Bad Actors Are Taking Advantage Of Genuine Web Infrastructure To Hide The Spread Of Malware

When people join a browser-based video conference call, their top worry is usually whether their hair looks OK.

But there’s a bigger concern lurking.

WebRTC, the open source technology used by browsers and apps to enable real-time communications over the internet, is being exploited to camouflage the dissemination of malware-infected ads.

Programmatic exchanges appear to be the main and unwitting distribution point for malware spread through the manipulation of the WebRTC protocol, according to Israeli ad security company GeoEdge, which first encountered the scheme in October 2018. About 87% of the attacks observed by GeoEdge have taken place through header bidding auctions outside of a publisher’s primary ad server.

GeoEdge estimates publishers will lose around $325 million in 2019 due to WebRTC malvertising.

Cybersecurity startup DEVCON, which also discovered the WebRTC vulnerability late last year, has noticed a substantial increase in its exploitation over the last two weeks, said company CEO and founder Maggie Louie.

When an advertiser wins a programmatic auction in a legitimate scenario, an ad is served with a Javascript tag to render it.

But with WebRTC malvertising, bad actors misuse the protocol by launching a script that extracts information about a user’s browser, including the local IP address and referring URL, to determine whether a machine belongs to a security researcher or if there’s a verification vendor afoot.

If fraudsters suspect that a session is being monitored for malicious activity, they won’t attack. But if the coast is clear, they insert malicious code into a piece of ad creative – usually one that was just stolen from around the internet – and serve that ad through a legitimate ad exchange.

From there, a user is often forcibly redirected to known spam and phishing sites. (“You just won an Amazon gift card!”)

The practice is particularly tricky to detect and intercept, because traditional domain-based security methods don’t apply, said GeoEdge CEO Amnon Siev.

WebRTC relies on legit third-party servers, known as STUN (SessionTraversal of Utilities for Network Address Translators), to function and power peer-to-peer communication. The servers are also backed and used by valid entities such as Google, Mozilla and Microsoft.

That means the attacks are being launched through a benign entity, and there’s no domain to blacklist. Blocking an entire STUN server would cut off a lot of bona fide activity.

And so GeoEdge uses behavioral heuristics, or analyses, to observe how ad creative performs in the wild.

If something looks amiss, GeoEdge’s manual research team, comprised of former Israeli army security experts, analyzes the code to identify specific exploits or the mechanisms of an attack. GeoEdge uses that information to create a signature for the exploit and block the specific programmatic tag.

Siev claims that six out of the 10 biggest exchanges and supply-side platforms were inadvertent conduits for WebRTC malvertising.

It’s a losing proposition for publishers. When users have a disagreeable or unexpected site experience, it leaves a bad taste in their mouth that they’ll most likely blame on the publisher.

PubGalaxy, a Bulgarian company that runs a programmatic platform for publishers, experiences this worry firsthand, because it also operates the technology website (The site launched in 2001, and PubGalaxy was founded in 2013 to develop monetization tools based on the notion that a publisher knows what a publisher needs.)

“Our primary concern is the experience we provide to our readers. With the escalation of malicious ad attacks, bad user experiences are becoming a true concern for us,” said Ivan Ivanov, who ran biz dev for PhoneArena before becoming COO of PubGalaxy five years ago.

PubGalaxy has its own in-house ad quality team and partners with GeoEdge to block malicious ads. Every time a new type of exploit sneaks onto the scene, it’s a reminder that if there’s a vulnerability, someone will take advantage of it.

“This type of malvertising creates quite a disruption for us,” Ivanov said. “And it’s clear that the attacks will get even more sophisticated in the future.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!