You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

To mock or not to mock?

Avoiding fraudulent advertising campaign verification is critical for publishers

ad-mockup

That is the question frequently asked by media publishers trying to meet advertiser demands related to digital campaign success. The industry’s intense focus on viewability and transparency issues associated with ad fraud hijacks the limelight from another vital area of interest for advertisers: Are campaigns actually running as contracted?

What the advertiser wants, the advertiser gets

To justify the millions (and millions!) of dollars spent promoting products, advertisers rightfully demand proof that their campaigns execute as promised.

From expected ad rendering on the page to accurate targeting by geography and behavior profiles, advertisers want to know that the right ad has been served in the right way in the right location on the right page to the right demographic. In fact, when considering the average spend of a large-scale national campaign flight, many advertisers will assert they deserve to know their campaign is performing as promised.

Authenticated ad inventory yields benefits

The advertising ecosystem is a dynamic environment processing millions of ads covering billions in spend at any one time. Considering that 5% of display and mobile ads are served incorrectly at launch and countless more break during flight, publishers need to actively monitor and protect their ad-generated revenue channels.[i]

Authenticated ad inventory helps publishers secure ad revenue by avoiding pre-planned delivery overages to compensate for anticipated discrepancies. In addition, it also reduces the frequency of misfiring campaigns, thus minimizing instances of “make good” campaigns.

Ad verification is more than good looks

Reputable publishers recognize the value of their high-quality inventory and demonstrate it by providing proof of ad delivery according to established terms. This is a complicated prospect in an age of large-scale campaigns incorporating ads of varying formats (i.e., HTML5, pre/mid/post-roll video, native, etc.) through multiple platforms (i.e., display, tablet, smartphone, gaming consoles, etc.) across increasingly granular targeting segments.

A Photoshopped “mock-up” or full-page capture of the ad on a screen is a start, but it isn’t enough. Presenting a “mock-up” of how an ad should look could be considered fraudulent as it’s not a true representation of how an ad performs across all formats, devices and geographies. In fact, several industries (Tier 2 automotive, pharmaceutical, etc.) and countries (especially those in Latin America) regulate advertising-based billing processes and require third-party verified screenshots upon invoice presentation.

Beyond the visual of “how” an ad looks on a device, publishers must prove that each ad is delivered as contracted with the advertiser. Continuous monitoring of campaigns at launch and throughout flight will quickly detect errors associated with targeting, creative and device-specific issues that impede optimal campaign execution.

Authentication of possibly hundreds of ad combinations—by size, format, device and geography—is used by publishers to substantiate inventory value and by advertisers to audit and measure campaign ROI.

Consider this

To verify accurate ad placement, execution and targeting, a publisher must consider these five factors:

1.    Legitimacy: Screenshots of ads in a live environment truthfully demonstrate that an ad is delivered to the right target. A “mock-up” or “test page” may display how an ad appears on a site, but in reality it provides a false sense of security for how the ad is actually executing. It also infers that the ad will render the same across all devices, OS, formats and geographies.

2.    Accuracy: Mock-ups can’t prove ad placement as many ad units only occur behind paywalls or require an IP address in order to serve the correct messaging to the individual user.

3.    Automation: Imagine scaling the manual process of verifying ads across the overwhelming number of devices, browsers, user profiles, formats, sizes and geo-locations. Without automation, the task is almost impossible. Leverage technology to streamline the process.

4.    Costs: Carefully consider the total cost of ownership when deciding between an in-house or outsourced process. While in-house resources are easier to control, it is difficult to secure funding and keep the staff engaged. On the flip side, outsourcing requires integration, training, probable coordination with targeting vendors, and continuous oversight which could ultimately be more costly than anticipated—not to mention the complications of managing a remote team, in a case of choosing a non-local entity if a non-native entity is selected.

5.    Quality Assurance: Reliance on mock-up designs to certify campaign execution will not catch errors that occur at launch or throughout the campaign flight.

Ad verification is a complex, yet critical endeavor for publishers looking to highlight inventory value. Don’t mock it.

 

[i] The Media Trust analysis of millions of ad campaigns verified over the course of 10 years.

Is Your Threat Intelligence Certified Organic?

Certified _Organic_Threat_Intelligence

7 questions to ask before choosing a web-based threat intelligence feed.

It should come as no surprise that CISOs are under ever-increasing pressure, with many facing the prospect of losing their jobs if they cannot improve the strength of the enterprise security posture before breaches occur. And, occur they will. Consider these figures—recent studies report that web-based attacks are one of the most common types of digital attacks experienced by the average enterprise, costing $96,000 and requiring 27 days to resolve a single incident. Furthermore, there is a definite positive correlation between both the size of the organization and the cost of the cyber attack and additional correlation between the number of days taken to resolve an attack and the cost of the attack—the larger the organization or days required to remediate, the higher the cost.

Enter, Threat Intelligence

CISOs increasingly embrace threat intelligence as a means to enhance their digital security posture. In the past three years, organizations have significantly raised their spending on threat intelligence, allocating almost 10% of their IT security budget to it, and this number is expected to grow rapidly through 2018. And, this budget allocation appears to be well spent as organizations report enhanced detection of cyber attacks—catching an average 35 cyber attacks previously eluding traditional defenses.

