Online Ad Industry Threatened by Security Issues
Voluntary Set of Anti-Malware Guidelines May Not Go Far Enough
The online advertising industry is at an inflection point, and not just from falling ad rates, ad blockers and potential regulation. It's facing a big security problem, and one that - like many internet-scale problems - will demand close industry cooperation to be mitigated.
Cybercriminals have long realized that distributing malicious software through spam emails is getting harder. Botnets that send junk email are tracked and blocked, and spam filters continue to improve. There's a far more powerful alternative: piggybacking on the $50 billion online ad industry.
So-called malvertising is very appealing to cybercriminals because the distribution channel is already in place and will never be shut down. That network - involving thousands of companies worldwide delivering billions of ads daily to websites - is porous and easily infiltrated. Many digital ad distributors don't have the electronic equivalent of a bouncer to keep the riff-raff out.
The scale of the problem is enormous: In just a single month in 2014, Google, which runs one of the most diligent checks on ads, disabled 400,000 ads due to malware concerns.
Earlier this month, a digital ad industry group, the Trustworthy Accountability Group, or TAG, released the first-ever set of guidelines for how ad companies can scan their content to ensure they're not distributing malware. The recommendations are voluntary, but mark an important step forward if the industry wants to keep regulators at bay.
Governments "are starting to understand that the delivery vector for ransomware is the internet - it's not email, it's the web," says Chris Olson, co-founder and CEO of The Media Trust, a security and compliance vendor focused on digital media.
Privacy and data security have become top issues for regulators around the world, which are moving toward stricter laws that govern how companies handle data.
The U.S. Federal Trade Commission is increasingly taking action against companies for failing to protect customers even before a data breach or malware infection and has recently filed 60 enforcement actions. That is worrying the ad industry, which is realizing that change, whether it wants it or not, is on the horizon.
The FTC is even considering whether failing to apply quick security patches may run afoul of the law, Chairwoman Edith Ramirez said in early September.
"Businesses play a critical role in ensuring that they adequately protect consumers' information, particularly as security threats like ransomware escalate," Ramirez said.
The ad industry is also taking note of the European Union's General Data Protection Regulation, which could impose fines of 4 percent of revenue or €20 million ($22.5 million) - whichever is greater - for violations. The GDPR "is finally being paid attention to," Olson says.
One View, One Infection
Merely viewing a malicious ad is enough for a computer to be infected with ransomware, the file-encrypting malware that has proven to be devastating to organizations and users.
When a malicious ad is carried by a high-traffic website, thousands of computers could potentially be exposed and compromised in a short period of time. The malicious ads are eventually detected and removed, but that's only after computers have been exposed.
The better approach is to filter out malicious ads before they're published. But just a handful of large digital advertising suppliers do this.
The technical relationships among ad companies are opaque and complex, which makes stringent quality control nearly impossible. Negligence on the part of one company can have impacts far down the line.
In 2014, a U.S. Senate investigation found that a single visit to a tabloid news site triggered interactions with 352 other web servers, all of which would be potential entry points for sneaky tracking code or malware.
"The online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user's computer through an advertisement," according to the committee's report.
TAG's proposal, Best Practices for Scanning Creative for Malware, would have ad companies diligently screen and re-screen ads, sometimes even hourly.
The goal, in part, is trying to spot when a legitimate ad may have been swapped out for a malicious one after screening. But thorough scans and security could slow the ad industry down, something that is at odds with the highly automated ways ads are bought and placed now in real-time auctions.
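The re-screening idea described above can be sketched as a baseline comparison. This is an added example, not code from TAG's guidelines or from any vendor named in the article; the sample markup, host names, function names and the three drift checks are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: creative markup as it looked when first screened.
APPROVED = ('<a href="https://shop.example/sale">'
            '<img src="https://cdn.adnet.example/banner.png"></a>')
# Constructed sample: the same creative at a later re-screen, now loading
# script from a host that was not present at approval time.
RESCANNED = APPROVED + '<script src="https://static.other-host.example/l.js"></script>'

URL_ATTR = re.compile(r'''(?:src|href)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def fingerprint(markup):
    """Record what a screened creative looked like: hash, hosts, script use."""
    hosts = {urlparse(u).hostname for u in URL_ATTR.findall(markup)}
    hosts.discard(None)  # relative URLs carry no host
    return {
        "sha256": hashlib.sha256(markup.encode("utf-8")).hexdigest(),
        "hosts": hosts,
        "has_script": bool(SCRIPT_TAG.search(markup)),
    }

def rescreen(baseline, current_markup):
    """Compare a re-fetched creative with its approved baseline."""
    current = fingerprint(current_markup)
    findings = []
    if current["sha256"] != baseline["sha256"]:
        findings.append("content-changed")
    new_hosts = sorted(current["hosts"] - baseline["hosts"])
    if new_hosts:
        findings.append("new-hosts:" + ",".join(new_hosts))
    if current["has_script"] and not baseline["has_script"]:
        findings.append("script-introduced")
    return findings

def decision(findings):
    """Hold the creative for a full scan on any drift from the baseline."""
    return "hold-for-scan" if findings else "serve"

if __name__ == "__main__":
    baseline = fingerprint(APPROVED)
    for label, markup in (("unchanged", APPROVED), ("swapped", RESCANNED)):
        found = rescreen(baseline, markup)
        print(label, decision(found), found)
```

A drift check like this only says that something changed since approval; the changed creative still needs a real malware scan before it is served again.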
One big concern revolves around referral tags, which are bits of HTML code that are key to delivering personalized, targeted ads. When someone visits a publisher's website, a tag is sent to an advertising network with information about the user.
The advertising network makes a decision about what ad to deliver, sending a tag back to the browser instructing it to render an ad from a certain URL. The ad itself could come from any number of third parties. Those tags often rapidly change, which poses security issues.
"Because of those capabilities, you have to really be scanning every single [tag] before any of that code starts to be served or executed on the device that pings it," says Craig Spiezle, executive director and president of the Online Trust Alliance. "That's a challenge. It's very hard."
More Work Needed
TAG's recommendations do address some of the main concerns with malicious ads, says Jerome Segura, a security expert with Malwarebytes who has extensively studied malvertising. But he says some risky practices - such as third-party hosting of ads and arbitrage - still appear to be acceptable under the guidelines.
"There is a tough balance between business and security," Segura says. "The ad ecosystem exists the way it does because the rules and guidelines have always been expanded to satisfy the business side, not to reinforce security."
The guidelines also don't address social engineering. Cybercriminals have been known to impersonate known companies and brands in an attempt to do last-minute substitutions of ads. They've also created fake ad companies, complete with bogus LinkedIn profiles for employees, to try to appear legitimate.
"Exploiting the human factor will always have the upper hand, no matter how good your security solutions are," Segura says.
Solving the security problems around online ads would give the industry a more compelling reason to persuade consumers to give up their ad blockers, which threaten their revenue. It's estimated as many as a quarter of web surfers use one.
Most people use ad blockers because they're irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from malvertisements.
The social media site Reddit, which can be a rich traffic source for publishers, warns users about links to content that demands people disable their ad blockers, including content from publishers such as Forbes and Wired.
"Warning! Disabling your ad blocker may open you up to malware infections, malicious cookies and can expose you to unwanted tracker networks," Reddit's warning says. "Proceed with caution."
Many publishers are pushing back, warning users that they can no longer access free content if ad-blocker software is enabled. That forces security-conscious users to make an uncomfortable choice: open up their computer to attacks or forgo the content.
"What you're effectively experiencing is a consumer boycott of advertising," the OTA's Spiezle says. "Right now, all of these issues are marginalizing the ability for publishers to monetize and pay for their content."