
The Dangers of Digital Advertising


If you allow others to advertise on your blog, be wary of 'malvertising' - malware-infused ads that can infect your readers' machines.


In the Internet age, publishers have moved from the world of offline to the world of online in droves. This has fundamentally changed the way we participate with publishers, engaging with content rather than simply reading it. At the same time, advertising has changed to accommodate the leap in visitors, targeting them by extrinsic as well as intrinsic features. An entire ecosystem of many moving parts has sprung up around advertising to satisfy this ever-increasing need to serve targeted advertising, with publishers as the sellers of ad space (selling inventory) to interested buyers through a series of middle-men and data-enriching technologies. Herein I discuss malicious advertising and how it impacts consumers, but this is by no means the only type of fraud in the industry; others include, but are not limited to, bot traffic, creative stuffing, creative laundering, and generally shady ad buying practices.

First, a primer on ad tech as it exists today. When you visit a website, the publisher makes a request to what’s called an SSP (or Supply-Side Platform) with information regarding you (as much as they have, which may include age, gender, age range, IP, user agent, and so on). From there the request goes on to ad exchanges, and the exchanges contact bidders (DSPs, a.k.a. Demand-Side Platforms). With all of the information the publisher passed on, the DSP makes a decision about what, if any, ad it wants to bid on, and then provides a bid back to the exchange. The winner gets to serve the ad to you. This all happens in less than 100ms (typically).

This programmatic buying has opened the door for anyone to buy ad space on a publisher site, and if you’re not one of the top publishers in the world, then you likely have a series of partners that you work with to place advertising on your site from all different sources. This requires constant vigilance, working directly with these partners to disable bad advertising, like inappropriate content. But there’s another threat that’s been prevalent with this new kind of advertising for years: malicious advertising, branded “malvertising” for short. Bad actors seek to get your customers to download malware, or to redirect them automatically to scam and phishing sites. Even with safe frames, even with bounties, malvertising is still incredibly prevalent, with attackers becoming more and more sophisticated.

In some ways this feels like a cold war, and, as with an antivirus, publishers are looking for malvertising as it appears on their properties, just as an antivirus looks for viruses as files appear on your computer. But to defeat attackers, we must first understand how they find their way onto our websites to begin with. When an SSP goes to buy advertising on behalf of the publisher it doesn’t necessarily care what ad it's buying. There are tons of SSPs and some farm out large portions of their inventory buying power to whoever is willing to fill that ad space. Keep in mind that these companies are all paid for arbitrage (at every step of the process), and if they don’t fill an ad then they don’t get paid. The description I gave for how ad tech works above is the simplest possible path. In reality, SSPs may buy traffic from other SSPs, and so on. This allows bad actors to buy from a ton of sources, switching as often as needed. Now publishers can’t block certain SSPs or even exchanges or DSPs because the bad guys can just switch where they’re coming from. This is estimated to cost publishers $1-2B each year (billion, with a B) in the US alone, which, to be fair, is in part due to consumers using ad blockers (~71% of this), and in part the cost of malvertising incidents (~18.5% of this), as opposed to lost revenue due to the malvertising itself (~10.5%).

While we wait for the industry to mature, malvertisers are taking full advantage, recognizing that there is a closing window for doing this at scale. To maximize profits they are running ads that utilize obfuscated JavaScript or Flash (in banners as well as video ads) to redirect consumers through a half-dozen affiliates (getting paid at each step) and onwards to spam or phishing endpoints. They are likely being paid for every landing page visit to these spam or phishing sites, which are taken down and pop back up again under a new name, sometimes as often as hourly. They are able to switch their entire buying process from SSP to DSP, taking advantage of the many self-service products now available on the market. Some have gone so far as to set up custom infrastructure on AWS that will redirect consumers based on flags in their cookies that have already been set. As a result, a consumer may see four or five legitimate ads before being sent to a phishing or scam website, making it nearly impossible to detect early.

On the publisher side you can lock advertising to safe-frames and create scripts that look for common characteristics of malvertising, but it’s a losing battle. As with antivirus, a number of vendors have popped up to defend publishers against malvertising, like GeoEdge, RiskIQ, and so on. Unfortunately, there are no vendors that specialize in ad fraud that are MRC accredited, the gold standard for advertising, which to date has focused on non-human traffic/bot detection (another highly prevalent issue) rather than malvertising, protecting advertisers and ad buyers more so than publishers and inventory sellers. Most recently, publishers, SSPs, exchanges, DSPs, and vendors have begun to come together to form groups to combat these sorts of issues, like TAG (the Trustworthy Advisory Group), which has laid out plans for information sharing, bot block lists, and a grander scheme to track the purchase of inventory between buyer and seller at each step in the chain. This would allow publishers to identify and eliminate bad links in the chain more quickly, and, more importantly, cut off the cash flow of bad actors.
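
A publisher-side script of the kind described above might look like the following. This is an added example, not code from the original article or from any vendor; the rule set, weights, thresholds and sample creatives are assumptions constructed for illustration.

```javascript
// Added example: heuristic static scan of ad creative markup before it is served.
// Rule ids, weights and thresholds are illustrative assumptions, not a vendor ruleset.
const RULES = [
  { id: 'top-navigation', weight: 3, re: /\b(?:window\.)?(?:top|parent)\.location\b/ },
  { id: 'dynamic-eval', weight: 2, re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { id: 'decode-layer', weight: 1, re: /\b(?:atob|unescape)\s*\(|String\.fromCharCode\s*\(/ },
  { id: 'cookie-read', weight: 1, re: /\bdocument\.cookie\b/ },
];
// Quoted literal of 120+ base64/hex/percent-escaped characters. Inline images
// ("data:image/...") do not match because ':' and ';' are outside the class.
const BLOB_RE = /["'][A-Za-z0-9+\/=%\\]{120,}["']/g;

// Bits per character; packed payloads sit well above repeated padding or plain words.
function shannonEntropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function scanCreative(markup) {
  const hits = RULES.filter(r => r.re.test(markup)).map(r => ({ id: r.id, weight: r.weight }));
  const blobs = markup.match(BLOB_RE) || [];
  if (blobs.some(b => shannonEntropy(b.slice(1, -1)) >= 4.5)) {
    hits.push({ id: 'encoded-blob', weight: 2 });
  }
  // A cookie check next to forced navigation is the "several clean impressions,
  // then redirect" pattern, so the combination scores higher than either alone.
  const ids = new Set(hits.map(h => h.id));
  if (ids.has('cookie-read') && ids.has('top-navigation')) {
    hits.push({ id: 'cookie-gated-redirect', weight: 3 });
  }
  const score = hits.reduce((n, h) => n + h.weight, 0);
  const verdict = score >= 4 ? 'block' : score >= 2 ? 'review' : 'allow';
  return { score, verdict, rules: hits.map(h => h.id) };
}

// Constructed sample creatives (not captured from real campaigns).
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
const SAMPLES = {
  benign: '<a href="https://advertiser.example/"><img src="https://cdn.example/b.png"></a>',
  delayedRedirect: '<script>if (document.cookie.indexOf("seen=4") !== -1) ' +
    '{ top.location.href = "https://landing.example/"; }</script>',
  packed: '<script>var p = "' + B64.repeat(2) + '"; eval(atob(p));</script>',
};

for (const [name, markup] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanCreative(markup)));
}
```

Static matching only sees what the creative markup contains at scan time, so a creative that loads its logic later has to be scanned again on what actually renders.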

The ad tech ecosystem is one of the most complex in the world, and it seems to grow more complex every couple of months (e.g., the advent of header bidding). I’m hoping that in the future the industry catches up to this many-year-old problem in a way that’s satisfying to publishers without having a negative revenue impact all its own. I'm not confident that this will be in the near future; many sites (including the MRC and AdAge) don't even have SSL yet, which shows you just how far we have to go.


Topics:
security, malvertising, security best practices

Opinions expressed by DZone contributors are their own.
