HTML5: A Safe Haven for Malware?

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Mobile Redirects Targeting iOS Devices.

In the digital marketing and media world, the user experience is king. HTML5 has played a key role in enabling developers to deliver a richer yet smoother user experience and, as everyone presumed, without the security risks frequently associated with plugins like Flash. In fact, over the past five years, developers, along with publishers and browser providers, have staged a mass exodus from Flash technology into HTML5, which seemed to promise greater security and more advanced web app features. In 2015, when the Interactive Advertising Bureau updated its digital advertising guide with best practices for using HTML5, they cited security as the chief reason behind publishers’ adoption of HTML5.

Over the past two months, The Media Trust malware team has discovered numerous malware incidents which call into question HTML5’s mantle of security.  The malware, which has produced at least 21 separate incidents affecting dozens of globally recognized digital media publishers and at least 15 ad networks, uses JavaScript commands in order to hide within HTML5 creative and avoid detection. The scale of the infection marks a turning point for HTML5’s presumed security and demonstrates the advances malware developers have made in exploiting the open standards’ basic functionality to launch their attack.

HTML5’s Cloak and Dagger

HTML5 renders multimedia content—images, videos, audio—and runs on any computer and mobile device.  The very same attributes that enable it to render popular formats without external plugins also can be used to break apart malware into chunks, making it hard to detect, and reassemble those pieces when certain conditions are met. The malware incidents recently identified by The Media Trust carried out their attacks by infecting HTML5 ads.

The screenshot below illustrates the malware’s behavior through the call chain. When a user views the media publication’s webpage, the JavaScript checks the device for key criteria, namely (1) whether the device is iOS and (2) whether the user is connected via their carrier. When the device meets these criteria, the JavaScript inserts the malicious code into the website (see line 20). The malware is reassembled and issues a separate call which automatically redirects to a new domain that serves a pop-up soliciting input of personal information. Meanwhile, the JavaScript puts together the ad’s various components (see lines 48 through 56).

Figure 1: Call Chain of 2018 HTML Malware Phishing Via an Ad

HTML5 malware are by no means new. In 2015, just as the retreat from Flash began in earnest, researchers discovered several techniques to convert HTML5 into a safe haven for malware. Their techniques used APIs, which in turn employed the same obfuscation-deobfuscation JavaScript commands in delivering drive-by malware. In 2016, tech support scammers used an HTML5 bug to freeze computers and obtain unsuspecting users’ phone numbers. One year later, The Media Trust identified a small number of HTML5 malware delivered pell-mell through a few online publishers. This year’s incidents are different because they require no interaction with the victim and are targeting devices known to make detecting malware even more challenging.

It is important to note that throughout the years, no version of the HTML5 malware has been stopped by antivirus solutions.

HTML5 Malware in the GDPR Era

In this instance, the HTML5 malware was designed to entice victims to enter their information in response to a pop-up ad and is quickly coursing through the digital marketing and media world, waiting for individuals with the right devices to trigger the collection of personally identifiable information. Thwarting this malware will be more urgent than ever as the European General Data Protection Regulation (GDPR) is applied to organizations around the world—regardless of where they are located–that collect personal information on EU citizens. The GDPR, which is poised to penalize infringing organizations as much as four percent of their annual revenues, is merely a precursor to what appears to be a growing trend around the world towards greater online privacy.  Public weariness with hacking and with platform providers sharing user data with their partners has spiked distrust even in brands whose reliability and transparency were previously believed to be unassailable.

What steps should organizations take? First, they should continuously scan in real-time their digital assets for vendors and code. Second, organizations should share and clearly written policies and enforce privacy clauses with their vendors as part of creating a compliance culture within their digital ecosystem. GDPR can impose penalties on an organization and their data processing partner even if the partner is entirely at fault.  Third, they need to lay out an expeditious process that details how they will respond to a breach or to any unauthorized vendor activity. That process should include the immediate termination of any vendor that continues to break policy or clauses after being put on notice. Finally, companies should have quick access to information in case they are required to respond to a regulatory review.

