
Attacks/Breaches
10/19/2016 11:00 AM
Kaiying Fu
Commentary

Malvertising Trends: Don't Talk Ad Standards Without Ad Security

How malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly - and what online publishers and security leaders need to do about it.

The launching of AdBlock Plus’ new Acceptable Ads Platform is indicative of how the conversation on ad governance has strayed off-course. There are reasons why people want ad-block, and reasons why they need it. But by allowing display ads that conform to their supposed guidelines, AdBlock Plus negated its own security benefit. Loath to support ad-blocking as a means of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don’t get me wrong, this is all good. But aren’t we forgetting that bad ads also include malware ads?

When Forbes readers were hit by a malvertising campaign earlier this year, site legitimacy was proven to be no guarantee for safe content. Appealing to the goodwill of visitors to disable their ad blockers meant exposing them to malware. Visitors have every reason not to comply. Maybe they would in the beginning—because security isn’t easy to market—but not for long.

Excite site owners about performance boosts and sell them on the regulatory compliance benefits. Those in the information security industry know that "too-good" security isn't the sexiest part of a product and that safety is low on the list of concerns for both site owners and their visitors. But the malvertising threat is only going to grow because malware has found a sweet spot in ad networks. Will site owners and their visitors find themselves standing in different camps when the situation blows up? What will more aesthetically pleasing ads really do to protect visitors?

Ransomware Trends Lead the Way
Trends in ransomware show it repeatedly adapting to malvertising as it evolves. From the powerful profiling capabilities of ad server networks to weak security in the machine-to-machine real-time bidding ad placement system and, of course, Flash vulnerabilities that can be exploited in rich media ads, malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly.

Fired without a Trigger
The introduction of rich media ads allowed drive-by attacks to be triggered without any visitor interaction. A popular threat vector is video ads, whose complex code is harder to screen for malware. While the original VAST video standard relied on XML and avoided the use of JavaScript, the newer VPAID format exposes viewers to script injection and the other vulnerabilities Adobe Flash is notoriously fraught with. Unfortunately, static ads aren't a failsafe either. Discovered by Proofpoint in late July, AdGholas was the first malvertising campaign to employ steganography, embedding executable JavaScript code within an image's metadata.
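To make the AdGholas screening problem concrete, here is an added example (written for this page, not Proofpoint's or any vendor's tooling) of what a creative-screening step for static images can look like: it walks a PNG chunk by chunk, verifies each chunk's CRC, decodes the tEXt/zTXt/iTXt metadata chunks and flags any that contain script-like fragments. The indicator list and the sample image are constructed for the example; a production screener would cover JPEG/EXIF segments as well, and would treat a hit as one signal among several, since the loader script that reads hidden data can fetch it by other means.

```python
"""Screen a PNG ad creative for script-like payloads hidden in its metadata.

Example code written for this page (not Proofpoint's or any vendor's tool).
"""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

# Constructed indicator list: fragments that have no business in image metadata.
SCRIPT_INDICATORS = [
    re.compile(rb"eval\s*\("),
    re.compile(rb"<script", re.IGNORECASE),
    re.compile(rb"document\.(write|createElement)"),
    re.compile(rb"String\.fromCharCode"),
    re.compile(rb"unescape\s*\("),
]


def iter_chunks(data):
    """Yield (chunk type, payload) for each PNG chunk, verifying each CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break


def text_from_chunk(ctype, payload):
    """Decode a tEXt/zTXt/iTXt chunk into (keyword, text), both as bytes."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        return keyword, zlib.decompress(rest[1:])  # rest[0] is the compression method
    # iTXt: compression flag, compression method, language tag, translated keyword, text
    comp_flag, rest = rest[0], rest[2:]
    _lang, _, rest = rest.partition(b"\x00")
    _translated, _, text = rest.partition(b"\x00")
    return keyword, zlib.decompress(text) if comp_flag == 1 else text


def scan_png(data):
    """Return (chunk type, keyword, indicator) for every hit in the text chunks."""
    findings = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, text = text_from_chunk(ctype, payload)
        for pattern in SCRIPT_INDICATORS:
            if pattern.search(text):
                findings.append((ctype.decode(), keyword.decode(errors="replace"),
                                 pattern.pattern.decode()))
    return findings


def png_chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(hidden_text=None):
    """Constructed 1x1 grayscale PNG; optionally adds a zTXt chunk carrying hidden_text."""
    chunks = [
        png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
        png_chunk(b"tEXt", b"Comment\x00constructed sample creative"),
    ]
    if hidden_text is not None:
        chunks.append(png_chunk(b"zTXt", b"Description\x00\x00" + zlib.compress(hidden_text)))
    chunks.append(png_chunk(b"IDAT", zlib.compress(b"\x00\x00")))  # filter byte + one pixel
    chunks.append(png_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    print("clean creative:", scan_png(build_sample_png()))
    print("hidden text:", scan_png(build_sample_png(b"eval(String.fromCharCode(104,105))")))
```

The CRC check matters for more than correctness: a creative whose chunk CRCs do not verify has been tampered with after encoding, which is itself worth a rejection in a screening pipeline.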

Benign Before Non-Targets (Fingerprinting)
It is not uncommon for malware writers to build in checks for virtualization to avoid detection by security analysts. A white paper released earlier in March by Malwarebytes and GeoEdge reported that Internet Explorer's XMLDOM ActiveX control contains a vulnerability exploited by the Angler exploit kit to check for the presence of security products and residential IP addresses. This technique has since been developed so that it can be coded into ad banners directly, rather than encrypted on exploit kit landing sites. This means non-targets are served benign ads, so malvertising campaigns can run undetected for long periods of time.

Impervious to Signature-based Security
Malvertising campaigns involving fileless infections like Kovter can easily avoid detection by regular antivirus software. This family of malware executes malicious code from browser or system memory rather than from files downloaded onto the hard drive. Kovter has also posed as Adobe Flash, Firefox, and then Chrome updates, and the fraudulent use of digital certificates has boosted the success of its exploits, as they tended to slip past signature-based endpoint solutions.

What Needs to Be Done
Ad server networks are in prime position to provide oversight and weed out malware ads early. According to a report by the Permanent Subcommittee on Investigations, however, ads typically pass through 5 to 6 intermediaries before reaching their audience. At any point within the chain, malicious ads could replace legitimate ads. In fact, ads are able to appear completely legitimate during ad-screening processes by delaying their payload delivery using the fingerprinting technique.

Although the programmatic nature of the ad-placement ecosystem makes it vulnerable to infiltration, the fact remains that millions of advertisements have to be selected and served within the few milliseconds a webpage takes to load. Fortunately, live ad verification solutions exist to help ad networks monitor campaigns that get corrupted along the way.

Major publishers are in a unique position to pressure ad servers to abide by higher ad-screening standards. Publishers that deploy Web application firewalls should also avoid whitelisting their ad servers, instead choosing to work exclusively with ad servers that abide by strong security protocols. The average site owner hoping to encourage visitors to disable ad-blocking can also do so by assuring visitors of the steps they've taken to provide better ad experiences that also take cybersecurity into consideration. If you're asking someone to let down their guard, tell them also that you've got their back.

Part of raising ad security standards could include restricting display-ad offerings to static types. Utilizing steganography in malvertising remains a novelty and also a sophisticated technique. Hence, having restrictions against HTML5 or Flash ads could vastly reduce the effectiveness of many out-of-the-box exploit kits purchased off the dark Web.
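One way to enforce the static-only policy suggested here at the ad-server or publisher boundary, given as added example code that is not from the article or any vendor: a VAST creative screener that rejects VPAID-driven, JavaScript and Flash media files (the script-capable formats described in the "Fired without a Trigger" section) and flags Wrapper redirects, since a wrapper means the real creative is fetched from yet another intermediary and cannot be judged from this document alone. The element and attribute names (MediaFile, type, apiFramework, Wrapper, VASTAdTagURI) are standard VAST; the sample documents and the allowed/blocked type lists are constructed assumptions for this example.

```python
"""Screen a VAST video ad document against a static-media-only policy.

Example code written for this page; the policy tables and sample tags are constructed.
"""
import xml.etree.ElementTree as ET

# Policy tables (constructed for this example; an allowlist, tuned per publisher).
ALLOWED_MEDIA_TYPES = {"video/mp4", "video/webm"}
BLOCKED_MEDIA_TYPES = {
    "application/javascript",
    "application/x-javascript",
    "application/x-shockwave-flash",
}
BLOCKED_API_FRAMEWORKS = {"VPAID"}


def classify_media_file(media_file):
    """Return ('accept' | 'reject', reason) for one <MediaFile> element."""
    mime = (media_file.get("type") or "").strip().lower()
    api = (media_file.get("apiFramework") or "").strip()
    if api.upper() in BLOCKED_API_FRAMEWORKS:
        return "reject", f"apiFramework={api} (script-driven creative)"
    if mime in BLOCKED_MEDIA_TYPES:
        return "reject", f"type={mime} (executable content)"
    if mime in ALLOWED_MEDIA_TYPES:
        return "accept", f"type={mime}"
    # Unknown types are rejected: the policy is an allowlist, not a blocklist.
    return "reject", f"type={mime or '<missing>'} not in allowlist"


def screen_vast(xml_text):
    """Return {'decision': ..., 'reasons': [...]} for a whole VAST document.

    A single blocked media file rejects the creative, because the player,
    not the screener, decides which MediaFile it will actually load.
    """
    root = ET.fromstring(xml_text)
    reasons = []
    # A Wrapper ad redirects to another server for the real creative; nothing
    # in this document tells us what will finally be served.
    for wrapper in root.iter("Wrapper"):
        uri_el = wrapper.find("VASTAdTagURI")
        uri = (uri_el.text or "").strip() if uri_el is not None else "<missing>"
        reasons.append(f"Wrapper redirect to {uri}")
    media_files = list(root.iter("MediaFile"))
    if not media_files and not reasons:
        reasons.append("no MediaFile elements")
    for mf in media_files:
        verdict, why = classify_media_file(mf)
        if verdict == "reject":
            reasons.append(why)
    return {"decision": "reject" if reasons else "accept", "reasons": reasons}


# Constructed sample documents (not real ad tags).
SAMPLE_STATIC = """<VAST version="3.0"><Ad id="c1"><InLine>
  <AdSystem>constructed</AdSystem><AdTitle>static sample</AdTitle>
  <Creatives><Creative><Linear><Duration>00:00:15</Duration><MediaFiles>
    <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
      <![CDATA[https://ads.example/creative.mp4]]></MediaFile>
  </MediaFiles></Linear></Creative></Creatives>
</InLine></Ad></VAST>"""

SAMPLE_VPAID = """<VAST version="3.0"><Ad id="c2"><InLine>
  <AdSystem>constructed</AdSystem><AdTitle>vpaid sample</AdTitle>
  <Creatives><Creative><Linear><Duration>00:00:15</Duration><MediaFiles>
    <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
      <![CDATA[https://ads.example/creative.mp4]]></MediaFile>
    <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID">
      <![CDATA[https://ads.example/vpaid.js]]></MediaFile>
  </MediaFiles></Linear></Creative></Creatives>
</InLine></Ad></VAST>"""

SAMPLE_WRAPPER = """<VAST version="3.0"><Ad id="c3"><Wrapper>
  <AdSystem>constructed</AdSystem>
  <VASTAdTagURI><![CDATA[https://next-hop.example/vast.xml]]></VASTAdTagURI>
</Wrapper></Ad></VAST>"""


if __name__ == "__main__":
    for name, doc in (("static", SAMPLE_STATIC), ("vpaid", SAMPLE_VPAID), ("wrapper", SAMPLE_WRAPPER)):
        print(name, screen_vast(doc))
```

Two practical notes. The screener is an allowlist on purpose: a creative with an unexpected or missing media type is rejected rather than waved through, which is the only stance that holds up when new formats appear. And because these documents arrive from intermediaries the publisher does not control, a deployment should parse them with a hardened XML parser (the defusedxml package, for instance) rather than the bare standard-library parser used here for brevity.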

Rolling out global standards is a great step forward. But to fail to address the cybersecurity holes plaguing the digital advertising industry at this point is to put a ticking time bomb on this positive development. What’s needed for the online content ecosystem is ad security, not ad blockers, and that can only be achieved if relevant parties act quickly.

Kaiying Fu is a security community specialist at Cloudbric, a cloud-based Security-as-a-Service (SECaaS) developed by Penta Security Systems. Together with the Cloudbric team, Kaiying strives to help the 99% of unprotected site owners become shielded from malicious web ...
Comments
Simmon Luis (User Rank: Apprentice), 12/20/2019 | 9:27:07 AM
buckelist
Highly informative post, thank you; this helps me a lot.

stephnienewyear (User Rank: Apprentice), 11/25/2019 | 1:35:47 AM
posting on comment
Advertising has changed a lot over the past couple of years. Many factors work just the opposite. Nice article, thank you for this one. https://statusquoteswishes.com

bell621iran (User Rank: Apprentice), 4/2/2019 | 9:05:18 AM
Re: Google teaming with . . . HA!
Your posts are simply wonderful. Please keep writing. Thank you.
Puzzle Games

bell621iran (User Rank: Apprentice), 4/2/2019 | 9:04:39 AM
Nice Post
Really, really wonderful articles and their good points. Thank you very much.
Arcade Games

amirkhan1 (User Rank: Apprentice), 1/30/2019 | 5:49:12 AM
Re: Google teaming
Great, thank you for sharing these cool and useful videos. I enjoyed the videos you shared because they provided a lot of knowledge for me.

Kolina (User Rank: Apprentice), 7/20/2018 | 11:06:00 AM
Re: Google teaming with ... HA!
I have the same feelings about Google's work on this. Well written.

AlexxelA1234 (User Rank: Apprentice), 8/6/2017 | 7:41:20 AM
Re: Google teaming with . . . HA!
This article is such a nice and interesting one; I'm very satisfied with the provided contents. I hope more excellent articles will be posted on your website. Thank you so much for this and keep sharing.
192.168.0.1 (https://19216801.mobi/)

twardejablko123 (User Rank: Apprentice), 11/29/2016 | 6:14:46 AM
ling fluent
I think that technology and internet progress is so fast that security programs can't handle all of that. Any new technology should be released with a security program.

Joe Stanganelli (User Rank: Ninja), 10/21/2016 | 11:18:37 AM
Re: Google teaming with . . . HA!
It's all very depressing. I miss the days when the very worst thing that could happen to you with ads was winding up in pop-up hell.

Actually, you know what I really miss? Pre-WWW, when it was all dialup BBSes and Usenet.

Maia2920 (User Rank: Apprentice), 10/21/2016 | 8:04:27 AM
Re: Google teaming with . . . HA!
Indeed. I agree with you and I think this principle applies in any field of interest. But it is true that the online world requires standards through security.