Malware menaces poison ads as Google, Yahoo! look away
Booming attack vector offers mass malware distribution, stealthy targeting
The industry's top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks look like costly and unwanted speed bumps.
The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.
Craig Spiezle (@craigspi) has spent a career in the advertising and marketing business, most recently as a privacy- and security-focused product director at Microsoft, before joining the Online Trust Alliance as president. He paints a picture of an advertising sector that has lost the ability to know its ad space buyers, having moved from intimate discussion between client and customer to an automatic and instantaneous online machine.
"There is no friction or circuit breaker to vet the ads. It wasn't that long ago that you would come to me on a first-party basis, and we would take pixels, and now there is no insight anymore, and the publishers have no impact on this because they need to take ads to stay in business," says Spiezle.
And this opaqueness leads to reoffending, Bilogorskiy says, noting that more than a third of malvertising-affected websites are re-offenders, which implies that advertising companies lack an "effective proactive prevention solution" to the problem.
For its part, Google has pushed its Safe Browsing initiative, born in 2006, that it badges as a user's often "last line of defence". It is tasked with stopping Chrome users from being hit with malware served by ad injectors and "ad networks lacking strict quality guidelines", but makes no note of attacks made through its flagship DoubleClick platform.
Bilogorskiy says AOL is another big ad network name he sees exploited in the malvertising game, operating a network reaching 199 million unique visitors a month and a whopping 88.8 percent of US internet users.
Meanwhile, ad giants have joined forces to protect their revenue under the Trustworthy Accountability Group to better blacklist robot web crawlers that generate fake banner clicks.
The biggest-name news websites and web properties have been hosed: The New York Times, Reuters, Yahoo!, and Bloomberg are just a few. Yahoo! and Google's fragile ad networks have also seen their news and YouTube assets popped.
This month, Australian telco Telstra was found serving exploit kits through malvertising, while industry sources say in unconfirmed reports that Foxtel was last week doing the same.
News sites are so vulnerable because they tend to pull in and display a lot of un-vetted third-party content. Browser script blockers register up to 30 of these sources on a single page, of which only a few are required for the site to run. Any one of them can be turned against visitors.
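The third-party exposure described above is something a publisher can measure rather than guess at. The following script is an added example, not code from the article or from any of the companies it names: it parses a constructed news-page template, groups every script, frame and image source by origin, separates the publisher's own hosts from third parties, and flags any origin that has not been through a review. The hostnames ending in .test are made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from the article): a news article template
# that pulls scripts and frames from several third-party origins.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-news.test/bundle.js"></script>
<script src="https://ads.adnet-a.test/tag.js"></script>
<script src="https://ads.adnet-b.test/serve.js"></script>
<script src="https://analytics.tracker-x.test/t.js"></script>
<script src="//cdn.widgets-y.test/embed.js"></script>
</head><body>
<iframe src="https://ads.adnet-a.test/frame?slot=1"></iframe>
<iframe src="https://video.partner-z.test/player"></iframe>
<img src="https://analytics.tracker-x.test/pixel.gif">
</body></html>
"""


class _SourceCollector(HTMLParser):
    """Collect (tag, src) pairs for the element types that load remote code or content."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "img"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def origin_of(url, page_host):
    """Host part of a URL; relative URLs (no netloc) belong to the page's own host.
    Scheme-relative URLs such as //cdn.example/x.js are resolved to their host."""
    parts = urlsplit(url)
    return parts.netloc.lower() if parts.netloc else page_host.lower()


def third_party_inventory(html, page_host, first_party_hosts=()):
    """Return {origin: sorted list of tag types loaded from it} for every origin
    that is neither the page's host nor one of the publisher's own first-party hosts."""
    allowed = {page_host.lower(), *(h.lower() for h in first_party_hosts)}
    collector = _SourceCollector()
    collector.feed(html)
    inventory = {}
    for tag, src in collector.sources:
        origin = origin_of(src, page_host)
        if origin in allowed:
            continue
        inventory.setdefault(origin, set()).add(tag)
    return {origin: sorted(tags) for origin, tags in sorted(inventory.items())}


def unreviewed_origins(inventory, reviewed_origins):
    """Origins present on the page that are missing from the reviewed allow-list."""
    return [origin for origin in inventory if origin not in reviewed_origins]


if __name__ == "__main__":
    # Hypothetical publisher host and CDN; the reviewed set is likewise constructed.
    inv = third_party_inventory(
        SAMPLE_HTML, "www.example-news.test", ("cdn.example-news.test",)
    )
    for origin, tags in inv.items():
        print(f"{origin:28s} {', '.join(tags)}")
    print("not reviewed:", unreviewed_origins(inv, {"ads.adnet-a.test"}))
```

Run against a publisher's own pages, the inventory is the starting point for the whitelisting the experts above say is missing: any origin that appears in the output but not on the reviewed list is a script or frame source the publisher cannot vouch for, and the count of origins is the number of parties whose compromise would reach the site's readers.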
The most capable malvertisers foist exploit kits like Angler and Nuclear, which identify the best vulnerabilities – from Adobe Flash to Internet Explorer – to compromise website visitors. Cisco says (PDF) 40 percent of users who encounter these exploit kits are compromised by them.
Angler’s "success" can be attributed partly to its simple but well-constructed web landing pages. Cisco researchers suggest that the exploit kit’s authors may be relying on data science to create computer-generated landing pages that resemble normal webpages and easily dupe users.
It is difficult to pick a winner for the most damaging malvertising case, but Yahoo!'s malvertising breach this month had the potential to expose any of the site's pool of 6.9 billion monthly visitors.
Earlier this month the Huffington Post was, for at least the fourth time this year, hit with malvertising that redirected users to exploit kits in an attack launched through AOL's adtech.de ad platform.
In July, a malvertising campaign potentially netted some 10 million visitors in 10 days with attacks across popular Asian websites. Those attacks were also launched through adtech.de.
These examples are very much a drop in the ocean of attacks. Readers looking for further evidence of the carnage should search the web for malvertising attacks over the last six, twelve, and 24 months to see what is surely the tip of the iceberg of publicly-reported malvertising breaches.
Malvertising traffic for sale in this underground ad. Credit: Kafeine.
However, users do not have to be completely hacked in order for criminals to make bank. Cisco this year was surprised by what it says is an "extensive" operation involving professional and sophisticated code to foist browser add-ons onto users' machines by way of malvertising operations.
It also notes that adware is a popular payload to foist because it generates illegitimate ads which, like add-ons, are harder to detect than exploit kits, and it brings in long-term money through pay-per-install and ad-click models.