As malicious attackers continue to target the online advertising ecosystem that drives today's Internet economy, increasing numbers of large online brands have been forced to find ways to stem the fraud of malvertising. Facebook made one such step today, announcing that it plans to offer big incentives to white hat hackers who find and report flaws in its advertising platform through the company's bug bounty program. Facebook says that for the rest of 2014 it will offer double bounties for vulnerabilities found in its advertising platform UI, API, analytics tools, and in the backend code that helps it target, deliver, bill, and measure ads.
"We hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them," Facebook said in a blog announcing the bounty increase.
The move can be seen as evidence that large Internet firms like Facebook understand the challenge they face as the criminals have found attacking advertising platforms to be highly profitable endeavors for a number of reasons.
"Ad platforms have been a major channel for real damage against both users and the companies that service them," says Dan Kaminsky, chief scientist for WhiteOps. "Malvertising pops up as a method for distributing malware, and the trend of click and impression fraud can bankrupt a firm while deeply enriching fraudsters."
While malvertising is often most associated with click fraud, some security researchers now believe it is gaining prevalence as a distribution method and may rival current exploit kits as a distribution method. Because of the way attackers abuse these platforms, some security experts wonder how effective simply doubling the bounty on flaws within Facebook's ad platform code will really be at solving the malvertising problem for Facebook customers and users.
"Today's malvertising campaigns are not due to flaws in any given ad bidding platform. The issue is that real-time ad bidding allows advertising bid winners to redirect to self-hosted content outside the control of the ad platform," explains Pat Belcher, head analyst of security analytics for Invincea. "Malvertisers are winning ad bids, redirecting visitors to exploit kits that are online for just a few minutes, and delivering malicious payloads to whomever they wish to target using the targeting capabilities of the real-time ad bidding platform providers."
Invincea reportedly also is seeing a rise in malvertising targeting defense contractors in cyber espionage attacks. The company plans to publish a report tomorrow on these attacks.
In this case, Facebook may simply be going through a CYA process, but the fundamental problems with how the platform works aren't necessarily going to be fixed.
"The problem with malvertising will continue, but at least Facebook can say it is not a flaw in their actual platform," Belcher says.
However, as Kaminsky explains, every step to thwart attackers offers some positive benefits.
"The fewer places for bad guys to hide, the better. And this has been a very profitable place for them to hide," he says.