Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

Your Threat Intelligence Isn't Working

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, it is the quality of this intelligence that is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed, puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source

Compiled isn’t conclusive

Many vendors use the euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal the fact that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant manpower hours for the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for serious damage to be done by cyber criminals.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect to deciphering the value of  threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds factor in indicators of compromise (IOCs) to describe a malware alert is valid  or is marked with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, hence allowing enterprises to block suspicious malware before it becomes overt.

The key determining characteristic between IOCs and POAs is that IOCs contain  superfluous, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could be easily changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice, would make the individual easier to detect and block their ability to commit the same crime again. These inherent factors or POAs are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

Ecommerce can be bad for your financial health

Compromised Landing Pages

Compromised landing page allows unauthorized collection of credit card information. 

A holiday weekend will prove more memorial for some visitors to several ecommerce sites. Customers wishing to purchase athletic gear or sign up for a competition risked having their credit card information collected by an unauthorized third party.

Detecting the infection

In the United States, Memorial Day signals the start of summer and the three-day holiday weekend kicks off with numerous large-scale promotions and sales campaigns pitching outdoor-related goods and services. Consequently, the digital advertising ecosystem usually experiences a jump in campaigns to drive traffic to ecommerce sites—a ripe opportunity to leverage.

The Media Trust team detected extraneous JavaScript code executing on the payment landing page for several medium-sized, sports-oriented ecommerce websites.

First detected in the early afternoon of Saturday, May 28, legitimate advertising creative directed users to legitimate ecommerce sites which happened to be compromised. The “angular” domain (angular.club) injected superfluous JavaScript throughout the sites to collect information input by a user, such as race registration or financial details associated with a purchase.

Memorial Day Sales

Diagnosing the financial headache

The angular domain injected UTF-8 encoded script throughout the entire ecommerce site and obfuscated itself by adopting the name of the site into its script, i.e., angular.club/js/site-name.js. Searching on the root domain “angular.club” redirects to “AngularJS.org”, a valid Google JavaScript framework and another attempt at misdirection to hide the true intention.

It’s likely the bad actor penetrated the content management system (CMS) or website theme template in order to ensure the code executed on all pages, especially the payment landing page.

Compromised JavaScript

Example of JavaScript

This code collects a range of financial and personally identifiable information (PII) including billing name, address, email, telephone number, credit card number, expiration date, and CVV.

The information is then sent to another server unassociated with the ecommerce site owner. The host of the angular domain and the web service that collects the credit card information are owned by the same entity, whose host server is in Germany and registered to someone in Florida.

Per The Media Trust team, there is no valid coding reason for this JavaScript to be on the website. The script’s sole purpose is to inject a block of code into the web page to collect credit card information and send it to another server where it can be used for future use—purchase online goods, sold on the dark web, used to buy domains to launch additional attacks, etc.

Assessing the health of the ecommerce site

The ecommerce site operators removed the code from there sites late on Tuesday, May 31. Frankly, the damage was already done.

During a strong promotional period, several small- to medium- sized ecommerce sites did not realize their expected traffic. Due to the malicious nature of the landing page associated with these campaigns, The Media Trust alerted our ad tech clients to block the serving of the ads. In one instance, seven different creative supporting more than 200 ad impressions did not execute. In addition, one of the campaigns promoted an event with an expiration date of Wednesday, June 1.

Prescribing the cure

The Internet can be a scary place, full of bad actors looking to make a quick buck by preying on the good nature of others—consumers and website properties alike. Holiday periods are when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. And, ecommerce is especially vulnerable due to the direct impact to revenue.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Continuous website monitoring will alert you to an anomalous or unexpected behavior of third-party vendors and first-party, website operator code. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

website security blindspot

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third-parties, IT/ website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission U.S. has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.

 

Did malvertising kill the video star?

Video Malware Vector

Large-scale video malware attack propagates across thousands of sites

Malware purveyors continue to evolve their craft, creatively using video to launch a large-scale malvertising attack late last week. Video has been an uncommon vector for malware, though its use is on the rise. What’s different is the massive reach of this particular attack and the ability to infect all browsers and devices. Much like The Buggles decried about video changing the consumption of music, this intelligent malware attack used video to orchestrate mayhem affecting 3,000 websites—many on the Alexa 100. Is this the future?