Not all threat intel feeds are created equal

Sure, threat intelligence feeds are increasingly accepted and adopted as an essential element in the enterprise security strategy. In fact, 80 percent of breached companies wish they had invested in threat intelligence. But even as the use of third-party threat intelligence feeds increase, IT/security teams are realizing that not all threat intelligence feeds are created equal.

To begin with, there are several types of threat intelligence feeds based on web-based threats or email threats, and feeds that scan the dark web, among others. While not discounting the value of the various types of feeds, CISOs need to understand why web-based threat intelligence is the first among equals. Web-based malware target the enterprise network and the endpoints through day-to-day internet use by employees–internet critical to their day-to-day office functions. A truly valuable threat intelligence feed will help CISOs achieve their end goal of keeping their organization safe and blocking confirmed bad actors.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Checklist for Choosing the Right Threat Intelligence

Ask these seven questions to determine if the web-based threat intelligence feed(s) you choose are “certified organic” enough to provide tangible goodness and value to the health of your enterprise security posture:

1.    Is the data original source?

Our previous post, Your Threat Intelligence Isn’t Working, discussed the pitfalls of using compiled third-party sources in a threat intel feed—more data isn’t necessarily good data! The time-consuming process of managing duplicates and false positives cripples the performance of most information security teams to the point that many alerts are ignored. Protect cherished resources—budget and time—by choosing an original source threat intelligence feed.

2.    How is the data collected?

While original source threat intelligence minimizes false positives and duplicates, how the data is collected maximizes the tangible value of the feed. Web-based malware is typically delivered through mainstream, heavily-trafficked websites, either via ads or third-party code such as data management platforms, content management systems, customer identification engines, video players and more. Hence, the threat intelligence feed needs to source the data by replicating typical website visitors. This means continuously (24*7*365) scanning the digital ecosystem across multiple geography, browser, devices, operating system and consumer behavior, using REAL user profiles. Unless the engine that gathers the threat intelligence behaves like real internet users (who are the targets of web-based malware), the quality of the “internet threat” data is questionable at best.

3.     Is the threat intelligence dynamic?

Threat intelligence should be a living (frequently updated), constantly active data source. The data in the threat intelligence feed needs to adapt to reflect the rapidly transforming malware landscape. The engine behind the feed should both track and detect malware in real-time, while also accounting for the changing patterns of attack. Even the algorithms driving the machine learning needs to be dynamic and continuously reviewed.

4.     Does it prevent AND detect threats?

As the adage goes, an ounce of prevention is worth a pound of cure, and this holds true in the cyber security space. However, reliance on prevention isn’t practical or realistic. Prevention boils down to deployed policies, products, and processes which help curtail the odds of an attack based on known and confirmed threats. What about unknown or yet to be confirmed threats?

Threat hunting is becoming a crucial element in the security posture. It refers to the detection capabilities stemming from a combination of machine generated intel and human analysis to actively mine for suspicious threat vectors. Does your threat intelligence account for both indicators of compromise (IOC) and patterns of attack (POA)? The goal of threat hunting is to reduce the dwell time of threats and the intensity of potential damage. The threat intelligence feed should allow you to act on threats patterns before they become overt.

5.     How is the data verified?

Just as the automation or machine learning behind the threat intelligence feed should simulate a real user for data collection, human intervention is important for data verification. Without the element of human analysis, data accuracy should be questioned. Otherwise, you run the risk of experiencing increased false positives.

6.     Is the information actionable?

Malware is malware, and by its definition it is “bad”. You do not need an extensive payload analysis of threat data. You do, however, need information about the offending hosts and domains, so that compromised content can be blocked, either manually or via Threat Intelligence Platform (TIP). The granularity of the data can also save CISOs from the politics of whitelisting and blacklisting websites. As a bonus, real-time intelligence will enable you to unblock content when it is no longer compromised.

7.     Does it offer network-level protection?

While CISOs still debate over an optimal endpoint security solution, web-based threats attack at the enterprise network. Frankly, stopping malware at the endpoint is too late! The threat intelligence you choose must offer network-level protection and deter web-based threats from propagating to endpoints in the first place.

Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

Your Threat Intelligence Isn't Working

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, it is the quality of this intelligence that is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed, puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source

Compiled isn’t conclusive

Many vendors use the euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal the fact that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant manpower hours for the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for serious damage to be done by cyber criminals.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect to deciphering the value of  threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds factor in indicators of compromise (IOCs) to describe a malware alert is valid  or is marked with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, hence allowing enterprises to block suspicious malware before it becomes overt.

The key determining characteristic between IOCs and POAs is that IOCs contain  superfluous, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could be easily changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice, would make the individual easier to detect and block their ability to commit the same crime again. These inherent factors or POAs are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

Ecommerce can be bad for your financial health

Compromised Landing Pages

Compromised landing page allows unauthorized collection of credit card information. 

