Home Online Advertising Fight Against Malvertising Drives Business, But Winning Is Tough

Fight Against Malvertising Drives Business, But Winning Is Tough

SHARE:

malvertisingimgMalvertising – or malicious online ads that spread code to commit ad fraud or access a user’s data – might not induce the same industry-wide concern of viewability and fraud, but it’s still an issue. An IAB report from November estimated the cost of malvertising attacks to be more than $200 million – And that’s only the immediate lost ad revenue, not counting money spent on products, third-party contracts or employees.

Some ad tech companies, like engage:BDR, see the benefits of jumping on the issue to win business and differentiate in a vast and confusing competitive landscape.

The pop news publisher First Slice Media recently moved its ad tech vendor to engage:BDR based in large part on “engage:BDR’s pitch on the impact of malvertising and fraud and their thoughts on an industrywide approach to a solution,” said CEO Branden Hampton.

Though First Slice’s malvertising problems cost relatively little compared to impact on user experience and site quality, it has been compromised on multiple occasions in recent weeks. It once had an ad, for instance, that auto-directed all visitors to an app-download page. Another time, a pop-up for an “adult offer” was injected by a plugin over the site page.

“We’re a small startup,” said Hampton, “so when we partner with engage, they’re practically our top-to-bottom solution.”

It isn’t just small sites that open the door for malicious ad code – many security researchers note that large publishers are more attractive dispersion vehicles.

Since this summer, for instance, cybersecurity researchers have identified malvertising attacks from Forbes, The Huffington Post, the Daily Mail and Yahoo.

That outsiders were necessary to identify fraudulent code within publisher ad-serving domains is also typical. Good malware is designed to go undetected, especially by the publisher or ad tech company involved.

One technique criminals use is “conditional triggering,” when an apparently clean ad passes a security check, but is designed to activate later, said Jérôme Segura, senior security researcher at the anti-malware shop Malwarebytes.

The malware itself sits on a cloud service, such as Amazon Web Services or CloudShare, and the malicious code that’s embedded in the ad-serving or delivery machines doesn’t always expose itself by calling the malware on the cloud.

“(Malvertising) campaigns are active for ten minutes during the day,” said Segura. “But for people testing the ad in their lab. If they’re not testing during that window, they’ll miss it.”

Late at night or on long weekends, when hands-on service isn’t available, malware scripts will ramp up their activity. Said engage:BDR co-founder and CEO Ted Dhanik. Once exposed, malware is easily expunged, but it’s difficult to respond to attacks immediately.

Like fruit flies, individual pieces of malware don’t need to have a long lifecycle to spread rampantly. By the time IT or security tech patches the breach, the script hhas likely infected new users, which is “a kind of malvertising conversion of its own,” said Elias Manousos, co-founder and CEO of the digital security firm RiskIQ.

Ad tech, in effect, becomes the gatekeeper. “We see people posing as small agencies that we have solid relationships with. And they’ll have very close emails to those who we’re accustomed to seeing,” said Dhanik. He also pointed to a recent case where malware tried to disguise itself as an engage:BDR ad serving domain, ebdr:6. In fact, engage:BDR’s regular ad-serving domains are named ebdr:1 through ebdr:4.

Dhanik said engage;BDR caught on to the trick when a regular buyer followed up about a different domain being called.

But as much as ad tech functions as a malware gatekeeper, it also is a facilitator, Segura said. Malware developers can take advantage of ad tech targeting systems to push its malicious code only to certain browsers, usually Internet Explorer. (Safari, Chrome, or Firefox might trigger a social engineering message: “Your computer is compromised, click here to clean it up!”)

Additionally, some malware campaigns are designed to affect IP addresses in certain locales, like North America, or even certain cities, like Chicago or Boston. “If you’re testing and not in a certain city, you won’t see the payload,” Segura said. “That’s really smart. That’s something they leverage through ad platforms: that ability to profile victims, not only with where they live but also by age bracket, estimate of average wage – to really customize the payload they want to distribute.”

These aren’t deceptions intended to be foolproof, only to remain up long enough to reach new site visitors with vulnerable browsers. Manousos said that advertisers wouldn’t think much of spending a few dollars pushing their message to a couple thousand users, but that’s all “a malvertising campaign” needs to ensure profitability and momentum.

It’s a more intimate threat, said Dhanik. It’s unnerving to see malicious coders with detailed knowledge of engage:BDR’s network and client communication.

Employees can be trained to recognize and monitor for phishing emails, First Slice can block certain installs or plugins, but the only viable solution available seems to be a costly, boots-on-the-ground defense.

Dhanik said the costs for engage:BDR represent 20% or more of overall revenue. The company maintains relationships with RiskIQ and MediaTrust, plus the time and effort spent on an internal fraud-detection solution. There are also the increased demands for senior sys admin and cybersecurity experts on hand.

Manousos compared ad tech anti-malvertising efforts to building a castle, meaning that it’s only effective if there are trained soldiers in place to defend it.

“If (malvertising) keeps growing like it has,” said Dhanik, “ then it will be cost prohibitive to some in the ecosystem.”

 

Must Read

San Jose, CA - June 1, 2023: Closeup of Georgia Pacific Angel Soft kinds of toilet paper on a shelf. Each roll is individually wrapped.

How Georgia-Pacific Rolled Out Its Own Programmatic Media Team

Georgia-Pacific spent years building an in-house media and measurement team, and ended up with a hybrid model that keeps digital execution inside while leaving TV and CTV to its agency.

This Marketing Consultancy Deciphers Consumers’ Brand Associations – And Doesn’t Believe In Segmentation

Triggers’ latest feature tracks how brand perceptions change over time by looking at consumer memories and subconscious associations.

With Match Rates Falling, Is Effective Attribution Just An Illusion?

Attribution isn’t all it’s cracked up to be. Just ask Cimin Ahmadi Cohen, founder and CEO of Idea Peddler, a full-service agency based in Austin Texas.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Google’s Meridian And Meta’s Robyn: A Gift To Measurement Or Trojan Horses?

Google and Meta are quietly rewriting the rules of ad measurement, and they’re doing it with open-source marketing mix modeling tools that many marketers don’t even realize they’re using.

This New Training Framework Gives Publishers A Say In How AI Uses Their Work

The SAIL initiative compensates publishers when AI scrapes their content and guarantees the outputs adhere to the same cultural standards they apply to their own coverage.

AI Is Spreading Inaccurate Information About Brands. This Tool Can Help Fix That

Brands can’t just focus on how often they show up in AI search. They also need to pay attention to accuracy – and know what to do when AI gets it wrong.