Charting the infection

The Media Trust team detected a surge in the appearance of the ad-based attack late Thursday night and immediately alerted our client base to the anomalous behavior of the malware-serving domain (brtmedia.net). As it unfurled, the team tracked the creative approach to obfuscation. (See image)

First, the domain leveraged the advertising ecosystem to drop a video player-imitating swf file on thousands of websites. The file identified the website domain—to purposefully avoid detection by many large industry players—and then injected malicious javascript into the website’s page. Imitating a bidding script, the “bidder.brtmedia” javascript determined the video tag placement size (i.e., 300×250) and called a legitimate VAST file. As the video played, the browser was injected with a 1×1 tracking iframe which triggered a “fake update” or “Tripbox” popup which deceptively notified the user to update an installed program. (In the example below, the user is instructed to update their Apple Safari browser). Unsuspecting users who clicked on the fake update unwittingly downloaded unwanted malware to their device.

The compromise continued unabated for hours, with The Media Trust alerting clients to attempts to infect their websites. This issue was resolved when brtmedia finally ceased delivery, but only after tainting the digital experience for thousands of consumers.

video-borne malware infection

Process flow for video-borne malware infection

The devil in the artistic details

The use of video as a malware vector is increasing. As demonstrated above, video and other rich media provide avenues for compromising the digital ecosystem, impacting both ads and websites.

The clever design and inclusion of multiple obfuscation attempts allowed this attack to propagate across some of the largest, most heavily-trafficked sites. As The Media Trust clients realized, the best defense against this kind of attack is through continuous monitoring of all ad tags and websites, including mobile and video advertising.

Ad Ops can rest a bit easier with malware resolution strategies

Sharing of malware incident information proving a success

Ad Ops can rest easy

The continuous threat of malware in the advertising ecosystem keeps many advertising operations professionals awake at night. The speed at which ads are bought and served and the number of players involved comes at a steep price—vulnerability to malware. For years, The Media Trust has tackled this vulnerability head on by detecting malware in our clients’ digital ecosystems and providing the critical details that allow the malware to be located and shut down. Impacted clients then communicated these details with the specific partner serving the infected ad. This daisy-chain process involves a series of communications with upstream partners, a process that can take up to 72 hours while the malicious ad continues to circulate.

To minimize the daisy-chain effect, The Media Trust introduced Media Scanner’s Resolution Services, an information sharing service that provides for simultaneous communication of malware alert details among partners. Announced in April, Media Scanner’s Resolution Services has proven to be a resounding success with 20 digital publishers and more than 20 ad tech partners enrolled in just under six months.

Reaping what you sow

Media Scanner’s Resolution Services is a SaaS-based service that provides real-time information sharing with upstream and downstream business partners about malicious ads detected in a client’s advertising operation. As part of the Media Scanner product family, this solution is available as a complimentary add-on to existing clients with significant ad tag volume.

Designed for publishers, ad networks, ad exchanges, demand platforms and paid-content engines, the service’s continuous, real-time information sharing compresses cycle times for malware detection, notification and remediation from several days to mere seconds, drastically reducing infected tags’ ability to harm site visitors and the site’s brand reputation. By compressing this cycle time, companies can speed incident remediation, protect revenue by ensuring ad tags stay active and strengthen business relationships.

Real-time, actionable malvertising intelligence delivers a host of benefits to the entire digital ecosystem.

  • Revenue continuity: By sharing malware incident data with the upstream party serving the malware, bad ads are removed more quickly thereby allowing ad tags to remain active and generating revenue.
  • Improved incident response: By allowing Media Scanner to send an alert to clients and their mutually-impacted business partners, everyone realizes a shorter cycle time to resolve the issue across the entire advertising value chain.
  • Streamlined incident handling: Once an anomalous ad tag is detected and confirmed, The Media Trust automatically notifies all impacted partners throughout the advertising ecosystem, which ensures the ad can be removed and then permanently blocked.
  • Enhanced security posture: 24/7 access to information on malicious ad tags improves not only the health of a publisher’s advertising operation, but also strengthens their organization’s security posture, bridging the gap across ad ops, sales, marketing, site operations and security teams.
  • Strengthened relationships among partners: Real-time communication and cooperation generates a positive network externality that improves the overall health of the entire online and mobile advertising ecosystems and severely limits malware’s success rate.

In the past few months, this solution simultaneously communicated hundreds of malware incidents to impacted publishers and their authorized ad tech partners, greatly accelerating the termination of malware, removing hours—sometimes days—from the cycle. This increased speed of malware incident resolution exponentially improves the level of protection across the greater online and mobile advertising ecosystem. But more can be done.

