Malvertising: How the ad model makes crime pay
... and who's liable for all the money lost?
Feature The exploitation of online advertising networks by malware-flingers is expected to cause up to $1bn in damages by the end of this year, but despite ongoing regulatory efforts, it is not clear to whom the liability for these enormous losses will fall.
The increasing sophistication with which online advertisers profile users has allowed those exploiting ad networks to hit victims with extraordinary cost-effectiveness. The way that ad networks sell impressions lets attackers target their payloads by recipients' earnings profile, by browser type, and by whether in-browser anti-virus protection is active. These factors, coupled with a low barrier to entry for new customers, allow criminals to reap high returns on their investments.
Delivering a presentation on the mechanics behind malvertising attacks, Malwarebytes' senior security researcher Jérôme Segura noted how the mechanics of advertising networks are an important part of the return on investment for miscreants, allowing the attack vector to expand.
In particular, it is real-time bidding (RTB) – enabling advertisers to buy and sell advertising inventory through a programmatic, automated auction process – that provides criminals with their economic platform. With RTB, customers pay only for the auctions they win. This has obvious efficiency benefits for advertisers, whose spending provides much of the finance behind online businesses. However, it also provides an opportune environment for threat actors to elbow their way in.
Malvertising campaigns can thus effectively target only those who will be vulnerable to the attack, which means that such attacks are "very cost-effective," according to Malwarebytes' CEO Marcin Kleczynski, to the degree that their "pay-per-impression rate is essentially pay-per-infection".
According to Malwarebytes, one malvertising campaign that ran from January to February this year was able to expose 6,000 web browsers to malware for an investment of just $5. Responsibility for the damages caused through this expanding attack vector, which are expected to reach $1bn this year, remains difficult to attribute.
Talking to The Register, Jérôme Segura stated that: "As security researchers, we are more accustomed to hearing accounts being 'suspended' or 'terminated' for malicious behaviour, rather than 'paused' when we deal with hosting companies or registrars. But things are a little different in the ad industry."
Often, the advertisers involved in a malvertising incident may not be the malicious actor themselves. Segura stated: "They may simply have resold to a third-party that abused their trust. For this reason, it would be unfair to terminate the top level advertiser because they did not 'knowingly' participate in the malvertising."
"Advertisers bring in money and it would be going against business sense to terminate them at their first offence," Segura noted, but acknowledged that there is no standard reaction from advertising networks when it comes to customers who have been implicated in malvertising. "Some networks will 'inform' their customer," stated Segura, "others will issue more severe warnings, but at the end of the day it's a business decision - especially when it comes to large customers bringing in a lot of revenue."