Malware menaces poison ads as Google, Yahoo! look away
Booming attack vector offers mass malware distribution, stealthy targeting
"..." – That's what big ad networks say about malvertising
The big ad networks are not talking, but they did in 2014 in a US Senate hearing chaired by one testy Republican John McCain. Google and Microsoft played down the malvertising threat which, then as now, was causing incalculable but immense online carnage.
They said malvertising was less of a threat than regular malware, and offered ultimately misleading metrics about how only a tiny percentage of ads are compromised, rather than the many thousands who are fully compromised when Google servers Angler on YouTube ads.
"Their (ad networks) defence is that 'this is a one percent problem and I don't want to design for it, 99 percent is good enough'," says Spiezle. "But one percent last year was over 15 billion impressions." The Online Trust Alliance formed the Advertising and Content Integrity Working Group to bring in the advertising players to help address the malvertising scourge, but it lacks interest from the big players.
"The challenge is in all candour that the big dominant players aren't willing to come to the table and will contend that they have the problem under control," Spiezle says. "These are the Yahoo!s and Googles of the world, and the impactful trade organisations." Ad networks and exchanges do not have the problem under control, according to Spiezle, and they do not know who their advertisers are, nor what code they are submitting. "Everyone says it's not their fault. The system has a lack of accountability."
Some US researchers believe members of the US Congress already savvy with the malvertising menace are likely to propose legislation to regulate the online advertising industry which they say is an unfortunate but ultimately necessary move when self-regulation fails.
"Unfortunately, there appears to be a lack of transparency within the largest advertising platforms," says one accomplished security pro on the condition of anonymity. "The cause is multi-faceted, but a systematic issue is that there are so many resellers within these advertising networks and no one has basic information on the end customer submitting the ads."
The many loaded external resources for one news site.
The criticisms are sentiments echoed by many experts interviewed for this story; citing the small number of bad ads is fact-fudging because in the wash those bad ads can reach easily 100,000 users in a day.
"Google has something like 3.5 billion searches a day, so what's one percent of that?" says Cisco's Schultz. "That's a lot of damage in a short amount of time. There is a big issue of trust because people's guard is already down."
Abhinav Singh (@abhinavbom) is a threat researcher formerly with Symantec and now at a major investment bank. The fraud and malware boffin joins the chorus of criticism against advertising networks for failing to implement proper security sanitisation checks of advertisement code. "It is the ad networks that are to blame," says Singh. "Their lack of sanitisation checks and security controls allows attackers to inject rogue ads and malicious code in order to convert an ad into a weapon."
Some networks will buddy-up with malvertisers, Singh says, to cash in on lucrative malvertising opportunities. "So its the responsibility of the ad channel owners to protect the rights of the users."
While the ad networks have kept mum, experts are full of recommendations. While the source of the crime points irrefutably to ad networks, big and small, website owners have a part to play in reducing or vetting the sources of content that display on their sites. The Register for its part goes to some length to pull ads from reputable entities.
MalwareBytes' Segura says ad networks need to implement more stringent security and validation measures like extending probation periods for new advertisers to trusted companies, while patching remains a perennial problem in allowing attacks to occur.
"Some of the biggest cases we have seen in the past have involved duping an advertiser that the ad network had already vetted," he says. "Also, another crucial aspect is ad networks' response time to minimise the impact on end users [which] is especially true for rogue advertisers that use a crash-and-burn approach where they know they will get caught and are trying to get as many impressions as they can before it happens."
The increasing deployment of secure sockets layer across ad networks will serve to complicate analysis for researchers to determine the source of attacks in what Segura sees as a "huge issue in the near future".
The unanimity of opinion continues. "Everyone is partly to blame," says Bilogorskiy. "Popular websites still using ads exchanges for monetisation, ignoring the risk to their users. Ad exchanges pass the blame onto other entities in the ad food chain , like ad networks. Ad networks are not filtering their ad creatives completely. Users do not secure their browsers , do not patch their systems and still use broken technologies from the 1990s like Java and Flash. Browsers do not yet disable all of these technologies by default for 'good user experience'."
They say the use of so many and untrusted third parties for big sites needs to end. Some Schultz says should vet and load content from their own domain.