An eye to the future

Ad tech providers want to get into the game and initiate this program with their buying partners, attesting to the true value of Media Scanner’s Resolution Services. The Media Trust is now working with ad tech clients to share incidents with authorized agency media buyers and trading desks—a critical step to tackling malware as it enters the advertising environment. Malvertising will never be eradicated, but, limiting its ability to rapidly propagate throughout the digital ecosystem helps everyone rest a bit easier.

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

 

Malware Alert

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises and the classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone that truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically for an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render on a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

Known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose to not pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analyses requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view which requires scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screen shot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no valuable benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem, however, this fact is not ignored by responsible industry players who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.

Leaving the light on…and exposing visitors to malware

Hotel websites are vulnerable to malware and data leakage

Hotel website security

The hotel industry is poised for continued growth in 2015, coming off a stellar 2014 which saw occupancy rise to levels not seen in more than 20 years. With the World Tourism Organization projecting more than 1.4 billion international journeys in the year 2020, you can bet that hotel websites will play a central role in fulfilling these travel needs.

What are hotels doing to secure a share of this volume? Many incorporate video, add feedback collection and recommendation features, leverage blogs, or enhance the content management system. These various services provide for a more interactive and engaging website, as well as enable the site to be optimized. But, did you know that they also represent an entry point for malware and data leakage that can expose a customer’s personally identifiable information?

Yes, hotel ecommerce sites are rife with third-party vendors. As outlined in our recent blog post, brand and ecommerce site managers are not doing enough to protect the online and mobile environment FOR their customers. And hotel websites are no different. In fact, current industry rumors point to a manipulation of an account-checking tool used by a major hotel chain. The compromised tool, in concert with stolen passwords, allowed fraudsters to open new accounts and transfer rewards points which were then exchanged for gift cards. So that got The Media Trust thinking about other website vulnerabilities faced by hotels.

In early December, The Media Trust analyzed the 34 top hotel websites, as listed in STORES magazine’s annual “2013 Top 250 Global Hotels” report published in January 2014. Analysis involved the scanning of all public-facing website pages and the capture of all third-party vendors, domains and cookies present on each hotel’s site.

Over a seven-day period, The Media Trust’s Media Scanner scanned each hotel’s website homepage and major sections 250 times a day—a total 1,750 scans across each site. Each scan executed the web page as if being viewed by a typical consumer, and collected and analyzed all third-party code, content and text for security, latency and data leakage issues. Leveraging our presence in more than 500 global locations, The Media Trust replicated a true user experience as if a real consumer visited the website, and therefore did not have the ability to collect actual visitor data.

The results were interesting. The average site utilized 47 different domains, 31 vendors and 65 cookies; however, some outlier hotel sites used as many as 134 domains and 148 cookies.

                                      Average       High

            Domains:             47              134
Vendors:              31                57
Cookies:              65              148

What does this mean? That’s a good question. In theory, low numbers are preferred from a manageability perspective as each domain, vendor or cookie represents an access point to or action on a site—the fewer utilized in site operation, the fewer to manage. However, the reality is that a sizeable number of third-party vendors, domains and cookies are found on most sites as they provide the interactive and engaging functionality executing on browsers.

This functionality comes at a cost. Each third-party vendor represents an access point that could be compromised and serve malware; or, redirect visitors to another, possibly malicious, website or app; or, secretly collect website visitor (first-party) data. In addition, each third party can call dozens of fourth or fifth parties which exponentially increases the risk to site visitors.

Browser cookies provide essential site functions, including the ability to navigate without repeating data entry such as destination, travel dates and room requirements. However, the process of dropping the cookie can easily be compromised by an unauthorized party piggybacking on the cookie. In addition, some third-party vendors drop cookies to collect website visitor/first-party data without website owner/operator knowledge. Known as “data leakage”, these cookies track valuable user behavior—data about guests, their interests and travel periods—which can be resold into the online ecosystem for customer targeting by competitors or industry partners. If that data includes personally identifiable information (PII) the website owner/operator could be subject to data privacy violations. With state attorneys general and the federal government cracking down on PII, hotels must be mindful of public-facing website properties and what is executing on visitor browsers.

Hotel websites are vulnerable to data leakage and malware, and this vulnerability opens the door to litigation and significant brand damage. For these reasons website owner/operators need to thoroughly identify, approve and monitor third-party vendors and their activities at all times.

The big question is: How are the major hotel chains managing their public-facing websites to protect their customers?

What’s on your website? And what’s it doing there?

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.

 

SEA attack is no surprise

Ecommerce website losses estimated in the millions of dollars.

