In this series, I will discuss where malware in the advertising industry -- malvertising -- hides, how it is detected, and best practices of how to defend against malvertising attacks. This post is the first installment in the series and will expose the hidden places that malware can hide to successfully infiltrate your computer or mobile.
Malware is classified as malicious software that can infiltrate a user's computer and harness its system. The impact on the user can be quite harmful, like in the case of identity theft, or more innocuous and not felt by the user, as in the case of ad injection or click fraud. Types of malware include viruses, worms, trojan horses, adware, spyware, ransomware, and scareware.*
*For a full explanation of each type of malware, check out our blog, The Ultimate Guide to Malware & Other Online Security Threats.
Malware is occurring on publishers’ sites without their knowledge. Since sites sell their media through programmatic, 3rd party demand partners, and exchanges, it has become almost impossible to control the ads that are served – not without outside help anyway. In addition, hackers target specific sites and companies and insert malware through server or infrastructure hacks.
Symantec discusses in their Internet Security Threat Report that malvertising has reached “new heights”. Cyphort Labs reports a 325% increase in malvertising from 2013 to 2014, and asserts that it is only continuing to increase, affecting overs tens of millions of people from popular, well-respected domains.
Here’s the first BIG reveal: It’s all about URL inspection. You can attribute malware to scripts and executable codes, but when it comes down to it, malvertising comes through the URL.
URLs that are embedded in a page or come with a server response after a user interacts with the page may lead to a malicious site, or alternatively, download malicious code.
Pre-Click, Post-Click, and Everywhere In-Between
Malware insertion processes are highly sophisticated with a wide scope of insertion techniques. Many people think that if they don’t click on a suspicious site or download a deceptive file, they won’t get infected. However, users do not have to actively click, there are scenarios where malvertising runs pre-click. Examples of pre-click malware include being embedded in main scripts of the page or drive-by-downloads. Malware can also auto-run, as in the case of auto redirects, where the user is automatically taken to a different site, which could be malicious.
Malware can also be found in the delivery of an ad – where a clean ad that has no malware pre or post click (in its build and design) can still be infected whilst being called. Malicious code can hide undetected and the user has no idea what's coming their way.
A publisher can fully trust their direct partner (often the "premium" partners) to do their utmost to insert clean campaigns. However, with the use of programmatic RTB, third-party demand partners, and the hacker environment that shows no signs of slowing down, one can never know when they will be hit with malware.
So where specifically can malware hide?
In the Delivery Path - There are two delivery pathways to serve an ad:
The first pathway is known as the “ad calls”, where the platform or exchange pushes the served ad to the user’s screen (this is the pre-click pathway). These ad calls can go through many third parties, one of which may insert a malicious code. Then the user gets infected without doing anything.
The second delivery path is post-click. When the user clicks on the ad, a series of URLs are called to get to the final landing page. A malicious code can be inserted from one of the third parties involved in that delivery path.
Within a Pixel - A tracking pixel can be embedded in a variety of places, including a banner and on a landing page. Pixels are usually found in ad calls; they are small pieces of code used to send data in a query string. Typically, one will “shoot a pixel” to mark a certain interaction of a user. In the case of malware, the pixel transfers data to the ‘receiver’ who responds by sending malware (for example, pop-up/under).
Within a Video - There is a popular misconception that video ads can't deliver malware. Many believe that the video player protects against malware, however, this is not the case. Take a typical standard video type, for example, a VAST video ad; this video ad contains pixels from third parties and one of those embedded pixels contains malicious code. So once the user allows the video ad to load and play, they become infected. Alternatively, there could be a malicious post-click URL as the end of the video ad. In addition, a flash file (.swf) itself can inject an iframe into the page and this iframe will download the malware onto the user’s computer. The user does not even have to click on the video (as demonstrated by recent events).
On the Landing Page - A malicious URL could appear in the final landing page. It could be that the landing page itself, as well as the pathway is clean, but there are items within the page for the user to click on which contain malicious code. One of the reasons this is so alarming is the user might consider themselves safe by this point, only to find that they became infected because they clicked on an (infected) element within the page.
Within a Polite Banner - Malicious code could be found in the URL tags of a polite banner. (A polite banner is a pre-roll ad for a flash file that takes a couple of seconds to load.) Meaning, the actual flash ad is clean, but the ‘polite’ ad that keeps the user busy while it is loading, contains malicious code. Again, the user needs to take no action to become infected.
As you can see, there are many places for malware to lurk unseen and many scenarios that can cause the user to be infected. It may seem overwhelming and unmanageable, but security teams work day and night to control the flow of malware within the online environment.
To find out what exact techniques the security experts use to detect malware, look out for my next blog!