03:40 PM

Upstart Takes Aim At Malvertising Attacks

Dasient provides telemetry on infected Web ads, unveils new service to shorten life of malvertisements

When The New York Times started serving up infected ads from its website late last year, the security industry dubbed the new attack "malvertising" and added it to the list of threats faced by users.

Despite the attention, however, the attacks didn't stop. Gizmodo, TechCrunch, and WhitePages.com are just some of the publishers that have been hit since last year, and many ad networks and other experts say they aren't sure how widespread the problem has become -- or how to stop it.

An emerging security company now says it has answers on both fronts. In an announcement issued today, Dasient offered details on the scope of the malvertising problem, as well as a new service designed to help publishers and ad networks reduce the damage done by infected ads.

Dasient says it has built a "telemetry" system that uses behavioral-based technology to detect and monitor malvertising on the Web. The service helps ad networks and publishers pinpoint the sources of the infections, enabling them to shorten the life of bad ads on the Web.

"We can identify when a malvertisement is being served, and when we do detect it, we can provide a full trace of all the places that the ad traversed," says Neil Daswani, one of Dasient's three founders. The publisher or the ad network can then decide whether to immediately shut off traffic from the network that is serving the ad or take the time to identify the offending ads and eliminate them, he says.

Perhaps just as important, the Dasient technology provides a window to help the industry view the scope of the problem. The company estimates that approximately 1.3 million malicious ads are viewed per day, and that the average life of a malvertisement is about 7.3 days.

Fifty-nine percent of malvertising attacks are manifested as drive-by downloads that the user never sees, according to Ameet Ranadive, another one of Dasient's founders. The other 41 percent are expressed as scareware -- fake security messages that pop up on the user's screen and encourage the person to download new software to fight a detected infection.

Malvertisements are introduced in one of two fashions, according to the two founders. In one scenario, the attacker opens a new advertising account using valid names and credit information stolen from a company or individual and then replaces vetted ads with infected ads after the account is active. In the other scenario, an attacker breaks into the account of a current advertiser and then uses its credentials to introduce infected ads.

"A big part of the problem is the scope and complexity of the way online ads are distributed," Daswani says. "There are so many new ads being posted all the time, there's no way for the ad networks to manage all of them, so the advertisers themselves often are given the ability to post new creative themselves.

"Once the ad is posted, there is a lot of complexity in the way publishers and ad networks interact to ensure that every ad slot gets filled," Daswani observes. Some publishers contract with multiple ad networks, and many ad networks contract with other ad networks to optimize ad distribution and maximize revenue, he notes.

These complex interactions between advertisers, publishers, and ad networks can make finding an infected ad "like finding a needle in a haystack," Daswani says. Dasient's service is designed to track the bad ads as they cross a variety of domains, making it easier to identify them and stop the stream.

"The average lifetime of a malvertisement is 7.3 days," Ranadive says. "What we're trying to do is bring that number down, which reduces the threat and makes it less attractive for the bad guys."

The new service could also help ad networks and law enforcement to identify the source that uploaded the malvertisement in the first place, Daswani says. "Some networks, like Google, have a zero-tolerance policy that allows them to take an advertiser out of the network if they introduce an infected ad," he notes.

The service is available now and can be combined with Dasient's Web anti-malware service (WAM), which was introduced earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.