Boom! There it is. As expected, someone took advantage of the holiday season to make a statement, and hacking into media and corporate brand websites is one way to get the world’s attention.

Early yesterday morning at 6:38 a.m. EST, The Media Trust was the first security company to detect a pop-up screen stating the Syrian Electronic Army (SEA) had hacked a website, first in mobile and then online environments. The ongoing, 24/7 scanning of more than 25,000 websites through our Media Scanner services allowed us to quickly detect the hack and prepare our clients for battle.

Upon detection of this pop-up message, The Media Trust’s Malware Team immediately analyzed the code and determined it stemmed from a call made by Gigya, a customer management platform used by more than 700 leading brands. The Malware Team immediately contacted affected clients so they could quickly remove and then block the malicious file, thereby helping clients avoid the time-consuming hassle of tracking down the issue’s source.

This was an indirect attack, because it compromised the DNS server at gigya.com, which is hosted by GoDaddy. The SEA did not gain access to the Gigya servers; instead they redirected Gigya’s Internet traffic to its own servers and then served a file called “socialize.js” which displayed the SEA’s message.

As with their past attacks, the SEA targeted media outlets and focused exclusively on websites and was not related to any ad content. The SEA attack did not distribute malware and was designed as an effective publicity stunt. Yet, what’s to stop them from doing something worse the next time? And, let’s be honest, even without the presence of malware, a message on an ecommerce site stating that it has been hacked, even for a few hours, results in lost transactions – those few hours translate into millions of dollars of unrecoupable revenue.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. As The Media Trust cautioned in last week’s blog post, the holiday season is when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Keep in mind that The Media Trust’s Media Scanner detected this attack before Gigya. Do you want to know about your website being comprised so you can take action before the world knows? Think about it.

Ecommerce: Are you ready for the 2014 holidays?

It’s the most wonderful time of the year…for ecommerce.

For many, the cooler temperatures and shorter days signal the start of holiday shopping, and the 2014 holiday season is expected to witness a 15.5% increase in ecommerce sales. Mobile transactions will constitute a third of that number generated, with the average consumer spending $248 online. For others, the increased volume of online shopping serves as a tempting target for web-based attacks in the form of malware, and consumers are the innocent participants.

Malware attacks skyrocket during the holiday season. This makes sense when you consider that more than 25% of total U.S. annual online sales are expected to occur in November and December.With more than $6.5 billion in ecommerce sales expected this year, you can bet the online ecosystem will be targeted.

Much like retailers stock the shelves, ecommerce sites load up with images, product descriptions and advertisements promoting this season’s must-have items and offering discounts in preparation to cash in on the uptick in website visitors. However, this super-sized volume also attracts those looking to make a quick buck by taking advantage of your customers and their online shopping activities. They hijack your ads or third-party content to deliver nefarious code that auto installs on your site visitor’s device. Often, due to fraudsters’ ever-increasing sophistication, these ads or images don’t even require user action. The process of simply serving the impression of an infected ad, image or product review can set the malware wheels in motion.

The Media Trust has had a front-row seat to these activities for the past few years, witnessing the doubling and sometimes tripling of attacks via web-based advertisements or “malvertising” from November through January. The attacks typically kick into high gear on the Wednesday before the U.S. Thanksgiving holiday, a time when many employees charged with supporting and maintaining your website are at home enjoying the long weekend. The staff required to keep the website operational focus only on functionality and often don’t notice the anomalous, third-party code piggybacked to their ads and third-party content.

What’s the worst that can happen? Your website and/or ads become a flashpoint for a major attack, infecting thousands of your customers or potential customers with harmful malware. Typically, the malware downloads an exploit kit onto a customer’s device and mines for system weaknesses to leverage, like passwords or access to personal bank accounts. Sometimes, the hijacked content redirects valuable customers to a fraudulent site, resulting in lost revenue. In either scenario, your customers experience a negative interaction with your brand.

The reality is that your public-facing ecommerce site, quite possibly the bread and butter of your business, can serve as a prime purveyor of malware to your customers. The only way to prevent such attacks is to monitor all ad tags and website code executing on the browser or app, including your own code and that of third parties, data management platforms, advertising re-targeters, analytic firms and sales platforms. Continuous, 24/7 monitoring ensures the detection and analysis of all unknown or anomalous ads and third-party code served to the site, and real-time detection enables ecommerce operators to quickly remove and then block the suspicious or malicious ad tag or code before any damage to site visitors or brand occurs.

Brand protection, revenue security and site performance–those are the best holiday gifts to give and receive.