Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:06 PM
Connect Directly

Facebook Doubles Bug Bounties For Ad-Related Flaws

Is it a sign that online brands are treating malvertising more seriously?

As malicious attackers continue to target the online advertising ecosystem that drives today's Internet economy, increasing numbers of large online brands have been forced to find ways to stem the fraud of malvertising. Facebook made one such step today, announcing that it plans to offer big incentives to white hat hackers who find and report flaws in its advertising platform through the company's bug bounty program. Facebook says that for the rest of 2014 it will offer double bounties for vulnerabilities found in its advertising platform UI, API, analytics tools, and in the backend code that helps it target, deliver, bill, and measure ads.

"We hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them," Facebook said in a blog announcing the bounty increase.

The move can be seen as evidence that large Internet firms like Facebook understand the challenge they face as the criminals have found attacking advertising platforms to be highly profitable endeavors for a number of reasons.

"Ad platforms have been a major channel for real damage against both users and the companies that service them," says Dan Kaminsky, chief scientist for WhiteOps. "Malvertising pops up as a method for distributing malware, and the trend of click and impression fraud can bankrupt a firm while deeply enriching fraudsters."

While malvertising is often most associated with click fraud, some security researchers now believe it is gaining prevalence as a distribution method and may rival current exploit kits as a distribution method. Because of the way attackers abuse these platforms, some security experts wonder how effective simply doubling the bounty on flaws within Facebook's ad platform code will really be at solving the malvertising problem for Facebook customers and users.

"Today's malvertising campaigns are not due to flaws in any given ad bidding platform. The issue is that real-time ad bidding allows advertising bid winners to redirect to self-hosted content outside the control of the ad platform," explains Pat Belcher, head analyst of security analytics for Invincea. "Malvertisers are winning ad bids, redirecting visitors to exploit kits that are online for just a few minutes, and delivering malicious payloads to whomever they wish to target using the targeting capabilities of the real-time ad bidding platform providers."

Invincea reportedly also is seeing a rise in malvertising targeting defense contractors in cyber espionage attacks. The company plans to publish a report tomorrow on these attacks.

In this case, Facebook may simply be going through a CYA process, but the fundamental problems with how the platform works aren't necessarily going to be fixed.

"The problem with malvertising will continue, but at least Facebook can say it is not a flaw in their actual platform," Belcher says.

However, as Kaminsky explains, every step to thwart attackers offers some positive benefits.

"The fewer places for bad guys to hide, the better. And this has been a very profitable place for them to hide," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
PUBLISHED: 2021-06-18
An issue was discovered in UniFi Protect G3 FLEX Camera Version UVC.v4.30.0.67.Attacker could send a huge amount of TCP SYN packet to make web service's resource exhausted. Then the web server is denial-of-service.
PUBLISHED: 2021-06-18
An issue was discovered on 4GEE ROUTER HH70VB Version HH70_E1_02.00_22. Attackers can use slowhttptest tool to send incomplete HTTP request, which could make server keep waiting for the packet to finish the connection, until its resource exhausted. Then the web server is denial-of-service.
PUBLISHED: 2021-06-18
Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file".
PUBLISHED: 2021-06-18
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.