Malvertising: Is this the beginning of the end?

Decoding TAG malware scanning guidelines for tactical use 

Note: View webinar at https://www.themediatrust.com/videos.php 

The advertising industry’s crackdown on malvertising has begun. TAG’s recently-released malware scanning guidelines clearly state that every player in the digital advertising ecosystem has a role in deterring, detecting and removing malware.

However, these guidelines need to be translated into action plans. As with many cross-industry initiatives, the TAG guidelines serve several different groups across the digital ecosystem while also introducing security concepts to advertising/marketing professionals. The use of words such as: interdict, cloaking, checksum, and eval(), may baffle many ad ops professionals just like defining “creative” as a payload may baffle security teams.

The good news is that The Media Trust’s existing malware clients are already 100% compliant with the guidelines. Other ad ops teams at agencies, ad tech providers, and publishers, will need to translate the best practices into tactical actions in order to bring their operations into compliance.

What is clear: Scanning is in your future

Every entity that touches or contributes code to the serving of an ad plays a role in malware deterrence – this much is clear. Agencies, ad tech providers and publishers alike are, therefore, expected to proactively and repeatedly review their ads for malware.

Specifically, the guidelines state that:

1.    Ads and their associated landing pages must be scanned for malware
2.    Scanning should be performed before an ad is viewed by the end consumer
3.    If initial scanning detects malware, then the ad must be rescanned until malware-free

Read between the lines: Reap what you sow

The complexities of the digital ecosystem make it almost impossible to explicitly state what each player in the advertising ecosystem should do. Typically, the amount of scanning required is directly proportional to the risk of serving a malware-infected ad or directing to a malware-infected landing page. While there are some directional tips, the guidelines also present a few abstract recommendations:

• Scanning frequency

Ad formats, demand types, consumer reach and access to an ad as it traverses from advertiser to publisher, affect the frequency of recommended scanning.

For instance, a publisher with a campaign using hosted, static ads, targeting a small number of impressions does not have as robust a scanning requirement as a publisher running campaigns with rich media served programmatically. And, an ad contaminated by malware needs to be scanned more frequently than one that doesn’t set off alarm bells during the initial scan. And, an ad that changes mid-flight—modifying targeting, increasing number of impressions, introducing rich media—requires additional scanning.

• Proof of scanning

Claiming an ad is scanned is not sufficient. As a best practice, all parties should document proof of scanning and this proof should contain creative id, tag specifications, date of initial and subsequent scans and scanning results. In addition, each party in the advertising value chain should establish a point of contact for reporting malware and communicate it to their upstream and downstream partners. 

• Know your partner

A critical factor that informs rescanning cadence is the provider’s confidence in their upstream partner(s). Long-standing relationships with reputable, responsive partner(s) infers a reduced likelihood of malicious activity, as opposed to a newly-formed partnership with a one-man shop based in a foreign country. And, the provider should also track and document if their partner adheres to the scanning guidelines, too.

Look ahead: This is just the beginning

The guidelines clearly set the stage for optimizing ad quality and its resulting effect on the user experience, with an emphasis on security. A 100% malware-free advertising experience can’t be guaranteed, but everyone agrees it can be greatly improved. Future steps will undoubtedly address data privacy, ad behavior and more.

While these guidelines provide the impetus to tackle malvertising, it’s a safe bet that industry leaders will push to make them standard a la TAG Certified Against Fraud and Certified Against Piracy programs. And, in order to standardize, a certification and evaluation or audit process will be needed.  

Stay tuned.

Learn more
The Media Trust hosted three informative webinars presenting specific direction to publishers, ad tech providers and agency/buyers. To view, visit https://www.themediatrust.com/videos.php

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

 

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises and the classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone that truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically for an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render on a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

Known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose to not pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analyses requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view which requires scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screen shot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no valuable benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem, however, this fact is not ignored by responsible industry players who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.