Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Upstart Takes Aim At Malvertising Attacks

Dasient provides telemetry on infected Web ads, unveils new service to shorten life of malvertisements

When The New York Times started serving up infected ads from its website late last year, the security industry dubbed the new attack "malvertising" and added it to the list of threats faced by users.

Despite the attention, however, the attacks didn't stop. Gizmodo, TechCrunch, and WhitePages.com are just some of the publishers that have been hit since last year, and many ad networks and other experts say they aren't sure how widespread the problem has become -- or how to stop it.

An emerging security company now says it has answers on both fronts. In an announcement issued today, Dasient offered details on the scope of the malvertising problem, as well as a new service designed to help publishers and ad networks reduce the damage done by infected ads.

Dasient says it has built a "telemetry" system that uses behavioral-based technology to detect and monitor malvertising on the Web. The service helps ad networks and publishers pinpoint the sources of the infections, enabling them to shorten the life of bad ads on the Web.

"We can identify when a malvertisement is being served, and when we do detect it, we can provide a full trace of all the places that the ad traversed," says Neil Daswani, one of Dasient's three founders. The publisher or the ad network can then decide whether to immediately shut off traffic from the network that is serving the ad or take the time to identify the offending ads and eliminate them, he says.

Perhaps just as important, the Dasient technology provides a window to help the industry view the scope of the problem. The company estimates that approximately 1.3 million malicious ads are viewed per day, and that the average life of a malvertisement is about 7.3 days.

Fifty-nine percent of malvertising attacks are manifested as drive-by downloads that the user never sees, according to Ameet Ranadive, another one of Dasient's founders. The other 41 percent are expressed as scareware -- fake security messages that pop up on the user's screen and encourage the person to download new software to fight a detected infection.

Malvertisements are introduced in one of two fashions, according to the two founders. In one scenario, the attacker opens a new advertising account using valid names and credit information stolen from a company or individual and then replaces vetted ads with infected ads after the account is active. In the other scenario, an attacker breaks into the account of a current advertiser and then uses its credentials to introduce infected ads.

"A big part of the problem is the scope and complexity of the way online ads are distributed," Daswani says. "There are so many new ads being posted all the time, there's no way for the ad networks to manage all of them, so the advertisers themselves often are given the ability to post new creative themselves.

"Once the ad is posted, there is a lot of complexity in the way publishers and ad networks interact to ensure that every ad slot gets filled," Daswani observes. Some publishers contract with multiple ad networks, and many ad networks contract with other ad networks to optimize ad distribution and maximize revenue, he notes.

These complex interactions between advertisers, publishers, and ad networks can make finding an infected ad "like finding a needle in a haystack," Daswani says. Dasient's service is designed to track the bad ads as they cross a variety of domains, making it easier to identify them and stop the stream.

"The average lifetime of a malvertisement is 7.3 days," Ranadive says. "What we're trying to do is bring that number down, which reduces the threat and makes it less attractive for the bad guys."

The new service could also help ad networks and law enforcement to identify the source that uploaded the malvertisement in the first place, Daswani says. "Some networks, like Google, have a zero-tolerance policy that allows them to take an advertiser out of the network if they introduce an infected ad," he notes.

The service is available now and can be combined with Dasient's Web anti-malware service (WAM), which was introduced earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...