
Attacks/Breaches

10/16/2014
04:06 PM

Facebook Doubles Bug Bounties For Ad-Related Flaws

Is it a sign that online brands are treating malvertising more seriously?

As malicious attackers continue to target the online advertising ecosystem that drives today's Internet economy, increasing numbers of large online brands have been forced to find ways to stem the fraud of malvertising. Facebook made one such step today, announcing that it plans to offer big incentives to white hat hackers who find and report flaws in its advertising platform through the company's bug bounty program. Facebook says that for the rest of 2014 it will offer double bounties for vulnerabilities found in its advertising platform UI, API, analytics tools, and in the backend code that helps it target, deliver, bill, and measure ads.

"We hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them," Facebook said in a blog announcing the bounty increase.

The move can be seen as evidence that large Internet firms like Facebook understand the challenge they face as the criminals have found attacking advertising platforms to be highly profitable endeavors for a number of reasons.

"Ad platforms have been a major channel for real damage against both users and the companies that service them," says Dan Kaminsky, chief scientist for WhiteOps. "Malvertising pops up as a method for distributing malware, and the trend of click and impression fraud can bankrupt a firm while deeply enriching fraudsters."

While malvertising is most often associated with click fraud, some security researchers now believe it is gaining prevalence as a malware distribution method and may come to rival current exploit kits in that role. Because of the way attackers abuse these platforms, some security experts wonder how effective simply doubling the bounty on flaws in Facebook's ad platform code will really be at solving the malvertising problem for Facebook's customers and users.

"Today's malvertising campaigns are not due to flaws in any given ad bidding platform. The issue is that real-time ad bidding allows advertising bid winners to redirect to self-hosted content outside the control of the ad platform," explains Pat Belcher, head analyst of security analytics for Invincea. "Malvertisers are winning ad bids, redirecting visitors to exploit kits that are online for just a few minutes, and delivering malicious payloads to whomever they wish to target using the targeting capabilities of the real-time ad bidding platform providers."

Invincea also reports seeing a rise in malvertising used against defense contractors in cyber espionage attacks. The company plans to publish a report on these attacks tomorrow.

In this case, Facebook may simply be going through a CYA process, but the fundamental problems with how the platform works aren't necessarily going to be fixed.

"The problem with malvertising will continue, but at least Facebook can say it is not a flaw in their actual platform," Belcher says.

However, as Kaminsky explains, every step to thwart attackers offers some positive benefits.

"The fewer places for bad guys to hide, the better. And this has been a very profitable place for them to hide," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
