
Attacks/Breaches
Commentary
10/19/2016 11:00 AM
Kaiying Fu

Malvertising Trends: Don't Talk Ad Standards Without Ad Security

How malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly - and what online publishers and security leaders need to do about it.

The launch of AdBlock Plus’ new Acceptable Ads Platform shows how far the conversation on ad governance has strayed off course. There are reasons why people want ad blocking, and reasons why they need it. But by allowing display ads that conform to its supposed guidelines, AdBlock Plus has negated its own security benefit. Loath to support ad blocking as a way of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don’t get me wrong, this is all good. But aren’t we forgetting that bad ads also include malware ads?

When Forbes readers were hit by a malvertising campaign earlier this year, site legitimacy proved to be no guarantee of safe content. Appealing to visitors’ goodwill to get them to disable their ad blockers meant exposing them to malware. Visitors have every reason not to comply. Maybe they would in the beginning—because security isn’t easy to market—but not for long.

Security is sold by exciting site owners about performance boosts and selling them regulatory compliance benefits. Those in the information security industry know that "too-good" security isn’t the sexiest part of a product, and that safety is low on the list of concerns for both site owners and their visitors. But the malvertising threat is only going to grow, because malware has found a sweet spot in ad networks. Will site owners and their visitors find themselves in different camps when the situation blows up? And what will better-looking ads really do to protect visitors?

Ransomware Trends Lead the Way
Ransomware keeps adapting to malvertising as a recurring delivery channel. From the powerful profiling capabilities of ad server networks, to weak security in the machine-to-machine real-time bidding ad placement system and, of course, Flash vulnerabilities that can be exploited in rich media ads, malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly.

Fired without a Trigger
The introduction of rich media ads allowed drive-by attacks to be triggered without any visitor interaction. A popular threat vector is video ads, whose complex code is harder to screen for malware. While the original VAST video standard relied on XML and avoided the use of JavaScript, the newer VPAID format exposes viewers to script injection and the other vulnerabilities Adobe Flash is notoriously fraught with. Unfortunately, static ads aren’t a fail-safe either. Discovered by Proofpoint in late July, AdGholas was the first malvertising campaign to employ steganography, embedding executable JavaScript code within an image’s metadata.

Benign Before Non-Targets (Fingerprinting)
It is not uncommon for malware writers to build in checks for virtualization to avoid detection by security analysts. A white paper released in March by Malwarebytes and GeoEdge reported that Internet Explorer’s XMLDOM ActiveX control contains a vulnerability exploited by the Angler exploit kit to check for the presence of security products and residential IP addresses. This technique has since been coded into ad banners directly, rather than kept encrypted on exploit kit landing sites. As a result, non-targets are served benign ads, and malvertising campaigns can run undetected for long periods of time.

Impervious to Signature-based Security
Malvertising campaigns involving fileless infections such as Kovter can easily avoid detection by regular antivirus software. This family of malware executes malicious code from browser or system memory rather than from files downloaded onto the hard drive. Kovter has posed as Adobe Flash, Firefox and then Chrome updates, and its fraudulent use of digital certificates has also boosted the success of its exploits, since the signed files tend to slip past signature-based endpoint solutions.

What Needs to Be Done
Ad server networks are in a prime position to provide oversight and weed out malware ads early. According to a report by the Permanent Subcommittee on Investigations, however, ads typically pass through 5 to 6 intermediaries before reaching their audience. At any point in that chain, malicious ads can replace legitimate ones. Ads can even appear completely legitimate during ad-screening processes by using the fingerprinting technique to delay payload delivery until they reach real visitors.

The programmatic nature of the ad-placement ecosystem makes it vulnerable to infiltration, but the fact remains that millions of advertisements have to be selected and served within the milliseconds a webpage takes to load. Fortunately, live ad verification solutions exist to help ad networks monitor campaigns that get corrupted along the way.
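As an added illustration of what a live verification check can look like (example code written for this article's point, not any vendor's product), the following Python compares what a creative serves over time and from different vantage points against the copy approved at screening. It flags two things the article describes: a creative that changes after it was screened, and a creative that serves one thing to the screening vantage and another to a residential one at the same moment. The creative IDs, vantage names, timestamps and served bodies are constructed sample data; a real verifier would fill `Observation` records from scheduled fetches of the ad tag.

```python
"""Continuous ad-verification check (added example; not a product's code)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Observation:
    """One fetch of a creative by the verifier (all sample values are constructed)."""
    creative_id: str
    fetched_at: str   # ISO-8601 timestamp of the fetch
    vantage: str      # where the fetch came from, e.g. "screening-lab", "residential-us"
    body: bytes       # creative exactly as served to that vantage


def fingerprint(body: bytes) -> str:
    """Stable identity for a served creative: SHA-256 of its bytes."""
    return hashlib.sha256(body).hexdigest()


def verify_campaign(baselines: Dict[str, bytes], observations: List[Observation]) -> Dict[str, dict]:
    """Compare every observation with the approved baseline for its creative.

    Returns {creative_id: {"drift": [(fetched_at, vantage), ...], "split": bool}}.
    'drift' lists fetches whose body differs from the screened baseline;
    'split' is True when, at one timestamp, different vantages received
    different content (the benign-for-non-targets pattern).
    """
    report: Dict[str, dict] = {}
    for cid, approved in baselines.items():
        base_hash = fingerprint(approved)
        obs = [o for o in observations if o.creative_id == cid]
        drift = [(o.fetched_at, o.vantage) for o in obs if fingerprint(o.body) != base_hash]
        seen_at: Dict[str, set] = {}
        for o in obs:
            seen_at.setdefault(o.fetched_at, set()).add(fingerprint(o.body))
        split = any(len(hashes) > 1 for hashes in seen_at.values())
        report[cid] = {"drift": drift, "split": split}
    return report


def unapproved_creatives(baselines: Dict[str, bytes], observations: List[Observation]) -> List[str]:
    """Creative IDs seen in the wild that never went through screening at all."""
    return sorted({o.creative_id for o in observations} - set(baselines))


# Constructed sample data: the approved banner and a changed variant.
APPROVED = b'<img src="https://cdn.example/banner-300x250.png" alt="Spring sale">'
CHANGED = b'<img src="https://cdn.example/banner-300x250.png"><!-- changed after screening -->'

BASELINES = {"cr-1001": APPROVED, "cr-1002": APPROVED}
OBSERVATIONS = [
    Observation("cr-1001", "2016-10-19T09:00:00Z", "screening-lab", APPROVED),
    Observation("cr-1001", "2016-10-19T09:00:00Z", "residential-us", APPROVED),
    Observation("cr-1001", "2016-10-20T09:00:00Z", "screening-lab", APPROVED),
    Observation("cr-1001", "2016-10-20T09:00:00Z", "residential-us", CHANGED),
    Observation("cr-1002", "2016-10-20T09:00:00Z", "screening-lab", APPROVED),
    Observation("cr-1002", "2016-10-20T09:00:00Z", "residential-us", APPROVED),
    Observation("cr-1003", "2016-10-20T09:00:00Z", "residential-us", CHANGED),
]

if __name__ == "__main__":
    print(verify_campaign(BASELINES, OBSERVATIONS))
    print("unapproved:", unapproved_creatives(BASELINES, OBSERVATIONS))
```

The useful signal is the `split` flag rather than drift alone: a legitimate creative refresh changes every vantage at once, whereas content that differs only for residential fetches at the same timestamp is exactly what fingerprinting-based delivery produces. Fetches from a lab or datacenter address alone would never see it.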

Major publishers are in a unique position to pressure ad servers to abide by higher ad-screening standards. Publishers that deploy Web application firewalls should also avoid whitelisting their ad servers, and instead work exclusively with ad servers that abide by strong security protocols. The average site owner hoping to encourage visitors to disable ad blocking can do so by assuring visitors of the steps they’ve taken to provide better ad experiences that also take cybersecurity into consideration. If you're asking someone to let down their guard, tell them also that you've got their back.

Part of raising ad security standards could include restricting display-ad offerings to static types. Steganography in malvertising is still a novelty and a sophisticated technique. Hence, restricting HTML5 or Flash ads could vastly reduce the effectiveness of many out-of-the-box exploit kits purchased off the dark Web.
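A pre-screen enforcing the static-only policy just described, together with a check of PNG text metadata for the kind of script-like content the AdGholas campaign hid there, as an added example (not the article's or Cloudbric's code). The format signatures are the real PNG, JPEG, GIF and SWF leading bytes; the sample creatives are constructed inline, and `SCRIPT_PATTERNS` is an illustrative indicator list, not a complete signature set.

```python
"""Ad-creative intake pre-screen (added example, not from the article or Cloudbric).

Two policies run on each creative before it enters the ad server:
  1. accept only static image creatives; reject Flash (SWF) and HTML5 bundles;
  2. for PNG images, inspect text metadata chunks for script-like content.
"""
import re
import struct
import zlib

# Leading bytes of the formats the policy recognises (real file signatures).
STATIC_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
FLASH_MAGIC = {b"FWS": "swf", b"CWS": "swf", b"ZWS": "swf"}  # plain / zlib / LZMA SWF

# Illustrative indicators of script in metadata; not a complete signature set.
SCRIPT_PATTERNS = re.compile(
    rb"(<script|javascript:|eval\s*\(|function\s*\(|document\.write|unescape\s*\()",
    re.IGNORECASE,
)


def classify_creative(data: bytes) -> str:
    """Return png/jpeg/gif/swf/html/unknown from the creative's leading bytes."""
    for magic, kind in {**STATIC_IMAGE_MAGIC, **FLASH_MAGIC}.items():
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def png_text_chunks(data: bytes):
    """Yield (keyword, text) for tEXt and zTXt chunks; iTXt is yielded raw."""
    pos = 8  # skip the 8-byte PNG signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            break
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            key, _, text = body.partition(b"\x00")
            if ctype == b"zTXt":  # one method byte, then zlib-compressed text
                try:
                    text = zlib.decompress(text[1:])
                except zlib.error:
                    pass  # malformed chunk: scan the raw bytes instead
            yield key.decode("latin-1"), text


def check_creative(data: bytes) -> dict:
    """Apply the static-only policy, then metadata inspection; return a verdict."""
    kind = classify_creative(data)
    verdict = {"type": kind, "accepted": False, "reasons": []}
    if kind in ("swf", "html"):
        verdict["reasons"].append(f"rich media ({kind}) rejected by static-only policy")
    elif kind == "unknown":
        verdict["reasons"].append("unrecognised format")
    elif kind == "png":
        for key, text in png_text_chunks(data):
            if SCRIPT_PATTERNS.search(text):
                verdict["reasons"].append(f"script-like content in PNG text chunk {key!r}")
    verdict["accepted"] = not verdict["reasons"]
    return verdict


# Constructed sample creatives (not real ad creatives).
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(comment: bytes) -> bytes:
    """A valid 1x1 RGB PNG carrying a tEXt 'Comment' chunk with the given text."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"tEXt", b"Comment\x00" + comment)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


CLEAN_PNG = build_sample_png(b"Spring campaign, 300x250")
SUSPECT_PNG = build_sample_png(b"<script>/* test string */</script>")
FLASH_CREATIVE = b"CWS\x0a" + b"\x00" * 16  # SWF header only, enough to classify

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG), ("flash", FLASH_CREATIVE)):
        print(name, check_creative(blob))
```

Classification by leading bytes rather than by the declared MIME type matters because the type header is supplied by the same party that supplies the creative. The metadata check is deliberately narrow: it only reads PNG text chunks and only flags obvious script tokens, so a compressed iTXt chunk or JPEG EXIF fields are not inspected; treat a hit as a reason to pull the creative for manual review, not as proof of malice.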

Rolling out global standards is a great step forward. But to fail to address the cybersecurity holes plaguing the digital advertising industry at this point is to put a ticking time bomb on this positive development. What’s needed for the online content ecosystem is ad security, not ad blockers, and that can only be achieved if relevant parties act quickly.

Kaiying Fu is a security community specialist at Cloudbric - a cloud based Security-as-a-Service (SECaaS) developed by Penta Security Systems. Together with the Cloudbric team, Kaiying strives to help the 99% of unprotected site owners become shielded from malicious web ...
Comments
Simmon Luis, User Rank: Apprentice
12/20/2019 | 9:27:07 AM
buckelist
Highly informative post, thank you. This helps me a lot.
stephnienewyear, User Rank: Apprentice
11/25/2019 | 1:35:47 AM
posting on comment
Advertising has changed a lot over the last couple of years. Many factors work just the opposite. Nice article, thank you for this one. https://statusquoteswishes.com
bell621iran, User Rank: Apprentice
4/2/2019 | 9:05:18 AM
Re: Google teaming with . . . HA!
Your posts are simply wonderful. Please keep writing. Thank you.
Puzzle Games
bell621iran, User Rank: Apprentice
4/2/2019 | 9:04:39 AM
Nice Post
Really, really wonderful articles and their good points. Thank you very much.
Arcade Games
amirkhan1, User Rank: Apprentice
1/30/2019 | 5:49:12 AM
Re: Google teaming
Great, thank you for sharing these cool and useful videos. I enjoyed the videos you shared because they provided a lot of knowledge for me.
Kolina, User Rank: Apprentice
7/20/2018 | 11:06:00 AM
Re: Google teaming with ... HA!
I have the same feelings about Google's work on this. Well written.
AlexxelA1234, User Rank: Apprentice
8/6/2017 | 7:41:20 AM
Re: Google teaming with . . . HA!
This article is such a nice and interesting one; I'm very satisfied with the provided contents. I hope more excellent articles will be posted on your website. Thank you so much for this, and keep sharing.
192.168.0.1 (https://19216801.mobi/)
twardejablko123, User Rank: Apprentice
11/29/2016 | 6:14:46 AM
ling fluent
I think that technology and internet progress is so fast that security programs can't handle all of that. Any new technology should be released with a security program.
Joe Stanganelli, User Rank: Ninja
10/21/2016 | 11:18:37 AM
Re: Google teaming with . . . HA!
It's all very depressing. I miss the days when the very worst thing that could happen to you with ads was winding up in pop-up hell.

Actually, you know what I really miss? Pre-WWW, when it was all dialup BBSes and Usenet.
Maia2920, User Rank: Apprentice
10/21/2016 | 8:04:27 AM
Re: Google teaming with . . . HA!
Indeed. I agree with you, and I think this principle applies to any field of interest. But it is true that the online world requires standards through security.