Busting Malvertising Myths – How Malware Enters the Online Advertising Supply-Chain

In the light of recent high-profile malvertising attacks, the adtech industry finds itself at the center of attention with respect to the ongoing malware epidemic. In this article we will cover how, in fact, it is the industry itself that is, to some extent, making malvertising attacks possible.

HOW DOES MALVERTISING ENTER ONLINE ADS?

Malvertising consists of ads that, in addition to delivering the ad creative, also deliver a malicious payload targeting internet users. Using the standard functions of common ad platforms, malvertising can be targeted in many different ways, for example:

individual users (against a cookie)

based on vulnerability (browser, device, software, etc)

audience profile (affluent users, etc)

geography (city, country, region, etc)

organization (based on IP address)

sites or categories of sites (based on domain or IAB tier-1 category)

In all of the cases, the mechanism and process are exactly the same:

1. sign up with a common ad platform

2. create a campaign and upload a creative

3. together with the creative, include custom javascript code

4. wait for the approval of your campaign

5. start the campaign

6. watch how your targets are exposed to your malicious code

To understand how this is possible and how exactly malware can get into the system, we first have to understand how the adtech industry is structured.

The adtech supply-chain is principally made of 5 different stakeholders:

internet users

publishers

exchanges

demand side platforms (DSP)

trading desks / buyers

Out of these, the user is a genuine victim.

The publisher is a minor cause, due to irresponsible behavior in the form of working with too many 3rd-parties (including working with more than one exchange partner to increase yield), not having appropriate policies in place, and allowing 3rd-parties to act as conduits for nth-parties.

Exchanges are a slightly greater cause, due to not having appropriate policies in place and allowing 3rd-parties to act as conduits for nth-parties, not only with respect to tracking but also with respect to redirecting practices.

Demand side platforms are a far greater cause, because they allow virtually any 3rd-party tag to be delivered through their platforms together with ad creatives.

Trading desks and buyers can be split into two cases here: where the trading desk acts as a conduit for the buyer(s), and where the trading desk itself is the buyer. Each of these can be split further: where the trading desk is intentionally engaging in malvertising, and where it is being used as a conduit for malvertising.

In all of these cases, trading desks commonly expect demand side platforms to allow 3rd-party javascript tags to be delivered with ads, even though in most cases they themselves have no idea what is being loaded through those tags. This is a major cause of the wider problem.

In simplistic terms, it is also important to understand how the supply-chain operates in terms of transactions:

1. a user goes to a website

2. the ad exchange tag on the website creates an auction based on step 1

3. demand side platforms participate in the auction

4. demand side platforms create a separate auction based on step 3

5. trading desks bid on the auction created in step 4

6. each demand side platform taking part in the auction created in step 2 sends back the winning bid from the auction created in step 4

7. ad exchanges pick the winner among the demand side platforms based on the bids received in step 6

8. the ad, together with javascript tags, gets displayed to the user

For this process to make sense, we have to remember that at the trading desk level the buyer has already created a campaign in which the creative and the javascript were approved. As part of setting up the campaign, the targeting criteria for bidding had also been set.
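As an added illustration (not code from the original article), the following model runs the two-tier auction above over a constructed set of campaigns, and shows the one check the article implies a demand side platform is missing: a policy over which 3rd-party tags may ride along with a creative. The names Campaign, dsp_auction, exchange_auction, run_example and ALLOWED_TAG_HOSTS are assumptions for this example, not real platform APIs.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical DSP policy (assumption): hosts a 3rd-party tag may be served from.
ALLOWED_TAG_HOSTS = {"tags.approved-vendor.test"}

@dataclass
class Campaign:
    desk: str                                   # trading desk behind the campaign
    bid: float                                  # CPM bid on the DSP's auction
    tags: list = field(default_factory=list)    # 3rd-party javascript tag URLs

def tag_allowed(url: str) -> bool:
    """A tag passes only if its host is on the allowlist (scheme-agnostic)."""
    return (urlparse(url).hostname or "") in ALLOWED_TAG_HOSTS

def dsp_auction(campaigns, enforce):
    """Steps 4-5: the DSP auctions the impression among its trading desks.
    With enforce=False (the status quo the article describes) any tag rides
    along; with enforce=True campaigns carrying unlisted tags are dropped."""
    eligible = [c for c in campaigns
                if not enforce or all(tag_allowed(t) for t in c.tags)]
    return max(eligible, key=lambda c: c.bid, default=None)

def exchange_auction(dsps, enforce):
    """Steps 2, 6, 7: each DSP returns its winner; the exchange picks the highest.
    dsps maps a DSP name to the campaigns bidding through it."""
    winners = {}
    for name, campaigns in dsps.items():
        w = dsp_auction(campaigns, enforce)
        if w is not None:
            winners[name] = w
    if not winners:
        return None
    best = max(winners, key=lambda n: winners[n].bid)
    return best, winners[best]           # what step 8 renders: creative plus tags

# Constructed sample: desk-b outbids everyone but bundles a tag from an unknown host.
SAMPLE_DSPS = {
    "dsp-1": [Campaign("desk-a", 2.10, ["https://tags.approved-vendor.test/v.js"]),
              Campaign("desk-b", 3.75, ["https://unknown-host.test/t.js"])],
    "dsp-2": [Campaign("desk-c", 1.90)],
}

def run_example(enforce):
    return exchange_auction(SAMPLE_DSPS, enforce)

if __name__ == "__main__":
    for mode in (False, True):
        dsp, camp = run_example(mode)
        print(f"enforce={mode}: {dsp} wins via {camp.desk} at {camp.bid}, tags {camp.tags}")
```

Without the policy the highest bidder wins and its unknown tag reaches the user in step 8; with it, the same impression goes to the next eligible bidder.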

There are 4 different modes in which this process takes place:

1. where the publisher is connected with a single exchange and the exchange is not engaged in redirecting between other exchanges (this is very rare)

2. where the publisher is connected to more than one exchange and the exchange is not engaged in redirecting between other exchanges (this may be slightly more common, but still rare)

3. where the publisher is connected with a single exchange and the exchange is engaged in redirecting between other exchanges (this is somewhat more common, but still rare)

4. where the publisher is connected to more than one exchange and the exchange is engaged in redirecting between other exchanges (this is very common)

1. single exchange – no exchange redirects

2. multiple exchanges – no exchange redirects

3. single exchange – exchange redirects

4. multiple exchanges – exchange redirects

The most complex of the four modes in which malware delivery takes place within the online advertising eco-system is also by far the most common, arguably more common than the other three combined. This is indicative of the structural issues that cause the malvertising problem.



ROLES AND RESPONSIBILITIES OF VARIOUS ADTECH COMPANIES