INFOGRAPHIC: Data Protection and Privacy Regulations

Your customer’s digital experience is powered by a range of third-party services not controlled by enterprise IT–ad blocker, advertising, analytics, content recommendation, data management, payments, social widgets, video players, and so much more. Increasingly, these services are proving to be a source of regulatory violations.

Download: Data Protection Infographic

GDPR: The Pandora’s Box is Open for Enterprise Websites

Authored by Chris Olson, CEO & Co-Founder, The Media Trust

This article originally appeared in Website Magazine in September 2017

Compliance officers need to rein in the regulatory risks associated with their digital properties. The European Union’s General Data Protection Regulation (GDPR) is a conversation starter for most companies looking to control compliance, reputational and revenue risks. However, while focus has been on identifying data elements–customer, partner and employee–held by the organization, most have overlooked the data collection activities occurring via the company’s websites and mobile apps. Just as with Pandora’s box, there’s a slew of GDPR-driven evil emitting from your digital properties. 

Digital vendors and the GDPR

The internet is a highly-dynamic environment and most websites require a host of third-party providers to render content on a consumer’s browser. In fact, enterprises tend to find two to three times more external code on their websites than expected. The purpose of this code is to provide or enable services–data management platforms, image or video hosting, marketing analytics, content delivery, customer identification, payment processing, etc.–required to deliver the website experience. However, most enterprises are not aware of the full depth of their reliance on these vendors and therefore do not fully examine the code executing in their own digital environment. This results in “Digital Shadow IT”, which is rampant on most enterprise digital properties since a majority of third-party contributed code executing on the consumer browser operates outside IT infrastructure.

True, third-party digital vendors power today’s robust and feature-rich websites and apps; the downside, however, is that their code execution goes largely unchecked, enabling unauthorized and unmonitored data tracking. This applies to not only known third-party vendors, but also other vendors with whom they are associated—frequently an external provider needs to call a fourth, fifth and sixth party to help execute its requested service. This essentially means that not only do organizations need to get their own house in order, they need to ensure their digital vendors do so as well.

Reliance on web application security tools (appsec) to holistically monitor website and app code is misguided since current web appsec tools are inadequate in capturing third-party code execution. Additionally, security and compliance professionals aren’t fully aware of the amount of consumer data collection activity that takes place–such as cookie drops, pixel fires, device ID fingerprint collection, and more. When GDPR goes live in May 2018, Ignorantia juris non excusat (ignorance of the law excuses not) will not be a valid defense when confronted with a data privacy violation. It comes as little surprise that around 86% of organizations worldwide are concerned about GDPR noncompliance.

What goes online stays online

One of GDPR’s key requirements centers around personal online behavior data—specifically information collected from an individual’s digital activity, i.e., websites visited, links clicked, forms submitted, etc.–and imposes restrictions on its safe transfer outside the European Union to other businesses or legal entities. Organizations will need a clear understanding of whose data is being collected, what data is being collected, what it is used for, and, if the data subject resides within the EU, where this information is being transferred and confidence that it is adequately protected!

Thanks to the density of code executing behind today’s websites and mobile apps this data inventory task is easier said than done.

Data documentation is much harder than companies anticipate, particularly for media and ecommerce websites offering digital display advertising space. Ultimately companies will need to ensure each of their advertising partners do not engage in activity which could put their organization or customer data in violation of GDPR.

Let’s not forget that recent website security breaches also demonstrate that third-parties are often the weakest link in the security chain. While an organization may employ rigorous security controls around physical vendors and contracted partners, they fail to extend the same rigor to their digital counterparts. Gartner predicts that by 2020, 33% of attacks experienced by enterprises will be as a result of shadow IT resources. Based on this evidence it is no wonder the GDPR focuses so heavily on third-party relationships. Clearly, when it comes to unchecked third-party code on websites and mobile apps, it isn’t just compliance risks but significant security risks that enterprises need to consider. How do firms control something they enable but don’t see and can ill-afford to ignore?