A holiday weekend will prove more memorial for some visitors to several ecommerce sites. Customers wishing to purchase athletic gear or sign up for a competition risked having their credit card information collected by an unauthorized third party.

Detecting the infection

In the United States, Memorial Day signals the start of summer and the three-day holiday weekend kicks off with numerous large-scale promotions and sales campaigns pitching outdoor-related goods and services. Consequently, the digital advertising ecosystem usually experiences a jump in campaigns to drive traffic to ecommerce sites—a ripe opportunity to leverage.

The Media Trust team detected extraneous JavaScript code executing on the payment landing page for several medium-sized, sports-oriented ecommerce websites.

First detected in the early afternoon of Saturday, May 28, legitimate advertising creative directed users to legitimate ecommerce sites which happened to be compromised. The “angular” domain (angular.club) injected superfluous JavaScript throughout the sites to collect information input by a user, such as race registration or financial details associated with a purchase.

Memorial Day Sales

Diagnosing the financial headache

The angular domain injected UTF-8 encoded script throughout the entire ecommerce site and obfuscated itself by adopting the name of the site into its script, i.e., angular.club/js/site-name.js. Searching on the root domain “angular.club” redirects to “AngularJS.org”, a valid Google JavaScript framework and another attempt at misdirection to hide the true intention.

It’s likely the bad actor penetrated the content management system (CMS) or website theme template in order to ensure the code executed on all pages, especially the payment landing page.

Compromised JavaScript

Example of JavaScript

This code collects a range of financial and personally identifiable information (PII) including billing name, address, email, telephone number, credit card number, expiration date, and CVV.

The information is then sent to another server unassociated with the ecommerce site owner. The host of the angular domain and the web service that collects the credit card information are owned by the same entity, whose host server is in Germany and registered to someone in Florida.

Per The Media Trust team, there is no valid coding reason for this JavaScript to be on the website. The script’s sole purpose is to inject a block of code into the web page to collect credit card information and send it to another server where it can be used for future use—purchase online goods, sold on the dark web, used to buy domains to launch additional attacks, etc.

Assessing the health of the ecommerce site

The ecommerce site operators removed the code from there sites late on Tuesday, May 31. Frankly, the damage was already done.

During a strong promotional period, several small- to medium- sized ecommerce sites did not realize their expected traffic. Due to the malicious nature of the landing page associated with these campaigns, The Media Trust alerted our ad tech clients to block the serving of the ads. In one instance, seven different creative supporting more than 200 ad impressions did not execute. In addition, one of the campaigns promoted an event with an expiration date of Wednesday, June 1.

Prescribing the cure

The Internet can be a scary place, full of bad actors looking to make a quick buck by preying on the good nature of others—consumers and website properties alike. Holiday periods are when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. And, ecommerce is especially vulnerable due to the direct impact to revenue.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Continuous website monitoring will alert you to an anomalous or unexpected behavior of third-party vendors and first-party, website operator code. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

website security blindspot

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/ website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission U.S. has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.

 

Did malvertising kill the video star?

Video Malware Vector

Large-scale video malware attack propagates across thousands of sites

Malware purveyors continue to evolve their craft, creatively using video to launch a large-scale malvertising attack late last week. Video has been an uncommon vector for malware, though its use is on the rise. What’s different is the massive reach of this particular attack and the ability to infect all browsers and devices. Much like The Buggles decried about video changing the consumption of music, this intelligent malware attack used video to orchestrate mayhem affecting 3,000 websites—many on the Alexa 100. Is this the future?

Charting the infection

The Media Trust team detected a surge in the appearance of the ad-based attack late Thursday night and immediately alerted our client base to the anomalous behavior of the malware-serving domain (brtmedia.net). As it unfurled, the team tracked the creative approach to obfuscation. (See image)

First, the domain leveraged the advertising ecosystem to drop a video player-imitating swf file on thousands of websites. The file identified the website domain—to purposefully avoid detection by many large industry players—and then injected malicious javascript into the website’s page. Imitating a bidding script, the “bidder.brtmedia” javascript determined the video tag placement size (i.e., 300×250) and called a legitimate VAST file. As the video played, the browser was injected with a 1×1 tracking iframe which triggered a “fake update” or “Tripbox” popup which deceptively notified the user to update an installed program. (In the example below, the user is instructed to update their Apple Safari browser). Unsuspecting users who clicked on the fake update unwittingly downloaded unwanted malware to their device.

The compromise continued unabated for hours, with The Media Trust alerting clients to attempts to infect their websites. This issue was resolved when brtmedia finally ceased delivery, but only after tainting the digital experience for thousands of consumers.

video-borne malware infection

Process flow for video-borne malware infection

The devil in the artistic details

The use of video as a malware vector is increasing. As demonstrated above, video and other rich media provide avenues for compromising the digital ecosystem, impacting both ads and websites.

The clever design and inclusion of multiple obfuscation attempts allowed this attack to propagate across some of the largest, most heavily-trafficked sites. As The Media Trust clients realized, the best defense against this kind of attack is through continuous monitoring of all ad tags and websites, including mobile and video advertising.