CSO Blog: Web-based Malware Not up to Code

Article first published to CSO Blog via IDG Contributor network on November 20, 2017

Read article

Enterprises not actively managing this third-party digital risk face significant harm in the current regulatory environment around data compliance.

Recent website attacks shattered the misconception that only disreputable or typically blacklisted websites, such as gambling or porn sites, suffer from poor security. Throughout 2017, the media reported security incidents occurring on numerous well-known, highly trafficked websites like Equifax, State of Ohio, hundreds of U.S. public school systems and numerous embassies and government entities around Washington, DC.

Continue reading

 

MarTech Today: Companies are afraid of everyone’s website but their own

Article appeared in MarTech Today, Nov. 16, 2017

Read article

The Media Trust CEO: Most of what happens on your web site is not controlled by you

And this third-party code, says Chris Olson, results in dozens of cookies for each user, security vulnerabilities and performance hits.

 

PODCAST: Malvertising and Fake News

Charles Tendell from The Charles Tendell show interviews Chris Olson, CEO of The Media Trust, about fake news and its presence in the digital ecosystem.

Listen now

Fake news and the spread of disinformation have been tied to influencing the 2016 U.S. national election via the use of fake accounts (organic) and digital advertising (synthetic/paid) promotion channels. The primary drivers are:

  • Programmatic ad buying, which enables the serving of millions of ads every minute
  • Targeting tools, which accurately and dynamically serve ads to client-defined target markets
  • Third-party service providers: websites rely on a myriad of different providers and technologies to serve ads to their site visitors

The key to addressing fake news is driving transparency into the inner workings of the digital ecosystem. This requires media and other website operators to:

  • Know your customer, aka advertising buyer or content contributor
  • Communicate your digital asset policy to these customers; political ads, data privacy, security
  • Analyze their activity and evaluate compliance with your digital asset policy
  • Block and resolve non-compliant activity by going to the source of the violation

The Honest Truth about The Honest Ads Act

Building transparency with a little upfront disclosure

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

The fake news furor and potential Russian involvement in the U.S. 2016 general election are reaching a fever point with multiple congressional hearings, and digital advertising is in the crosshairs. Like many challenging discussions about digital advertising, transparency is at the heart of the issue.

Digital compliance for political ads

The proposed Honest Ads Act, a bipartisan effort to govern digital advertising according to the same rules followed by traditional broadcast media regarding political advertising, is the one tangible fallout from the investigations.

The act calls for all politically-oriented digital ads to be declared at purchase, clearly labeled in the creative, and available for consumer access via a searchable interface. Among other things, the buyer must disclose their contact information, candidate and/or campaign, ad flight duration, number of impressions/views, and targeting criteria. The platform must collect this information and retain it for at least four years. It applies to digital platforms with at least 50 million unique visitors a month for the preceding 12-month period that have political ad buyers who spend at least $500 within a calendar year.

In a nutshell, it requires that publishers know their ad buyers, ensure ads comply with (regulatory) policies and provide consumer access to these ads and any associated targeting criteria. Sound familiar?

Transparency starts with the buyer

As The Media Trust announced a few short months ago, our Digital Vendor Risk Management (DVRM) platform provides real-time visibility and insight into non-compliant activity and threats operating in enterprise website and mobile app environments. More than a risk management framework, DVRM operationalizes client-specific digital asset policies, continuously evaluates digital partner compliance, and actively facilitates the resolution of violating behavior.

The crux of this solution is the ability to identify and manage an enterprise’s digital ecosystem participants, from ad tech up to the source buyer, and authorize their presence. In addition to privacy regulation and escalating security concerns, the Honest Ads Act is just another reason why enterprises need to know their partners.

DVRM – A simple solution to a complex problem

Applying a political lens to DVRM, it’s evident that the platform is already satisfying most of the requirements to enable transparency and accountability. Advertising supply chain partners register via an online portal; ads are uploaded and continuously scanned according to targeting criteria; client-specific policy violations are flagged; and ads are stored for historical reference.

Self-regulation forces a new digital approach

Major platforms have announced their approaches to address congressional concerns and hopefully stave off the vote, let alone passage, of the Honest Ads Act. However, this self-regulation will need to extend to others meeting the requirement threshold, like ecommerce and media publishers.

Regardless of whether Honest Ads goes to a vote, changes are in the air. As an industry that has largely grown via self-regulation, the signals are obvious. It is incumbent upon the industry to embrace these changes, especially with the DVRM platform as an easy way to codify and operationalize your policies.

PODCAST: How do we fix the internet?

Check out Charles Tendell’s interview of Chris Olson, CEO of The Media Trust, about the challenges of website security and the risk contributed by third-party code.

Listen here.

The world is a digital economy; however, there is a general lack of awareness of how to secure the highly dynamic digital environment, which requires a continuous security approach. The onus is on mobile app developers and website operators to ensure their assets are safe. The key to managing risk requires:

  • Knowing your digital vendors/partners
  • Identifying & authorizing their activity
  • Communicating your policy & establishing responsibility
  • Evaluating vendor compliance with your policy

 

This podcast was recorded on October 24, 2017

Webinar: Thriving Through GDPR

Turning Regulatory Obstacles into Opportunities

Watch today: https://www.admonsters.com/gdpr-webinar-recording/

Understanding and complying with the EU’s General Data Protection Regulation is a challenge for any enterprise with consumer-facing websites and apps, especially media publishers.

In this AdMonsters webinar, public policy consultant Nick Stringer details steps Ad/Revenue Operations teams should take to comply with GDPR and presents other looming regulatory issues.

Parked Domains, pantry moths, and you

Enterprise digital ecosystems are ripe for compromise via long-forgotten domains.

Parked domains have little security

In a span of just 30 days, Equifax morphed from a reputable credit bureau to the latest victim of cybercrime. Sadly, Equifax is just one in a slew of recent website compromises. In fact, the past 12 months bore witness to the malicious use of consumer-facing websites belonging to embassies, national banks, popular brands, premium digital publications, and government organizations. Comparing these incidents with The Media Trust’s historic malware attack data reveals an uncanny commonality – parked domains.

Parked domains are pests

Yes, parked domains are a security problem. Let’s take the real-world example of pantry moths as an analogy. Imagine hoarding supplies in your kitchen pantry due to forecasts like historical storms, end of the world, etc. Alas, the event turns out to be not so epic and life moves on unaffected. Except now, you have a cartload of forgotten excess supplies sitting in your pantry, attracting pantry moths, their larvae (gross), and other pests. Translate this to the digital world: companies buy domains for various purposes such as marketing campaigns, testing advertising code, domain squatting prevention, or holding for future use. Unfortunately, life happens; companies do not renew domain ownership, forget to manage them, campaigns end, or the company may go out of business. This leaves these domains ripe for compromise, as it’s the perfect opportunity for a bad actor to either buy a legitimate-looking link or stealthily infect it to load malicious code.

“We detect parked domains in more than 10% of web-based incidents and have recorded a steady increase in parked domains in the consumer internet,” stated Patrick Ciavolella, Head Malware Desk and Analytics, The Media Trust. “Saying parked domains are a cause for concern is an understatement. Malicious parked domains in a large corporation’s digital ecosystem can not only damage an enterprise’s reputation but can inflict widespread harm on consumers.”

By putting Equifax’s second website compromise under the scanner, we can better understand how parked domains are exploited by bad actors. 

Equifax Case File

The user experience: When users visited certain credit reporting service page(s) on Equifax’s website, they were automatically redirected to a malicious domain or page. This landing page falsely alerted users to an outdated program (Adobe Flash) and prompted a download of an update, which when clicked, would eventually deliver a malicious exploit kit to user devices. Sounds like a typical and simple website-level malware attack, but what happened behind the screens points to an interesting revelation about parked domains.

Behind the screens: After entering the credit report discounts assistance page, there were at least five rapid auto-redirects (no user interaction required) that delivered users to the malicious domain (Centerbluray.info), which hosted the Fake Flash Update alert. This fake online asset appeared legitimate and even used Adobe’s logo to trick users. Once the user clicked on this fake prompt, malicious toolbars or exploit kits were delivered to the devices.

Culprit: Centerbluray.info was the domain hosting malicious code, but the multiple redirect links that navigated to this malicious page were all parked domains. “Our Malware Desk blacklisted Centerbluray.info well before the Equifax incident and detected it in at least six different web-based malware incidents. In every case, parked domains were used to navigate to the final malicious domain,” added Patrick.

Parked Domains FAQs:

  1. Wait, so a parked domain via a third-party vendor running code on my website can affect my website?
    Yes. Today’s websites and mobile apps are inundated with unmonitored third-party vendors that contribute code (content management systems, video hosting, data management platforms, marketing analytics, social media widgets, and more) to the rendering of digital content. Often, these third parties will bring fourth- and fifth-party code into the mix, increasing the probability of a parked domain’s presence in your enterprise digital ecosystem.
  2. Can my own parked domain be compromised?
    Yes. The Karmic forces of the internet are strong. Without caution and care, your own parked domains are vulnerable to compromise. Let’s not forget that parked domains are still affiliated with your digital assets. Now would be a good time to ask your teams—marketing, sales, product, operations—about all the domains your company has ever purchased.
  3. Can my current website security solution detect these parked domains?
    Sigh, if only! For the most part, website appsec only monitors owned and operated code, which is an increasingly small part of today’s website and mobile app code. Also, most website security solutions do not comprehensively monitor outside the firewall, which is exactly where your users are! Without real-time monitoring of executing code, you would not know if your website has been compromised unless users complain or, even worse, you read about it in the paper.
  4. So what can I do?
    Based on the incidents detected in the broader digital ecosystem and managed by The Media Trust, here’s what Patrick recommends:
    “When it comes to your own domains, renew them or cancel the ones that are not in use; please cancel through the appropriate channels. Once canceled, the domain code needs to be completely removed from your website and mobile app codebase. Where it makes sense, sign up for an auto-renewing domain. Remember, when it comes to third-party parked domains, the only way to detect and manage them is through continuous, real-time monitoring of code rendering on user devices.”
  5. Ok, since you brought up pantry moths – how does one get rid of those annoying pests?
    Ah! Clean out your pantry. Get rid of the old dry supplies as they are probably infested by moths and larvae (gross). When you eventually do buy fresh supplies, freeze them first before transferring to storage containers and use the supplies as quickly as you can.
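
The recommendation in FAQ item 4 (renew or cancel your own domains, remove canceled ones from the codebase, prefer auto-renewal) can be checked mechanically. The sketch below is an added example, not code from The Media Trust; the domain names, inventory fields and 60-day warning window are assumptions constructed for illustration.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed inventory of every domain the company has purchased (hypothetical names).
INVENTORY = {
    "example-corp.test": {"status": "active", "expires": date(2026, 3, 1), "auto_renew": True},
    "promo2015.test": {"status": "canceled", "expires": date(2016, 1, 15), "auto_renew": False},
    "adtest-corp.test": {"status": "active", "expires": date(2017, 12, 1), "auto_renew": False},
}

# Constructed page source standing in for a template from the site's codebase.
PAGE = """
<script src="https://www.example-corp.test/app.js"></script>
<script src="//cdn.promo2015.test/banner.js"></script>
<img src="https://img.adtest-corp.test/pixel.gif">
<iframe src="https://widgets.vendor.test/social"></iframe>
<link href="/css/site.css" rel="stylesheet">
"""

class RefCollector(HTMLParser):
    """Collect the hosts named in src/href attributes of any tag."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = urlparse(value or "").hostname if name in ("src", "href") else None
            if host:
                self.hosts.add(host.lower())

def owning_domain(host, inventory):
    """Return the inventory domain that host equals or is a subdomain of, else None."""
    return next((d for d in inventory if host == d or host.endswith("." + d)), None)

def audit(page, inventory, today, warn_days=60):
    """Return (host, finding) pairs for references that need attention."""
    collector = RefCollector()
    collector.feed(page)
    findings = []
    for host in sorted(collector.hosts):
        rec = inventory.get(owning_domain(host, inventory))
        if rec is None:
            findings.append((host, "third-party host, not in inventory"))
        elif rec["status"] != "active" or rec["expires"] < today:
            findings.append((host, "canceled or lapsed domain still referenced"))
        elif not rec["auto_renew"] and (rec["expires"] - today).days <= warn_days:
            findings.append((host, "expires soon without auto-renew"))
    return findings
```

This only sees hosts written into your own markup; domains pulled in at runtime by third-party code are outside its view, which is the case the article says needs continuous monitoring of code rendering on user devices.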