Upstart Takes Aim At Malvertising Attacks
Dasient provides telemetry on infected Web ads, unveils new service to shorten life of malvertisements
When The New York Times started serving up infected ads from its website late last year, the security industry dubbed the new attack "malvertising" and added it to the list of threats faced by users.
Despite the attention, however, the attacks didn't stop. Gizmodo, TechCrunch, and WhitePages.com are just some of the publishers that have been hit since last year, and many ad networks and other experts say they aren't sure how widespread the problem has become -- or how to stop it.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- Optimize Your SQL Environment for Performance & Flexibility
An emerging security company now says it has answers on both fronts. In an announcement issued today, Dasient offered details on the scope of the malvertising problem, as well as a new service designed to help publishers and ad networks reduce the damage done by infected ads.
Dasient says it has built a "telemetry" system that uses behavioral-based technology to detect and monitor malvertising on the Web. The service helps ad networks and publishers pinpoint the sources of the infections, enabling them to shorten the life of bad ads on the Web.
"We can identify when a malvertisement is being served, and when we do detect it, we can provide a full trace of all the places that the ad traversed," says Neil Daswani, one of Dasient's three founders. The publisher or the ad network can then decide whether to immediately shut off traffic from the network that is serving the ad or take the time to identify the offending ads and eliminate them, he says.
Perhaps just as important, the Dasient technology provides a window to help the industry view the scope of the problem. The company estimates that approximately 1.3 million malicious ads are viewed per day, and that the average life of a malvertisement is about 7.3 days.
Fifty-nine percent of malvertising attacks are manifested as drive-by downloads that the user never sees, according to Ameet Ranadive, another one of Dasient's founders. The other 41 percent are expressed as scareware -- fake security messages that pop up on the user's screen and encourage the person to download new software to fight a detected infection.
Malvertisements are introduced in one of two fashions, according to the two founders. In one scenario, the attacker opens a new advertising account using valid names and credit information stolen from a company or individual and then replaces vetted ads with infected ads after the account is active. In the other scenario, an attacker breaks into the account of a current advertiser and then uses its credentials to introduce infected ads.
"A big part of the problem is the scope and complexity of the way online ads are distributed," Daswani says. "There are so many new ads being posted all the time, there's no way for the ad networks to manage all of them, so the advertisers themselves often are given the ability to post new creative themselves.
"Once the ad is posted, there is a lot of complexity in the way publishers and ad networks interact to ensure that every ad slot gets filled," Daswani observes. Some publishers contract with multiple ad networks, and many ad networks contract with other ad networks to optimize ad distribution and maximize revenue, he notes.
These complex interactions between advertisers, publishers, and ad networks can make finding an infected ad "like finding a needle in a haystack," Daswani says. Dasient's service is designed to track the bad ads as they cross a variety of domains, making it easier to identify them and stop the stream.
"The average lifetime of a malvertisement is 7.3 days," Ranadive says. "What we're trying to do is bring that number down, which reduces the threat and makes it less attractive for the bad guys."
The new service could also help ad networks and law enforcement to identify the source that uploaded the malvertisement in the first place, Daswani says. "Some networks, like Google, have a zero-tolerance policy that allows them to take an advertiser out of the network if they introduce an infected ad," he notes.
The service is available now and can be combined with Dasient's Web anti-malware service (WAM), which was introduced earlier this year.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.