Malvertising – or malicious online ads that spread code to commit ad fraud or access a user’s data – might not induce the same industry-wide concern of viewability and fraud, but it’s still an issue. An IAB report from November estimated the cost of malvertising attacks to be more than $200 million – And that’s only the immediate lost ad revenue, not counting money spent on products, third-party contracts or employees.
Some ad tech companies, like engage:BDR, see the benefits of jumping on the issue to win business and differentiate in a vast and confusing competitive landscape.
The pop news publisher First Slice Media recently moved its ad tech vendor to engage:BDR based in large part on “engage:BDR’s pitch on the impact of malvertising and fraud and their thoughts on an industrywide approach to a solution,” said CEO Branden Hampton.
Though First Slice’s malvertising problems cost relatively little compared to impact on user experience and site quality, it has been compromised on multiple occasions in recent weeks. It once had an ad, for instance, that auto-directed all visitors to an app-download page. Another time, a pop-up for an “adult offer” was injected by a plugin over the site page.
“We’re a small startup,” said Hampton, “so when we partner with engage, they’re practically our top-to-bottom solution.”
It isn’t just small sites that open the door for malicious ad code – many security researchers note that large publishers are more attractive dispersion vehicles.
Since this summer, for instance, cybersecurity researchers have identified malvertising attacks from Forbes, The Huffington Post, the Daily Mail and Yahoo.
That outsiders were necessary to identify fraudulent code within publisher ad-serving domains is also typical. Good malware is designed to go undetected, especially by the publisher or ad tech company involved.
One technique criminals use is “conditional triggering,” when an apparently clean ad passes a security check, but is designed to activate later, said Jérôme Segura, senior security researcher at the anti-malware shop Malwarebytes.
The malware itself sits on a cloud service, such as Amazon Web Services or CloudShare, and the malicious code that’s embedded in the ad-serving or delivery machines doesn’t always expose itself by calling the malware on the cloud.
“(Malvertising) campaigns are active for ten minutes during the day,” said Segura. “But for people testing the ad in their lab. If they’re not testing during that window, they’ll miss it.”
Late at night or on long weekends, when hands-on service isn’t available, malware scripts will ramp up their activity. Said engage:BDR co-founder and CEO Ted Dhanik. Once exposed, malware is easily expunged, but it’s difficult to respond to attacks immediately.
Like fruit flies, individual pieces of malware don’t need to have a long lifecycle to spread rampantly. By the time IT or security tech patches the breach, the script hhas likely infected new users, which is “a kind of malvertising conversion of its own,” said Elias Manousos, co-founder and CEO of the digital security firm RiskIQ.
Ad tech, in effect, becomes the gatekeeper. “We see people posing as small agencies that we have solid relationships with. And they’ll have very close emails to those who we’re accustomed to seeing,” said Dhanik. He also pointed to a recent case where malware tried to disguise itself as an engage:BDR ad serving domain, ebdr:6. In fact, engage:BDR’s regular ad-serving domains are named ebdr:1 through ebdr:4.
Dhanik said engage;BDR caught on to the trick when a regular buyer followed up about a different domain being called.
But as much as ad tech functions as a malware gatekeeper, it also is a facilitator, Segura said. Malware developers can take advantage of ad tech targeting systems to push its malicious code only to certain browsers, usually Internet Explorer. (Safari, Chrome, or Firefox might trigger a social engineering message: “Your computer is compromised, click here to clean it up!”)
Additionally, some malware campaigns are designed to affect IP addresses in certain locales, like North America, or even certain cities, like Chicago or Boston. “If you’re testing and not in a certain city, you won’t see the payload,” Segura said. “That’s really smart. That’s something they leverage through ad platforms: that ability to profile victims, not only with where they live but also by age bracket, estimate of average wage – to really customize the payload they want to distribute.”
These aren’t deceptions intended to be foolproof, only to remain up long enough to reach new site visitors with vulnerable browsers. Manousos said that advertisers wouldn’t think much of spending a few dollars pushing their message to a couple thousand users, but that’s all “a malvertising campaign” needs to ensure profitability and momentum.
It’s a more intimate threat, said Dhanik. It’s unnerving to see malicious coders with detailed knowledge of engage:BDR’s network and client communication.
Employees can be trained to recognize and monitor for phishing emails, First Slice can block certain installs or plugins, but the only viable solution available seems to be a costly, boots-on-the-ground defense.
Dhanik said the costs for engage:BDR represent 20% or more of overall revenue. The company maintains relationships with RiskIQ and MediaTrust, plus the time and effort spent on an internal fraud-detection solution. There are also the increased demands for senior sys admin and cybersecurity experts on hand.
Manousos compared ad tech anti-malvertising efforts to building a castle, meaning that it’s only effective if there are trained soldiers in place to defend it.
“If (malvertising) keeps growing like it has,” said Dhanik, “ then it will be cost prohibitive to some in the ecosystem.”