How new ad formats are opening the door to new threats

The nemesis of the office IT professional is no longer spam email. Today, it’s advertising.

How did digital ads become the next biggest threat to web security? New formats like video and native pull together a ton of different assets to create a single user’s experience. Hitching a ride on any one of those assets is a simple feat for malicious code.

The rise of what’s now referred to as “malvertising” sits at the confluence of these new formats and the new ways to serve them like header bidding (which makes use of tags that are just as vulnerable). And the symptoms are familiar, but no less devastating to consumers or corporate networks: viruses, phishing attacks, keystroke loggers and more.

Worst case scenario? Advertisers see non-performing campaigns, a proliferation of bots and a broken relationship with their consumers. How has this been happening for so long right under our noses?

Video as a trojan horse

The newest ad formats are rich. They’re complex. There are many, many moving parts. And all of this makes them particularly enticing to malware developers. Take the example of a typical video ad placement.

“There’s the introduction of a whole additional set of objects,” said Chris Olson, co-founder and CEO of The Media Trust. “One of them is a video player. The video player is just a piece of code; it’s hackable.”

“Then within the video structure, it introduces a video creative and all the pieces that go along with it, which means that there are multiple entry points for malware to penetrate and unwittingly be served.” All it takes is for one snippet of malicious code to latch onto any one of those pieces, slip in through any one of those entry points, and the user (and potentially the entire enterprise network) is compromised. The growth in sophistication around distribution and targeting has helped rather than hindered the spread of malvertising.

“The more targeting capabilities there are, the easier it is to hide [the malware],” said Olson. “It also means that they can target very specific constituencies, which means if you’re not scanning the creative as a particular constituent, you’re not going to realize it’s bad.”

Mea culpa?

So who’s left holding the buck in an ecosystem that’s ever more integrated? It starts with the point where consumers and the ads cross paths.

“The publisher has to do it,” said Olson. “There’s no way for them to know, today, who all of the advertisers are that are going to run on their site.” A scan of all creative running on their platform will help alert them to any ads harboring potential cyber criminals.

But it doesn’t stop there. Ad exchanges and demand platforms have skin in the game (and some of the weight on their shoulders) if they’re doing anything to modify ads that are being served, from adding additional data layers to tagging them to track performance. The same goes for the advertisers themselves.

“If an advertiser hands a creative off to a demand platform and they’re adding their own analytics or other counting mechanism, then they need to be scanning as well, because the creative is going to behave differently once the creative is modified.”

Unfortunately, as it stands, no one is picking up the slack, and malware keeps slipping through the cracks. Advertisers go to great lengths to make sure their creative run as ordered but most advertisers do not thoroughly check creative and landing pages for purity.

It’s a matter of timing

Many trusted advertisers, including Fortune 500 companies, have the mistaken belief that because their ads are sent to the exchanges clean, consumers have a clean advertising experience.

But, as Olson pointed out, “That isn’t the case. Outside parties, or other platforms are used to create media campaigns quickly in formats that can be easily compromised.  And, no one thinks about landing pages. Each element, from creative to ad tags to landing pages, must be reviewed by media buyers ahead of and during campaign life.

It really is all about the timing. An initial scan before the creative launches will rarely catch the harmful stowaway elements that are added later. “Malware and advertising almost never happens at campaign launch. It’s going to happen an hour, a day, five weeks or a year later once [the malware developer is] confident that they’re getting broad reach.

“So that individual first scan, though useful from a creative QA perspective, is not a panacea from a security perspective.”

Will ad blocking save the day? No.

Needless to say, concern over malvertising is driving consumers and enterprises alike to seek shelter behind the wall of another (very different) industry threat: ad blockers.

“Security routinely comes up and consumers are afraid of that,” said Olson. But the measure may be somewhat misguided. “Enterprises and those on the corporate side believe that by shutting off ads, they’re going to be safe. But ad blockers do not stop all malware delivery.”
Besides, advertisers are finding more and more ways to get around the ad blockers themselves, adding to the false sense of security currently lulling consumers and companies into inaction. And inaction in the face of a threat like this can be deadly for a business on either the sending or receiving end of a malvertising attack.

As an industry, it’s imperative that we continue to innovate, developing new formats to drive revenue. But it’s equally important that we close the gaps in these new formats that expose users to harm.

Author

  • The Media Trust works with the world’s largest, most-heavily trafficked digital properties and their upstream partners to provide real-time security, first-party data privacy, performance management and quality assurance solutions that help protect, monetize and optimize the user experience across desktop, smartphone, tablet and gaming devices. As the global leader in monitoring the online and mobile ecosystems, The Media Trust leverages a physical presence in 500 cities across 65 countries to continuously scan websites, ad tags and mobile apps and alert on violations affecting websites and visitors alike. More than 500 enterprises, media publishers, ad networks/ exchanges, and agencies—including 40 of comScore's AdFocus Top 50 websites—rely on The Media Trust to protect their website, their employee internet use, their revenue and, most importantly, their brand.

https://staging.digiday.com/?p=194622
Ad rendering preventing in staging

Ad position: web_bfu