Dark Reading is part of the Informa Tech Division of Informa PLC
11:00 AM
Kaiying Fu

Malvertising Trends: Don't Talk Ad Standards Without Ad Security

How malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly - and what online publishers and security leaders need to do about it.

The launch of AdBlock Plus' new Acceptable Ads Platform is indicative of how the conversation on ad governance has strayed off course. There are reasons why people want ad blockers, and reasons why they need them. But by allowing display ads that conform to its own guidelines, AdBlock Plus negated its own security benefit. Loath to support ad blocking as a means of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don't get me wrong, this is all good. But aren't we forgetting that bad ads also include malware ads?

When Forbes readers were hit by a malvertising campaign earlier this year, site legitimacy was proven to be no guarantee for safe content. Appealing to the goodwill of visitors to disable their ad blockers meant exposing them to malware. Visitors have every reason not to comply. Maybe they would in the beginning—because security isn’t easy to market—but not for long.

Excite site owners about performance boosts, or sell them the regulatory compliance benefits. Those in the information security industry know that "too-good" security isn't the sexiest part of a product and that safety is low on the list of concerns for both site owners and their visitors. But the malvertising threat is only going to grow, because malware has found a sweet spot in ad networks. Will site owners and their visitors find themselves standing in different camps when the situation blows up? What will more aesthetically pleasing ads really do to protect visitors?

Ransomware Trends Lead the Way
Trends in ransomware point toward malvertising as a recurring means of evolution. From the powerful profiling capabilities of ad server networks, to weak security in the machine-to-machine real-time bidding ad placement system, to Flash vulnerabilities that can be exploited in rich media ads, malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly.

Fired without a Trigger
The introduction of rich media ads allowed drive-by attacks to be triggered without any visitor interaction. A popular threat vector is video ads, whose complex code is harder to screen for malware. While the original VAST video standard relied on XML and avoided the use of JavaScript, the newer VPAID format exposes viewers to script injection and to the other vulnerabilities Adobe Flash is notoriously fraught with. Unfortunately, static ads aren't a failsafe either. Discovered by Proofpoint in late July, AdGholas was the first malvertising campaign to employ steganography, embedding executable JavaScript code within an image's metadata.

Benign Before Non-Targets (Fingerprinting)
It is not uncommon for malware writers to build in checks for virtualization to avoid detection by security analysts. A white paper released earlier in March by Malwarebytes and GeoEdge reported that Internet Explorer's XMLDOM ActiveX control contains a vulnerability exploited by the Angler exploit kit to check for the presence of security products and residential IP addresses. However, this technique has since been developed so that it can be coded into ad banners directly, rather than hidden in encrypted form on exploit kit landing pages. This means non-targets are served benign ads, so that malvertising campaigns can run undetected for long periods of time.

Impervious to Signature-based Security
Malvertising campaigns involving fileless infections like Kovter can easily avoid detection by regular antivirus software. This family of malware executes malicious code from browser or system memory rather than from files downloaded onto the hard drive. Kovter has posed as Adobe Flash, Firefox, and then Chrome updates, and its fraudulent use of digital certificates has further boosted its success, because the signed payloads tended to slip past signature-based endpoint solutions.

What Needs to Be Done
Ad server networks are in a prime position to provide oversight and weed out malware ads early. According to a report by the Permanent Subcommittee on Investigations, however, ads typically pass through 5 to 6 intermediaries before reaching their audience. At any point in the chain, malicious ads could replace legitimate ones. In fact, ads are able to appear completely legitimate during ad-screening processes by using the fingerprinting technique to delay payload delivery until a real target is present.

Although the programmatic nature of the ad-placement ecosystem also makes it vulnerable to infiltration, the fact remains that millions of advertisements have to be selected and served, in less time than the milliseconds taken for a webpage to load. Fortunately, live ad verification solutions exist to help ad networks monitor campaigns that get corrupted along the way. 

Major publishers are in a unique position to pressure ad servers to abide by higher ad-screening standards. Publishers that deploy Web application firewalls should also avoid whitelisting their ad servers, instead choosing to work exclusively with ad servers that abide by strong security protocols. The average site owner hoping to encourage visitors to disable ad blocking can also do so by assuring visitors of the steps they've taken to provide better ad experiences that also take cybersecurity into consideration. If you're asking someone to let down their guard, tell them also that you've got their back.

Part of raising ad security standards could include restricting display-ad offerings to static types. Using steganography in malvertising remains a novelty and a sophisticated technique. Hence, restrictions against HTML5 or Flash ads could vastly reduce the effectiveness of many out-of-the-box exploit kits purchased off the dark Web.
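To make the two screening ideas above concrete (admit only static creative types, and still inspect static images for script hidden in metadata, as the AdGholas campaign did), here is an added example of a creative-screening policy. It is not code from the article, from Cloudbric, or from any ad network; the allowed MIME types, the script-signal patterns and the sample PNG creatives are constructed assumptions for illustration, while the PNG chunk parsing follows the real format (length, type, data, CRC32).

```python
"""Added example: a defender-side ad-creative screening check.
(1) Only static image types pass the policy; HTML5, Flash and VPAID/JS creatives are rejected.
(2) PNG creatives are parsed chunk by chunk and their text metadata is scanned
    for script-like content. Only PNG is parsed here; JPEG/GIF are accepted by type alone.
"""
import re
import struct
import zlib

# Policy assumption for this example: which creative types count as "static".
ALLOWED_STATIC_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Assumed tokens that signal script embedded in image metadata.
SCRIPT_PATTERN = re.compile(rb"<script|javascript:|eval\(|unescape\(|document\.|window\.", re.I)

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def png_chunks(data):
    """Yield (chunk_type, chunk_data) for each PNG chunk; reject malformed files."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk")
        cdata = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + cdata) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, cdata
        pos = end + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")


def png_metadata_payloads(data):
    """Collect text carried in tEXt/zTXt chunks plus the raw bodies of any other
    ancillary chunk, i.e. every place a creative could smuggle non-pixel data."""
    payloads = []
    for ctype, cdata in png_chunks(data):
        if ctype == b"tEXt":
            payloads.append(cdata)
        elif ctype == b"zTXt":
            key, _, rest = cdata.partition(b"\x00")  # rest = method byte + zlib stream
            try:
                payloads.append(key + b"\x00" + zlib.decompress(rest[1:]))
            except zlib.error as exc:
                raise ValueError("bad zTXt stream: %s" % exc)
        elif ctype not in CRITICAL_CHUNKS:
            payloads.append(cdata)
    return payloads


def screen_creative(mime_type, payload):
    """Return (accepted, reason) for one submitted creative."""
    if mime_type not in ALLOWED_STATIC_TYPES:
        return False, "non-static creative type rejected: %s" % mime_type
    if mime_type == "image/png":
        try:
            payloads = png_metadata_payloads(payload)
        except ValueError as exc:
            return False, "malformed PNG: %s" % exc
        for blob in payloads:
            if SCRIPT_PATTERN.search(blob):
                return False, "script-like content in image metadata"
    return True, "static creative accepted"


# --- constructed sample creatives -------------------------------------------
def _chunk(ctype, cdata):
    return struct.pack(">I", len(cdata)) + ctype + cdata + struct.pack(">I", zlib.crc32(ctype + cdata))


def make_png(extra_chunks=()):
    """Constructed 1x1 8-bit grayscale PNG with optional extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, cdata in extra_chunks:
        body += _chunk(ctype, cdata)
    return PNG_SIGNATURE + body + _chunk(b"IEND", b"")


CLEAN_PNG = make_png([(b"tEXt", b"Comment\x00Spring sale banner 300x250")])
POISONED_PNG = make_png([(b"tEXt", b"Comment\x00<script>eval(unescape('%61%6c'))</script>")])

if __name__ == "__main__":
    for label, mime, blob in [("clean png", "image/png", CLEAN_PNG),
                              ("poisoned png", "image/png", POISONED_PNG),
                              ("flash creative", "application/x-shockwave-flash", b"FWS"),
                              ("vpaid creative", "application/javascript", b"var vpaid;")]:
        print(label, "->", screen_creative(mime, blob))
```

The CRC check matters: an ad-screening pipeline that tolerates malformed chunks gives a creative a place to hide data that a strict parser would refuse outright, so the policy rejects on any parse error instead of falling through to "accepted".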

Rolling out global standards is a great step forward. But to fail to address the cybersecurity holes plaguing the digital advertising industry at this point is to put a ticking time bomb on this positive development. What’s needed for the online content ecosystem is ad security, not ad blockers, and that can only be achieved if relevant parties act quickly.

Kaiying Fu is a security community specialist at Cloudbric, a cloud-based Security-as-a-Service (SECaaS) developed by Penta Security Systems. Together with the Cloudbric team, Kaiying strives to help the 99% of unprotected site owners become shielded from malicious web ...

User Rank: Apprentice
10/20/2016 | 9:22:16 AM
Re: product-club IT
Advertising has changed a lot over the past couple of years. Many factors work just the opposite. Nice article, thank you for this one.
User Rank: Guru
10/20/2016 | 5:08:13 AM
good job guys, thanks for the useful and interesting information!
Kaiying Fu,
User Rank: Author
10/20/2016 | 2:40:08 AM
Re: Google teaming with . . . HA!
Thanks for the feedback. I'm all for increasing the effectiveness of ad spending, but whether Google benefits from rebuilding confidence in the advertising industry or not, isn't much of a concern.

Parties aspiring to set global ad standards need to have their eye on the future -- ad security is what consumers may not yet, but will soon, perceive as vital to their interests.

With the advertising industry trying to come up with ways to deal with rocketing ad blocking adoption rates, there might be some misguided optimism. The Coalition for Better Ads, which Google is a part of, aims to improve ad experiences for consumers through developing data-driven ad standards. How does their attempt at improving ad quality go beyond the daily duties of regular marketers besides the global scale?

Consumers being repulsed by a brand's ad vs consumers faced with ransomware from a brand's ad

Do we now see who should be concerned about website security?
Community Specialist at Cloudbric
User Rank: Strategist
10/19/2016 | 12:48:31 PM
Google teaming with . . . HA!
Thanks for a very helpful and well written article. I agree with your premise that standards are needed, and that when we are being overrun by the enemy, there needs to be a more direct action, certainly one more fruitful than "Google posturing maneuvers" to avoid appearing to do anything that would negatively affect their ad revenue. And, honestly, the notion that Google is helping anyone do anything other than increasing ad revenue is very hard to take seriously.