Limiting the risks

The odds are stacked against enterprise website operators, but creating a holistic digital vendor risk management program is a step in the right direction. The first step is documenting a few basic facts about your specific digital environment by asking website teams the following:

1. How many third-party vendors execute on websites and mobile apps?
2. What are the names of these vendors?
3. What exactly are they doing, i.e., intended purpose and also any additional, out-of-scope activity?
4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website and mobile app performance?
6. What are the risks to data privacy?
7. What is my business’s exposure to regulatory risk via vendor behavior?
8. Is my organization maintaining encryption throughout the code execution chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. Have Data Compliance policies been communicated to digital vendors?

Once these questions are successfully (or satisfactorily) answered, they should be revisited on a regular basis. Continuous monitoring of the digital environment helps create a compliance mechanism that alerts you to violations.

Organizations must then, of course, strive to document how their third-party partners handle this same data—another GDPR requirement. This information is critical to ensuring customer data is not being put at risk at any time regardless of data holder. In effect, both your organization and your third parties need to develop, communicate and enforce the policies, processes and technologies necessary to support all digital-related aspects of GDPR, from consumer online behavior data collection, use, storage and transfer.

When the regulation comes into force, enterprises that look at this as a key opportunity to protect user/ consumer data, and their own brand, could establish a competitive advantage. The end result should also translate to fewer breaches, less opportunities for cybercriminals, and a much safer cyberspace. The internet’s Pandora’s box may have been opened, but it doesn’t have to spread evil into the world.

Eyeota announces partnership with The Media Trust

Bringing world-class protection solutions to online publishers in Asia Pacific and Europe.

SINGAPORE, July 7, 2014 – Eyeota, the world’s largest international audience data marketplace, today announced a partnership with The Media Trust, a global leader in monitoring and protecting the online and mobile advertising ecosystems, to provide world-class transparency, verification and protection tools to Eyeota’s publishers and data providers across the globe.

With a physical presence in 500 global cities located across six continents, The Media Trust’s proprietary website and ad tag scanning technology provides continuous, non-stop protection against malware, web and mobile anomalies, site performance issues and data leakage, which can lead to lost revenue and privacy violations. Both collectively and individually these can and do harm the customer experience, negate a publisher’s ability to monetize its own audience data, lead to possible privacy violations and damage the publisher’s and data provider’s reputation and, ultimately, revenue. More than 400 publishers, ad networks, exchanges, agencies and corporate enterprises from across the online and mobile ad ecosystems use The Media Trust’s suite of continuous, non-stop detecting, inspecting, alerting and verification services to protect their website.

“As audience-based ad targeting is becoming the norm, publishers have realized their data is their number one asset. Publishers are exposed daily to data theft, data skimming and data leakage. Eyeota has partnered with The Media Trust to bring the best protection, transparency and verification tools to publishers across the globe. The Media Trust is the world leader in data and malware protection for publishers. More than 75% of the top publishers in the United States use their solutions to monitor, protect and shield their data.” Said Kevin Tan, CEO, Eyeota.

He added, “Given the inherent complexity of online ad serving, publishers need continuous, 24/7 monitoring of all ad tags and tools running on their sites, as well as real-time alerts on any unauthorized tracking of website visitors. This partnership not only brings a comprehensive suite of services to our publishers, but it also demonstrates the importance Eyeota continues to place on publishers and the job of protecting their online assets. The Media Trust offers best-in-class solutions, and we are very pleased to announce this partnership.”

Chris Olson, chief executive officer and co-founder of The Media Trust said, “Partnering with Eyeota in international markets was a natural decision. Not only is Eyeota the trusted leader in third-party monetization and management solutions for publishers worldwide, but their publisher-centric focus demonstrates they understand publishers’ challenges and needs as well as the value of their data.”

The Media Trust monitoring and protection solutions will be available worldwide on the Eyeota platform beginning immediately.

For more information please contact:

Eyeota: Laura Keeling – lkeeling@eyeota.com, Telephone: +65 9117.3718

The Media Trust: Ellen Donovan – ellen@themediatrust.com, Telephone +1 404.374.7822