Publishers Harm Consumers, Advertisers And Themselves By Leaving Programmatic Ad Slots Unsecured


Confiant, an advertising technology company focused on ad quality and security, just published research [1] on the quality and security of programmatic ads observed over the course of 2020. Over 650 billion ad impressions served on approximately 40,000 mainstream websites were part of the study. In more common terms, they study “malvertising” — malicious ads served into programmatic ad slots on mainstream publishers’ pages. For the most part this study excludes porn sites, pirated video and audio sites, and download and torrent sites (collectively “non-mainstream” sites) which consumers should recognize as inherently higher risk. 


Putting Consumers At Risk

Consumers typically experience malvertising as tech support scams or sweepstakes scams that pop up and cover the entire screen of their device (see screen shots below, from the Confiant report). Clicking anywhere will initiate the malicious code that attempts to plant malware on the device or compromise it in other ways. The reason this type of exploit works well and continues to be used by hackers and scammers is that the consumer believes it came from the mainstream site they were visiting.

For example, if a consumer were visiting usatoday.com and got a T-Mobile sweepstakes popup on their device, they are likely to think it’s real, click on it, and thus get compromised. Most of the malware stays hidden so it can harvest the users’ personal information like logins and passwords and also make money via ad fraud — loading ads continuously in the background. In some cases, the malware fries the users’ devices; but the user will be mad at the mainstream publisher because they “got the virus” while visiting the mainstream publisher’s site.

Malvertising code is also very advanced. The malicious activity does not trigger when it detects it is in a malware researcher’s test environment; it triggers when it can confirm it is on a real human’s device (for example when motion and orientation are detected via the device’s gyroscope and accelerometer sensors). The code also loads malicious payloads specific to the type of device, browser, and operating system — e.g. it loads Android-compromising code when it detects the device is an Android device, or it loads Internet Explorer specific exploits when that is the browser that is detected. Furthermore, the malicious ads are targeted very specifically at individual humans, so it is extremely difficult for malware researchers to even observe these ads in the wild. For example, hackers have high success targeting individual people who have previously paid ransoms, because they are more likely to pay again if compromised again.


Putting Advertisers At Risk

These malicious ads “infect” mainstream publishers’ sites because the sites have UNsecured programmatic ad slots on the page. These are the iframes (“tiny windows”) on the page into which the ads are served. The publisher does not know ahead of time what ad will be served into the ad slot. They also don’t know which advertiser will be sending the ad. This is because in real-time bidding (RTB) the ad slot calls out for bids when it becomes available. Various advertisers (buyers) bid on the opportunity to show their ad; and whoever wins that bid gets the right to serve their ad into the slot. 

Malware writers act as an advertiser in this case. They use one of dozens of DSPs to place their bids and ads. So it is typically very difficult for malware researchers to track down where these malicious ads entered the supply chain. The bad actors might even bid very high CPMs for an ad opportunity if they see it is a specific cookie/user or type of user they are trying to target — e.g. the user who is vulnerable to another ransomware attack. They can afford to bid very high because they don’t need many ad impressions. These attack operations are surgical, not “spray-and-pray” like typical brand advertisers. Again, because these attacks are so surgically placed, they are literally needles in a huge programmatic haystack of hundreds of billions of bids and ad impressions, making it extremely difficult for malware researchers to find “in the wild.”

When the malicious code is delivered into the mainstream publishers’ pages, it activates when the conditions are right, and it spawns the pop-up, pop-under, screen takeover, or forced redirect that is the first step in compromising the user. This action also takes the user somewhere else and leaves all of the other advertisers’ ads on the page without any possibility of user engagement (e.g. clicks). This further reduces what advertisers think is success, the number of clicks, leading them to question why “engagement” on the mainstream publishers’ sites is so low compared to fraudulent sites (that use bots to click on ads and create the illusion of high “engagement” on the fake sites). Advertisers are thus tricked into spending less on mainstream publishers’ sites and allocate more dollars to fake and fraudulent sites that show higher clicks. 


Putting Themselves (the Publishers) At Risk

All of the above is possible because publishers have not secured the ad slots on their pages. There are simple ways to do this: 1) using iframe sandbox parameters, which are standard in JavaScript code, or 2) using SafeFrames, a standard for securing ad iframes to reduce the malicious actions described above. If mainstream publishers have not properly secured the programmatic ad slots on their pages, all of the harmful activity described above can come in through these unsecured ad slots; there are literally no barriers at all. Those publishers who have not secured their ad slots are leaving themselves vulnerable and putting their advertisers and consumers at risk.

This is one of the reasons consumers use ad blockers. Not only do they block the ads, the act of ad blocking also protects them from compromise via malicious ads. But this is a deadly downward spiral because publishers that leave ad slots unsecured increase the odds of more consumers deploying more ad blockers, which further reduces the publishers’ own ad revenues. Not only is it a good idea to secure ad slots to protect consumers and advertisers, it also makes business sense for the publisher to avoid further downward pressure on their own ad revenues. This doesn’t even take into account the reputational harm to the publisher when consumers think they “got the virus” from that publisher; the consumers don’t realize they got compromised by a hacker deploying malicious code inside an ad that got served into the publisher’s page. The pissed consumers may never come back to the publisher’s site. 

There are many more technical exploits that are possible because ad slots are unsecured — for example malicious code harvesting user logins, recording interaction events like mouse movements and clicks on the parent page, or plagiarizing the publishers’ content for use in creating hundreds of fake sites with remixed content for ad fraud. Detailed research by Deepsee shows a specific type of exploit that remains rampant in the wild — affiliate fraud via cookie stuffing. 


So What?

Publishers, yeah all the mainstream ones, can do more to secure the programmatic ad slots on their own pages. At the very least, putting some kind of iframe sandboxing will help deter the simplest malvertising exploits that compromise the publishers’ own visitors and advertisers. Advertisers should also demand that the publishers that carry their ads properly secure the ad slots so that malicious actors are less able to hijack the user and negatively impact the performance of advertisers’ campaigns.
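The iframe sandboxing recommended here and in the “Putting Themselves” section above is, concretely, the HTML `sandbox` attribute on the ad iframe (it can be set or inspected from JavaScript). The following is an added example, not code from the article or from Confiant: a small audit that a publisher could run over its own ad slots to flag sandbox settings that still allow forced redirects, screen takeovers, or access to the parent page. The token-to-harm mapping, the assumed baseline value, and the sample slots are all constructed for illustration.

```javascript
// Added example, not code from the article or from Confiant: it audits the
// sandbox tokens of programmatic ad iframes and flags the capabilities that
// enable the harms described above (forced redirects, pop-unders, access to
// the parent page). Pure functions, so it runs under Node without a DOM; on
// a live page you would feed it the iframes from document.querySelectorAll.

// Tokens that hand a third-party ad the capabilities malvertising relies on.
const RISKY_TOKENS = {
  "allow-top-navigation": "ad can force-redirect the whole page",
  "allow-top-navigation-by-user-activation": "ad can redirect the page on a click",
  "allow-same-origin": "ad keeps the publisher origin (cookies, parent DOM)",
  "allow-modals": "ad can show alert()/confirm() screen takeovers",
};

// Assumed baseline for an ad slot: scripts run and an ad click may open its
// landing page in a new tab, but the ad cannot touch the parent page.
const BASELINE_SANDBOX = "allow-scripts allow-popups allow-popups-to-escape-sandbox";

// sandboxValue is null when the attribute is absent; "" means fully locked.
// Returns { secured, findings } listing each risky capability still granted.
function auditAdSlot(sandboxValue) {
  if (sandboxValue == null) {
    return { secured: false, findings: ["no sandbox attribute: no restrictions at all"] };
  }
  const tokens = new Set(sandboxValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
  const findings = [];
  for (const [token, why] of Object.entries(RISKY_TOKENS)) {
    if (tokens.has(token)) findings.push(`${token}: ${why}`);
  }
  // With both tokens, same-origin frame content can simply delete its own sandbox.
  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push("allow-scripts + allow-same-origin: sandbox escapable by same-origin content");
  }
  return { secured: findings.length === 0, findings };
}

// Audit {id, sandbox} slot descriptors and return only the insecure ones.
function auditPage(slots) {
  return slots.map((s) => ({ id: s.id, ...auditAdSlot(s.sandbox) })).filter((r) => !r.secured);
}

// Constructed sample: three ad slots as a publisher page might carry them.
const SAMPLE_SLOTS = [
  { id: "leaderboard", sandbox: null },
  { id: "sidebar", sandbox: "allow-scripts allow-same-origin allow-top-navigation" },
  { id: "in-article", sandbox: BASELINE_SANDBOX },
];

console.log(JSON.stringify(auditPage(SAMPLE_SLOTS), null, 2));
```

Only the unsandboxed leaderboard and the over-permissive sidebar slot are reported; the in-article slot on the baseline passes.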
