Malvertising Trends: Don’t Talk Ad Standards Without Ad Security

How malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly – and what online publishers and security leaders need to do about it.

Kaiying Fu, Community Manager, Cloudbric

October 19, 2016

5 Min Read

The launching of AdBlock Plus’ new Acceptable Ads Platform is indicative of how the conversation on ad governance has strayed off-course. There are reasons why people want ad-block, and reasons why they need it. But by allowing display ads that conform to their supposed guidelines, AdBlock Plus negated its own security benefit. Loath to support ad-blocking as a means of dealing with bad ads, Google has teamed up with other giants in the media and advertising industry to develop new global ad standards. Don’t get me wrong, this is all good. But aren’t we forgetting that bad ads also include malware ads?

When Forbes readers were hit by a malvertising campaign earlier this year, site legitimacy was proven to be no guarantee for safe content. Appealing to the goodwill of visitors to disable their ad blockers meant exposing them to malware. Visitors have every reason not to comply. Maybe they would in the beginning—because security isn’t easy to market—but not for long.

Excite site owners about performance boosts, sell them the regulatory compliance benefits. Those in the information security industry know "too-good" security isn’t the sexiest part of a product and that safety is low on the list of concerns for both site owners and their visitors. But the malvertising threat is only going to grow because malware has found a sweet spot in ad networks. Will site owners and their visitors find themselves standing in different camps when the situation blows? What will more aesthetic ads do to protect visitors really?

Ransomware Trends Lead the Way
Trends in ransomware point towards adaptations to malvertising as a recurring means of evolution. From the powerful profiling capabilities of ad server networks to weak security in the machine-to-machine real-time bidding ad placement system and, of course, flash vulnerabilities that can be exploited in rich media ads, malvertising marries the strengths and weaknesses of the complex digital advertising ecosystem perfectly.

Fired without a Trigger
The introduction of rich media ads allowed for drive-by attacks to be triggered without any visitor interaction. A popular threat vector is video ads, with their complex codes that are harder to screen for malware. While the original VAST video standard relied on XML and avoided the use of Javascript, the new VPAID format exposes viewers to script injections and other vulnerabilities Adobe Flash is notoriously fraught with. Unfortunately, static ads aren’t a failsafe either. Discovered by Proofpoint in late July, AdGholas was the first malvertising campaign to employ steganography by embedding executable Javascript code within an image’s metadata.

Benign Before Non-Targets (Fingerprinting)
It is not uncommon for malware writers to build in checks for virtualization to avoid detection by security analysts. A white paper released earlier in March by Malwarebytes and GeoEdge reported that Internet Explorer’s XMLDOM ActiveX control contains a vulnerability exploited by Angler Exploit Kits to check for the presence of security products and residential IP addresses. However, this technique has been developed to be coded into ad banners directly, rather than encrypted on exploit kit landing sites. This means non-targets are served benign ads so that malvertising campaigns can run undetected for long periods of time.

Impervious to Signature-based Security
Malvertising campaigns involving fileless infections like the Kovter can easily avoid detection by regular antivirus software. This family of malware executes malicious code from browser or system memory rather than from files downloaded onto the hard drive. From posing as Adobe Flash, Firefox, and then Chrome updates, the fraudulent use of digital certificates has also boosted the success of Kovter exploits as they tended to slip pass signature-based endpoint solutions.

What Needs to Be Done
Ad server networks are in prime position to provide oversight and weed out malware ads early. According to a report by the Permanent Subcommittee on Investigations, however, ads typically pass through 5 to 6 intermediaries before reaching their audience. At any point within the chain, malicious ads could replace legitimate ads. In fact, ads are able to appear completely legitimate during ad-screening processes by delaying their payload delivery using the fingerprinting technique.

Although the programmatic nature of the ad-placement ecosystem also makes it vulnerable to infiltration, the fact remains that millions of advertisements have to be selected and served, in less time than the milliseconds taken for a webpage to load. Fortunately, live ad verification solutions exist to help ad networks monitor campaigns that get corrupted along the way. 

Major publishers are in a unique position to pressure ad servers to abide by higher ad-screening standards. Publishers that deploy Web application firewalls should also avoid whitelisting their ad servers, instead choosing to work exclusively with ad servers who abide by strong security protocols. The average site owner hoping to encourage visitors to disable ad-blocking can also do so by assuring visitors of steps they’ve taken to provide better ad experiences that also take cybersecurity into consideration. If you're asking someone to let down their guard, tell them also that you've got their back.

Part of raising ad security standards could include restricting display-ad offerings to static types. Utilizing steganography in malvertising remains a novelty and also a sophisticated technique. Hence, having restrictions against HTML5 or Flash ads could vastly reduce the effectiveness of many out-of-the-box exploit kits purchased off the dark Web.

Rolling out global standards is a great step forward. But to fail to address the cybersecurity holes plaguing the digital advertising industry at this point is to put a ticking time bomb on this positive development. What’s needed for the online content ecosystem is ad security, not ad blockers, and that can only be achieved if relevant parties act quickly.

Related Content:


About the Author(s)

Kaiying Fu

Community Manager, Cloudbric

Kaiying Fu is a security community specialist at Cloudbric - a cloud based Security-as-a-Service (SECaaS) developed by Penta Security Systems. Together with the Cloudbric team, Kaiying strives to help the 99% of unprotected site owners become shielded from malicious web attacks. By offering insights into the experiences of small and mid-sized businesses, she hopes to expand the cybersecurity landscape traditionally dominated by enterprises.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights