, focusing on Web-based threats and scams. After spending over eight years cleaning malware off personal computers and compromised websites, he now focuses on studying cybercrime trends and new exploitation techniques.
