
Attacks/Breaches

10/19/2016 11:00 AM
Kaiying Fu
Commentary

Malvertising Trends: Don’t Talk Ad Standards Without Ad Security

How malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly - and what online publishers and security leaders need to do about it.

The launch of AdBlock Plus’ new Acceptable Ads Platform shows how far the conversation on ad governance has strayed off course. There are reasons why people want ad blocking, and reasons why they need it. But by allowing display ads that conform to its own guidelines, AdBlock Plus negated its own security benefit. Loath to support ad blocking as a means of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don’t get me wrong, this is all good. But aren’t we forgetting that bad ads also include malware ads?

When Forbes readers were hit by a malvertising campaign earlier this year, site legitimacy proved to be no guarantee of safe content. Appealing to the goodwill of visitors to disable their ad blockers meant exposing them to malware. Visitors have every reason not to comply. Maybe they would in the beginning—because security isn’t easy to market—but not for long.

Site owners are excited by performance boosts and can be sold on regulatory compliance benefits. Those in the information security industry know that "too-good" security isn’t the sexiest part of a product, and that safety is low on the list of concerns for both site owners and their visitors. But the malvertising threat is only going to grow, because malware has found a sweet spot in ad networks. Will site owners and their visitors find themselves standing in different camps when the situation blows up? What will more aesthetically pleasing ads really do to protect visitors?

Ransomware Trends Lead the Way
Trends in ransomware show malvertising being adopted again and again as a delivery channel. From the powerful profiling capabilities of ad server networks, to weak security in the machine-to-machine real-time bidding ad placement system, to the Flash vulnerabilities that can be exploited in rich media ads, malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly.

Fired without a Trigger
The introduction of rich media ads allowed drive-by attacks to be triggered without any visitor interaction. Video ads are a popular threat vector, because their complex code is harder to screen for malware. While the original VAST video standard relied on XML and avoided the use of JavaScript, the newer VPAID format exposes viewers to script injection and the other vulnerabilities Adobe Flash is notoriously fraught with. Unfortunately, static ads aren’t a failsafe either. Discovered by Proofpoint in late July, AdGholas was the first malvertising campaign to employ steganography, embedding executable JavaScript code within an image’s metadata.

Benign Before Non-Targets (Fingerprinting)
It is not uncommon for malware writers to build in checks for virtualization to avoid detection by security analysts. A white paper released in March by Malwarebytes and GeoEdge reported that Internet Explorer’s XMLDOM ActiveX control contains a vulnerability exploited by the Angler exploit kit to check for the presence of security products and for residential IP addresses. This technique has since been adapted so that the check is coded directly into the ad banner, rather than hidden in encrypted form on the exploit kit’s landing page. The result is that non-targets are served benign ads, so malvertising campaigns can run undetected for long periods of time.

Impervious to Signature-based Security
Malvertising campaigns involving fileless infections such as Kovter can easily avoid detection by conventional antivirus software. This family of malware executes malicious code from browser or system memory rather than from files written to disk. Kovter has also posed as Adobe Flash, Firefox, and then Chrome updates, and its fraudulent use of digital certificates has further boosted its success, as the signed binaries tended to slip past signature-based endpoint solutions.

What Needs to Be Done
Ad server networks are in a prime position to provide oversight and weed out malware ads early. According to a report by the Permanent Subcommittee on Investigations, however, ads typically pass through 5 to 6 intermediaries before reaching their audience. At any point within that chain, a malicious ad can replace a legitimate one. In fact, by using the fingerprinting technique to delay payload delivery, ads can appear completely legitimate throughout the ad-screening process.

Although the programmatic nature of the ad-placement ecosystem makes it vulnerable to infiltration, the fact remains that millions of advertisements have to be selected and served in less time than the milliseconds a webpage takes to load. Fortunately, live ad verification solutions exist to help ad networks monitor campaigns that get corrupted along the way.

Major publishers are in a unique position to pressure ad servers to abide by higher ad-screening standards. Publishers that deploy Web application firewalls should also avoid whitelisting their ad servers, and should instead work exclusively with ad servers that abide by strong security protocols. The average site owner hoping to encourage visitors to disable ad blocking can also do so by assuring visitors of the steps they’ve taken to provide better ad experiences that also take cybersecurity into consideration. If you're asking someone to let down their guard, tell them also that you've got their back.

Part of raising ad security standards could include restricting display-ad offerings to static types. Using steganography in malvertising remains a novelty and a sophisticated technique. Hence, restricting HTML5 or Flash ads could vastly reduce the effectiveness of many out-of-the-box exploit kits purchased off the dark Web.

Rolling out global standards is a great step forward. But to fail to address the cybersecurity holes plaguing the digital advertising industry at this point is to strap a ticking time bomb to this positive development. What the online content ecosystem needs is ad security, not ad blockers, and that can only be achieved if the relevant parties act quickly.
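Two of the points above, restricting creatives to static image types and screening image metadata for embedded script (the AdGholas technique), can be turned into a mechanical pre-serving check. The Python screener below is an added example written for this page; it is not code from the article, from Cloudbric, or from any ad network. The allow-list of creative types, the script-marker regular expression, and the sample creatives are constructed assumptions; only the PNG chunk layout (tEXt/zTXt/iTXt, trailing data after IEND) follows the PNG specification.

```python
import re
import struct
import zlib

# Constructed policy: only static image creatives are accepted (the restriction
# proposed in the article); HTML5, Flash and script creatives are rejected outright.
ALLOWED_CREATIVE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Heuristic (assumed, not exhaustive) markers of script hidden in image metadata.
SCRIPT_MARKERS = re.compile(
    rb"<script|javascript:|eval\s*\(|fromCharCode|document\.|window\.",
    re.IGNORECASE,
)

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt"}


def parse_png(data):
    """Split a PNG into (chunks, trailing_bytes). Bytes after IEND are ignored
    by image decoders, which makes them a convenient hiding place."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length (4) + type (4) + body + CRC (4)
        chunks.append((ctype, body))
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def text_chunk_payload(ctype, body):
    """Return (keyword, text) for the three PNG textual chunk types."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        return keyword, rest
    if ctype == b"zTXt":
        return keyword, zlib.decompress(rest[1:])  # skip compression-method byte
    if ctype == b"iTXt":
        compressed = rest[0]
        rest = rest[2:]  # compression flag + compression method
        _lang, _, rest = rest.partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        return keyword, zlib.decompress(text) if compressed else text
    return keyword, b""


def screen_creative(content_type, data):
    """Return a list of findings; an empty list means the creative passed."""
    findings = []
    if content_type not in ALLOWED_CREATIVE_TYPES:
        findings.append(f"rejected creative type {content_type}: static images only")
        return findings
    if content_type != "image/png":
        return findings  # this example only inspects PNG internals
    chunks, trailing = parse_png(data)
    for ctype, body in chunks:
        if ctype in TEXT_CHUNK_TYPES:
            keyword, text = text_chunk_payload(ctype, body)
            if SCRIPT_MARKERS.search(text):
                findings.append(
                    f"script-like content in {ctype.decode()} chunk "
                    f"'{keyword.decode(errors='replace')}'"
                )
    if trailing.strip(b"\x00"):
        findings.append(f"{len(trailing)} bytes appended after IEND")
    return findings


# --- constructed sample creatives (not real ads) ---------------------------

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailing=b""):
    """Build a valid 1x1 RGBA PNG with optional extra chunks and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")  # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing


CLEAN_CREATIVE = build_png([(b"tEXt", b"Comment\x00Autumn sale banner 300x250")])

SUSPICIOUS_CREATIVE = build_png(
    [
        (b"tEXt", b"Comment\x00banner"),
        (b"zTXt", b"Software\x00\x00" + zlib.compress(b"var p=eval(String.fromCharCode(104,105));")),
    ],
    trailing=b"<script>/* constructed marker, not a payload */</script>",
)

if __name__ == "__main__":
    samples = [("clean", "image/png", CLEAN_CREATIVE),
               ("suspicious", "image/png", SUSPICIOUS_CREATIVE),
               ("flash", "application/x-shockwave-flash", b"FWS")]
    for name, ctype, blob in samples:
        print(name, screen_creative(ctype, blob) or "passed")
```

The screener runs offline on the constructed samples. In production a publisher or network would extend it to JPEG and GIF metadata (EXIF, XMP, comment segments) and treat it as one layer only: marker lists are easy to evade, so a creative that passes still belongs in a sandboxed render before it is approved.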

Kaiying Fu is a security community specialist at Cloudbric - a cloud based Security-as-a-Service (SECaaS) developed by Penta Security Systems. Together with the Cloudbric team, Kaiying strives to help the 99% of unprotected site owners become shielded from malicious web ...

Comments
bell621iran, User Rank: Apprentice
4/2/2019 | 9:05:18 AM
Re: Google teaming with . . . HA!
Your posts are simply wonderful. Please keep writing. Thank you.
bell621iran, User Rank: Apprentice
4/2/2019 | 9:04:39 AM
Nice Post
Really, really wonderful articles and their good points. Thank you very much.
amirkhan1, User Rank: Apprentice
1/30/2019 | 5:49:12 AM
Re: Google teaming
Great, thank you for sharing these cool and useful videos. I enjoyed the videos you shared because they provided a lot of knowledge for me.
Kolina, User Rank: Apprentice
7/20/2018 | 11:06:00 AM
Re: Google teaming with ... HA!
I have the same feelings about Google's work on this. Great writing.
AlexxelA1234, User Rank: Apprentice
8/6/2017 | 7:41:20 AM
Re: Google teaming with . . . HA!
This article is such a nice and interesting one; I'm very satisfied with the provided contents. I hope more excellent articles will be posted on your website. Thank you so much for this and keep sharing.
twardejablko123, User Rank: Apprentice
11/29/2016 | 6:14:46 AM
ling fluent
I think that technology and internet progress is so fast that security programs can't handle all of that. Any new technology should be released with a security program.
Joe Stanganelli, User Rank: Ninja
10/21/2016 | 11:18:37 AM
Re: Google teaming with . . . HA!
It's all very depressing. I miss the days when the very worst thing that could happen to you with ads was winding up in pop-up hell.

Actually, you know what I really miss? Pre-WWW, when it was all dialup BBSes and Usenet.
Maia2920, User Rank: Apprentice
10/21/2016 | 8:04:27 AM
Re: Google teaming with . . . HA!
Indeed. I agree with you, and I think this principle applies in any field of interest. But it is true that the online world requires standards through security.
twardejablko123, User Rank: Apprentice
10/20/2016 | 9:22:16 AM
Re: product-club IT
Advertising has changed a lot over the last couple of years. Many factors work just the opposite. Nice article, thank you for this one.
ted90, User Rank: Guru
10/20/2016 | 5:08:13 AM
192.168.1.1
Good job guys, thanks for the useful and interesting information!