Malvertising: Three Things You Need To Know
BY Brian O’Kelley
Shortly before the winter holidays, the Interactive Advertising Bureau (IAB) and Ernst & Young issued a joint report estimating the annual cost associated with a triad of fraudulent practices: infringed content (also known as piracy), invalid traffic, and “malvertising.” Their findings were arresting: each year, the digital advertising industry loses approximately $8.2 billion to fraudulent activity — $2.4 billion to piracy, $4.6 billion to invalid traffic, and over $1.1 billion to malvertising. (In the interest of full disclosure, my company was one of the report’s sponsors.)
That figure should worry everyone. Lost ad dollars starve digital publishers of much-needed revenue and marketers of money intended to drive sales. Both phenomena result in diminished economic output and employment.
Fake Online Ads
Of the three practices, “malvertising” – the practice by which malware is delivered to computers or to networks of computers through fake online ads – is the most public-facing menace. (The portmanteau is itself knotty, as it suggests a malicious form of advertising. In fact, it represents one mechanism among many – including toolbars, adware, email, and website corruption – that bad actors use to infiltrate third-party computers.)
Once it infiltrates an end user’s browser, malware can serve a number of harmful purposes. It can inject spyware that allows bad actors to follow the end users’ key strokes and thereby copy login data for their financial accounts. It can introduce “ransomware” – viruses that lock a computer until its owner pays a bounty. It can load “nuisanceware” that interferes with the proper functioning of a computer or network – particularly useful in disrupting a company’s IT resources – or malware that either takes over a page or redirects the user to a domain that he or she does not wish to visit. Or, it can infect a computer with a bot, which consumes bandwidth and slows down Internet use; bots are often used to produce clicks against fake ad impressions on invisible websites, often without the end user’s knowledge.
For generalists trying to make sense of the issue, here are three things you need to know about “malvertising”:
Ad blocking isn’t the answer. In its report, the IAB estimated the amount of advertising dollars lost each year to ad blocking and further extrapolated from this figure the portion of blocked spend owing to concerns about malware: the total, $781 million.
The problem is, ads aren’t the only way to deliver malware. Email and messaging programs are also effective channels for malware. So are widely-trafficked, popular websites. Google estimates that upwards of 9,500 domains are infected each day. These attacks are especially prevalent in certain niche content sectors like piracy and pornography sites. But they find their way to mainstream domains as well. Often, malware – whether delivered through advertising or through a website – is at its most effective when end users fail to upgrade their software or use antiquated browsers.
The main takeaway: bad actors have a well-established track record of finding alternative avenues into your devices and networks. Ad blocking may close off one potential pathway for fraud, but it won’t solve the malware problem. What it will do is starve content producers of over $75 billion of funding for quality journalism, information, and entertainment. For anyone interested in preserving the cultural, economic and political virtues of the free internet, that is an outcome to be dreaded.
Control your supply chain. Granted that advertising is just one delivery channel for malware, nevertheless, malvertising is a real problem, and ad tech companies have a responsibility to address it.
Most credible digital ad platforms already incorporate powerful anti-malware systems. My company, AppNexus, built a sophisticated tool that we named Sherlock. As the moniker would suggest, Sherlock detects infected ads before they are served. Any exchange worth its salt should offer comparable technology.
We also attack the problem from the other side. Much if not most malvertising is used to manufacture botnets that produce clicks against fake ad impressions. Somewhere in the world, someone is making money by siphoning off ad dollars from credible marketers. If we can disrupt the supply of fraudulent impressions, we can disrupt fraudsters’ larger enterprise.
In the online advertising world, some of the most important actors are “networks” – effectively, market makers that buy, aggregate, and resell impressions on behalf of publishers. While some networks have been known to engage in sketchy practices, many furnish the market with essential liquidity, similar to the role that broker-dealers fulfill for the financial sector. But when networks engage in excessive arbitrage by packaging and reselling inventory multiple times, visibility into the quality of their inventory diminishes, creating an opening for bad actors to inject invalid impressions into the ecosystem. If this sounds eerily like the relationship between collateralized residential mortgages and the 2008-2009 financial crisis, that’s because it is.
Last year, AppNexus clamped down on arbitrage and encouraged networks to resell only inventory that they bought directly from publishers; in so doing, we cleaned our platform of invalid impressions. Weeks later, Facebook’s LiveRail exchange adopted similar policies. I fully expect other industry leaders to follow suit in 2016. After all, buyers will naturally direct spend on platforms that ensure the validity and quality of their inventory. Malvertising is a business. If we disrupt one of its most effective profit models, we go a long way toward removing its incentive base.
Viewability: A Silver Bullet? The traditional knock against digital advertising was that you never really knew if a human being saw your ad. To some degree, it’s a double standard: a marketer will never really know if I was looking at my TV when its commercial came on, or if I bothered to gaze at its billboard in Times Square. But to be sure, viewability is a problem. Some publishers load impressions on the extreme edges of their page, which end users are unlikely ever to scroll into frame. And, as we’ve seen, bad actors create placeholder websites with fraudulent impressions that are intended never to be viewed by a human being.
The industry has developed ways to address this legacy issue. Specifically, AppNexus and DoubleClick have developed technology that enables advertisers to “transact on viewability,” meaning, an advertiser is only charged for an impression after an end user has scrolled it into frame for a predetermined amount of time. DoubleClick only offers this feature to inventory on the Google Display Network, but I expect it will come under pressure to extend it to all of its third-party supply partners.
Other platforms will have to catch up in order to survive, and I expect that some will. It will take some time, but viewable transactions will inevitably become the new currency in digital advertising. When that occurs, malvertising will suffer a major, though not necessarily a fatal, blow. If money only changes hands when a real human being views a real ad, how can bad actors continue to profit? To be sure, some will try to replicate viewability in the same way they imitate human click traffic. But as viewability technology improves, this process will become cumbersome – too cumbersome, we hope, to hold out a profit incentive.
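The charging rule described above, sketched as an added example (this is not AppNexus or DoubleClick code). The 50% visible-area and one-second thresholds, the sample format, and the session data are all assumptions made for illustration.

```javascript
// Added example: decide whether an impression is billable when the buyer
// "transacts on viewability". Both thresholds are assumptions, not from the article.
const MIN_VISIBLE_RATIO = 0.5; // assumed share of the ad's pixels inside the viewport
const MIN_DWELL_MS = 1000;     // assumed continuous time in view before charging

// A sample is { t, ratio, pageVisible }: time in ms, visible fraction of the ad
// (0..1), and whether the tab is in the foreground. Samples are sorted by t.
function longestViewedMs(samples, endT) {
  let best = 0;
  let start = null; // time the current in-view streak began, or null
  for (const s of samples) {
    const inView = s.pageVisible && s.ratio >= MIN_VISIBLE_RATIO;
    if (inView && start === null) start = s.t;
    if (!inView && start !== null) {
      best = Math.max(best, s.t - start); // streak ended: scrolling away resets it
      start = null;
    }
  }
  if (start !== null) best = Math.max(best, endT - start); // still in view at unload
  return best;
}

function isBillable(samples, endT) {
  return longestViewedMs(samples, endT) >= MIN_DWELL_MS;
}

// Constructed sessions (not real traffic), each ending at t = 5000 ms.
const s = (t, ratio, pageVisible = true) => ({ t, ratio, pageVisible });
const SESSIONS = {
  scrolledIntoView: [s(0, 0), s(2000, 0.8), s(3500, 0.2)],   // 1500 ms in view
  belowTheFold: [s(0, 0.1)],                                 // never half visible
  flickered: [s(0, 0.6), s(400, 0), s(1000, 0.9), s(1700, 0)], // 400 ms, then 700 ms
  hiddenTab: [s(0, 1, false)],                               // rendered in a background tab
};

for (const [name, samples] of Object.entries(SESSIONS)) {
  console.log(name, longestViewedMs(samples, 5000), isBillable(samples, 5000));
}
```

The `flickered` session totals 1,100 ms in view but is not charged, because the rule here requires one continuous streak rather than cumulative time.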
Solving for the problem of malvertising will not eliminate the larger threat of malware, let alone the macro challenges of cyber fraud and terrorism. But it will block a major delivery system for malicious technology. It’s incumbent on all actors in the ad tech ecosystem to do their part.
Four Steps You Can Take To Protect Yourself Against Malvertising
Malvertising is a serious threat to your online security. It comes in several forms, but at its most insidious it gives no warning when it arrives, and all you have to do to get infected is visit a website. You don’t have to click anything, you don’t have to mouse over anything, you don’t have to interact with the website in any way. All you have to do is open a webpage and a malvertising-infected ad will launch a drive-by download that can put your computer in a world of hurt.
What kind of webpage carries this nasty stuff? The New York Times, the London Stock Exchange, AOL, MSN, Yahoo!, Spotify, The Onion, the BBC, the Weather Network and the NFL have all unknowingly spread malvertising.
How does malvertising work?
Malvertising is a carrier that doesn’t threaten your computer directly. Instead, a malvertising-infected ad opens up a channel to criminal servers that launch an attack. The servers download exploit kits that analyze your system for security vulnerabilities and install malware that targets any security flaws that are found. Security vulnerabilities are most often found in browsers, browser plug-ins, and operating systems. Java and Adobe’s Flash are the usual suspects.
The malware can be spyware, a keylogger, anything that benefits cybercriminals at your expense. According to Malwarebytes, a company that sells security software, it’s estimated that 70% of recent malvertising attacks are delivering ransomware. Ransomware can range from pop-up windows that tell you to follow a link to save yourself from a virus, to code that encrypts your files or locks up your system and demands payment in return for a key that will unencrypt your files or return control of your computer to you.
How do ads infected with malvertising get on reputable websites?
Malvertising code is often hidden in iframes. Iframes are HTML elements that allow a document (such as an ad) to appear inside another document (the main content) on a webpage. Ads on webpages appear in iframes because the ad in the iframe can be changed without affecting the rest of the page.
Malvertising gets on reputable, high-traffic websites by gaming the system that places ads on the internet. Advertisers place ads with ad networks and the networks serve the ads to individual websites. The advertisers bid in real time for ad placement. The ad networks handle the bidding process and serve the winners’ ads.
The cybercriminals that run malvertising schemes either place their own ads with ad networks or run their own networks. They run clean ads for as long as it takes to develop a reputation that is good enough to allow them to place ads on high-traffic websites. Once they have access to the high-traffic sites, they insert malvertising code in iframes that carry their ads.
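Because the ad arrives in an iframe, a publisher can limit what that frame is allowed to do with the HTML `sandbox` attribute. The following is an added example, not code from the article: it audits a page's markup for third-party iframes that are unsandboxed or granted tokens an ad does not need. The sample HTML, hostnames and function names are constructed for illustration.

```javascript
// Added example: audit the <iframe> tags in a page's HTML for weak isolation.
// SAMPLE_HTML and every hostname in it are constructed for illustration.
const SAMPLE_HTML = `
<iframe src="https://ads.example.net/slot1" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example.net/slot2"></iframe>
<iframe src="https://ads.example.org/slot3"
        sandbox="allow-scripts allow-top-navigation allow-downloads"></iframe>
<iframe src="/comments"></iframe>`;

// Sandbox tokens that hand a third-party frame powers an ad does not need.
const RISKY_TOKENS = new Map([
  ["allow-top-navigation", "frame can redirect the whole page"],
  ["allow-downloads", "frame can start file downloads"],
  ["allow-popups-to-escape-sandbox", "popups it opens run unsandboxed"],
]);

// Parse the attributes of one opening <iframe ...> tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per third-party iframe that is not tightly sandboxed.
function auditIframes(html, pageOrigin) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    const url = new URL(attrs.src || "about:blank", pageOrigin);
    if (url.origin === pageOrigin) continue; // first-party frame: out of scope
    const issues = [];
    if (!("sandbox" in attrs)) {
      issues.push("no sandbox attribute");
    } else {
      const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      for (const t of tokens) {
        if (RISKY_TOKENS.has(t)) issues.push(`${t}: ${RISKY_TOKENS.get(t)}`);
      }
    }
    if (issues.length) findings.push({ src: url.href, issues });
  }
  return findings;
}

console.log(JSON.stringify(auditIframes(SAMPLE_HTML, "https://news.example.com"), null, 2));
```

An empty `sandbox` attribute is the most restrictive setting and passes the audit; the regex-based tag matching is adequate for an audit script but is not a full HTML parser.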
What can you do about it?
Here are four steps you can take to protect yourself against malvertising.
1. Install an antivirus program that will identify and neutralize exploit kits. If your antivirus program can’t handle exploit kits, install a program like Malwarebytes’ Anti-Exploit. These programs do not keep malvertising out of your computer. Instead, they monitor browser and plug-in operation and block exploit kits that are probing for security vulnerabilities.
2. Uninstall browser plug-ins you don’t use and set the rest to click-to-play. Browser plug-ins, especially Java and Adobe’s Flash, are usually the most vulnerable elements in your system. Check which plug-ins you have installed and delete any that you do not use. Set the plug-ins you want to keep or are unsure about to click-to-play. With click-to-play enabled, you will get a message or an icon on the screen when you load a webpage that wants to load a plug-in. You can decide on a case-by-case basis whether or not you want the plug-in to run. In many cases you can do whatever you came to the website to do without running the plug-in. In some cases it can be a hassle if the website won’t give you what you want without the plug-in. It’s a small price to pay, however, when compared to the catastrophes that malware can bring. How-To Geek has an excellent guide that walks you through the process of enabling click-to-play on Chrome, Internet Explorer, Firefox, Safari and Opera.
3. Make sure your browsers, plug-ins and operating systems are kept up-to-date. Out-of-date browsers, plug-ins and operating systems almost always contain security vulnerabilities and if those vulnerabilities are there, the exploit kits will find them. The simplest way to minimize these problems is to keep your software up-to-date.
4. Install an ad blocker but before you do it, be aware that ad blockers are controversial. On the one hand, they will stop a lot of malvertising although they won’t eliminate all of it. On the other hand, many ad blockers block a lot more than ads and they can break a website by blocking necessary content such as the check-in screen on an airline’s website. In addition, most websites live on ad revenue and widespread adoption of ad blockers will put them out of business. Some websites (including Forbes) limit or prevent access to content if an ad blocker is detected. These sites request that users whitelist the site in their ad blocker. Sometimes, the ad blockers block the request.
Malvertising is dangerous, and its use is on the increase because it can be very effective. You will continue to be exposed to malvertising-infected ads unless you completely abandon the internet. You can, however, take action to combat malvertising by following the steps outlined above.
IMAGE: HelpNetSecurity “Malvertising campaign hits MSN.com, NY Times, BBC, AOL”