There’s another saying in the security community, Curran said: “If you want to be secure online, don’t buy a computer – and if you do buy a computer, don’t plug it in.”
Although the Trustworthy Accountability Group, an industrywide fraud-fighting coalition comprised of the IAB, ANA and 4As, hasn’t made an official comment on the Internet of Things, malware is one of its major focus areas.
“Criminals promulgate malware through malicious piece of code, often through advertising, and then take over people’s computers and create botnets,” said TAG President and CEO Mike Zaneis. “From there they can generate fraudulent traffic at whatever levels they want and start pushing traffic to websites they own that have pirated content on it.”
In theory, there’s no reason this sort of activity will be limited to the realm of online advertising.
“One scary scenario is that somebody could buy a zero-day exploit for a particular type of home router, for example, that’s installed across the US,” said Forensiq chief scientist Mike Andrews. “And if they have the right network card, software on a desktop computer and a connection to the Internet, it’s possible to scan billions of IP addresses to find those devices and then, at a rate of maybe a million a day, they can go and install a headless browser to commit ad fraud that way and make a lot of money."
Curran put it more bluntly: “In the future, when toasters are connected to the Internet, how do you know they won’t be running a spam botnet?”
Of course, it’s well known that fraudsters follow the money, which makes IoT-based fraud a future-facing scenario. But Alex Calic, CRO of The Media Trust, says his team has noticed “some early activity that makes us think the bad guys are testing what’s possible through those platforms.”
The Media Trust operates a malware monitoring network. Although the bulk of its business is around keeping an eye on the web, connected TVs and gaming consoles are also part of its purview.
“Smart TVs have apps on them and they’re a great playground for criminals to expand what they do,” Calic said. “As the ad tech ecosystem becomes more mature and capable and becomes better at targeting TVs and devices with advertising, you’ll start seeing the proliferation of malware.”
There are two basic types of security intrusions, Calic said. One is when people try to hack into a specific network or platform. The other involves using third-party code to get into those environments.
“Ad tech is the greatest third-party code there is – sign up for self-serve and you can get malware through the ecosystem pretty quickly,” Calic said. “Ad tech will lead the malware guys into those new environments. It’s simpler than a brute force attack.”