
© Copyright 2016 GeoEdge Ltd.  |  All rights reserved  |  Privacy Policy  |  Terms of Service

Why Video Ads Were Exploited this Holiday Season

January 6, 2016

’Twas the season for a spike in malvertising!

Because of the holiday season, bad actors, who typically make their money by slipping malicious ads onto popular websites, swarmed the Internet with malvertising. With events like Black Friday producing over 3 billion dollars in spending, holiday time is always prime time for bad actors. Many publishers are not equipped to detect malvertising, and don’t realize that it can be injected through video ads on display and mobile.

Malvertising Trends of Video Ads
Video ads are very popular targets, as they are predicted to take 79% of consumer traffic in 2018. This makes them a very attractive medium for bad actors, and we are seeing more malvertising activity in video ads:

1. Obfuscation of publishers: It is relatively easy for bad actors to insert a malicious ad into the online ad chain. A malicious ad usually specifies its target demographic and, with the help of the ad network, platform, or exchange, finds its marks anonymously. The huge volume of ads flowing through our ad distribution system makes it very hard to spot ads that are laced with malicious code, and even harder to spot the individuals who placed the ads into the system in the first place. The automated nature of ad delivery has made it easier for hackers to infiltrate legitimate websites with malicious ads, and hackers are also getting cleverer in how they build and hide malicious code in their malvertisements.

2. Increased Vulnerability: Video ads were originally served using a modified version of XML (a markup language) known as the Video Ad Serving Template, VAST. This standard avoided the use of JavaScript, which can potentially allow malicious exploits. VAST was then extended with VPAID (Video Player-Ad Interface Definition) to add new functionality, in the form of support for rich interactive media (executable ad units). Unfortunately, VPAID weakened the security of VAST and introduced a vulnerability in the model through the use of Adobe Flash, a well-known conduit for malware because of its many inherent software vulnerabilities that can be exploited.

3. Attack of the killer ads: Massive attacks are starting to take place that are both sophisticated and complex. A recent example was the campaign. The incident involved a number of parts that came together to perform the hack. It started by using the ad network to insert a fake .swf file onto thousands of legitimate websites. The file tricked the website domain into believing it was legitimate, and so avoided detection. Once in place, it was able to insert malicious code into the web page, where it ran a bidding script and ultimately called a VAST file, playing the video. During play, the video was then able to open a ‘Tripbox’, a popup message encouraging the user to update software, for example a browser. If the user ‘clicked to update’, they allowed the malicious program to run and install itself on their computer: job done. This sneaky, complex, yet elegant malvertising attack could be used to infect devices with all sorts of sinister malware, including the dreaded ransomware, which extorts money from individuals and companies with great success.

4. Specialist botnets: Botnets such as Xindi are being developed by hacker groups that specifically target video ads. Xindi, like many other pieces of malware, works by exploiting a vulnerability, in this case in the Internet advertising open standard protocol, OpenRTB. The protocol was designed to accommodate the use of real time bidding (RTB) within the online ad industry. A number of ad exchanges use OpenRTB, including a version supported by the Google DoubleClick ad network. Xindi uses a number of different methods to deliver its payload, including drive-by downloads, and may have infected up to 8 million PCs.


Once a machine is infected, the botnet works to create fake views of ads, aka impression fraud. The malware’s basic mode of operation is to send a request to the supply side platform, or SSP. It does this entirely silently, as you would expect a botnet to do. The hack works because of this flaw in OpenRTB. The flaw, known as vulnerability CVE-2015-7266, allows Xindi to effectively collect multiple ad markups that are left un-rendered and held in a queue. They are then, in one fell swoop, replayed and the notifications sent out. The OpenRTB flaw allows this collect-then-burst process because the protocol doesn't enforce maximum time limits that would otherwise prevent the delayed release of the fraudulent ads.

5. Businesses Are Also at Risk: These tricks of the trade are making detection and prevention of malvertising difficult for all parties involved in the delivery of an ad. Most companies have higher security than the typical user, but hackers who use stealth techniques such as obfuscation and complex malware delivery processes are circumventing normal security measures.

If an employee is browsing a website from a company computer and happens upon a malicious ad, that computer can be infected, and the infection can then spread to the whole corporate system or network. When that infection spreads, the main site of the company could be infected, among many other possibilities.
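The queue-and-replay behaviour described in item 4 leaves a timing signature an SSP or exchange can look for. The following is an added example, not code from the original post or from the OpenRTB specification; the record layout `(client, bid_id, served_at, notified_at)`, the thresholds and the function names are assumptions chosen for illustration.

```python
from collections import defaultdict

MAX_MARKUP_AGE = 300  # assumed limit (s) between serving markup and its notification
BURST_WINDOW = 10     # assumed span (s) in which stale notifications form one burst
BURST_SIZE = 3        # assumed count of stale notifications that makes a burst

# Constructed records: (client, bid_id, served_at, notified_at), epoch seconds.
SAMPLE_EVENTS = [
    ("client-a", "b1", 1000, 1002),
    ("client-a", "b2", 1060, 1063),
    ("client-b", "b3", 1000, 5000),  # markup held for over an hour
    ("client-b", "b4", 1400, 5001),
    ("client-b", "b5", 2100, 5003),
    ("client-b", "b6", 4990, 5004),  # fresh markup, normal delay
    ("client-c", "b7", 1000, 1900),  # one late notification, no burst
]


def stale_notifications(events, max_age=MAX_MARKUP_AGE):
    """Per client, list (notified_at, bid_id) for notifications older than max_age."""
    stale = defaultdict(list)
    for client, bid_id, served_at, notified_at in events:
        if notified_at - served_at > max_age:
            stale[client].append((notified_at, bid_id))
    return dict(stale)


def replay_bursts(events, window=BURST_WINDOW, size=BURST_SIZE):
    """Return {client: [bid_ids]} where >= size stale notifications land within window s."""
    bursts = {}
    for client, items in stale_notifications(events).items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window` seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= size:
                bursts.setdefault(client, set()).update(b for _, b in items[start:end + 1])
    return {client: sorted(ids) for client, ids in bursts.items()}


if __name__ == "__main__":
    print(replay_bursts(SAMPLE_EVENTS))
```

Enforcing `MAX_MARKUP_AGE` at notification time, by refusing to count an impression whose markup is older than the limit, is the control the paragraph above says the protocol lacks.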

What Can You Do?
At the end of the day, publishers and platforms don’t want to be the medium through which users become infected; their brand and reputation are damaged by these events. Everyone needs their own system of ad security and verification to stop these malicious ads. They also need an ad technology system that is agile and powerful enough to detect malware, as each piece is packaged in a different way. Utilizing a solution like GeoEdge, which does the heavy lifting when it comes to malvertising detection, will pay off in the end.
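One verification step a publisher can run on the VAST/VPAID issue from item 2 is to parse each VAST response and list the media files that are executable ad units rather than plain video. This is an added example, not GeoEdge's code; the sample document, the `example.test` URLs and the function name `scan_vast` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# MIME types that make a MediaFile an executable ad unit rather than plain video.
EXECUTABLE_TYPES = {
    "application/x-shockwave-flash",
    "application/javascript", "application/x-javascript", "text/javascript",
}

# Constructed sample (example.test hosts are placeholders, not real ad servers).
SAMPLE_VAST = """<VAST version="3.0">
 <Ad id="constructed-1"><InLine><Creatives><Creative><Linear><MediaFiles>
  <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example.test/spot.mp4]]></MediaFile>
  <MediaFile delivery="progressive" type="application/x-shockwave-flash" apiFramework="VPAID" width="640" height="360"><![CDATA[https://ads.example.test/unit.swf]]></MediaFile>
 </MediaFiles></Linear></Creative></Creatives></InLine></Ad>
 <Ad id="constructed-2"><Wrapper>
  <VASTAdTagURI><![CDATA[https://ads.example.test/next.xml]]></VASTAdTagURI>
 </Wrapper></Ad>
</VAST>"""


def scan_vast(xml_text):
    """Return (ad_id, reason, url) findings for one VAST document."""
    # VAST needs no DTD; refusing one avoids entity-expansion tricks in the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in VAST")
    root = ET.fromstring(xml_text)
    if root.tag != "VAST":
        raise ValueError("not a VAST document")
    findings = []
    for ad in root.iter("Ad"):
        ad_id = ad.get("id", "?")
        for mf in ad.iter("MediaFile"):
            mime = (mf.get("type") or "").strip().lower()
            api = (mf.get("apiFramework") or "").strip().upper()
            url = (mf.text or "").strip()
            if api == "VPAID":
                findings.append((ad_id, "VPAID executable unit (%s)" % mime, url))
            elif mime in EXECUTABLE_TYPES:
                findings.append((ad_id, "executable MIME type %s" % mime, url))
        # A Wrapper only points at another VAST response, which must be fetched
        # and scanned too before the ad can be called video-only.
        for uri in ad.iter("VASTAdTagURI"):
            findings.append((ad_id, "wrapper, target not inspected", (uri.text or "").strip()))
    return findings


if __name__ == "__main__":
    for finding in scan_vast(SAMPLE_VAST):
        print(finding)
```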
