Through a Scanner Frequently: When Malvertisers Evade the Scanners

Earlier in 2017, savvy publishers and platforms started noticing a gnarly new breed of mobile redirects, one that’s particularly evasive to common-practice malware prevention methods. It’s a new page in the standard playbook malvertisers long ago developed to skirt around the watchdogs in the ad ecosystem, one that allows them to easily slide through the gaps in the armor shielding the publisher and, by extension, the user.

Here’s how it plays out: The ad comes through the pipes looking like any ad, but this one is hyper-aware of its environment, actively analyzing every data point it can access at every stage, and actively hiding while you let it do its thing. When it’s scanned by an ad security vendor, the ad loads a nondescript domain pretending to belong to one of the name-brand measurement platforms we all know. But when that smart piece of JavaScript built into the ad picks up characteristics of a mobile device that it knows the scanners can’t spoof, that “A-OK” measurement script morphs into a user’s worst nightmare: a malicious domain. The bad domain can then pick its favorite attack undisturbed: instead of the measurement script, some will serve a redirect, others may pop up an alert informing the lucky user about a prize, and some try to infect the device directly. Regardless of what the malicious ad is trying to do, one thing we know for sure is that the user isn’t going to be happy—no one ever calls their mother with that funny story of how they got phished!

More Than Just a Nuisance

It’s a wily little trick and not even the most technically sophisticated—just an incremental improvement on bad actors’ well-worn methods that have allowed them to consistently stay ahead of the ad security scanners. The criminals behind this most recent innovation are so confident they had it right that they didn’t stop at the standard one or two platforms to launch their attack—this malicious redirect campaign was spotted in ads coming from eight platforms in the same week.

In the end, we have to remember this is not about annoying the user. Suddenly being directed away from the content you want, to an entirely new page where it appears impossible to x out or return to the previous page is not just a weird cyber-prank—it’s criminal activity.

It’s important, then, we understand what the malvertisers might want to accomplish through mobile redirects. Sometimes the goals are not so severe—the user is sent to the app store, to a particular app—a game, or anything else that costs money. If the user ends up either convinced or forced to download it, the entity behind the redirect gets a cut. In two words, that’s affiliate fraud.

The outright criminal incentives are exponentially more problematic for the user—the user may get a fake notification on their screen that their phone has become infected, telling them they have to download a file, which then actually infects their phone. The most sophisticated criminals go straight for the attack, inserting a script into the browser that tries to steal the user’s personal information if the user is in a logged-in environment. That’s malware, straight up, and it’s a critical security risk publishers run every time they accept an unverified impression from the programmatic open marketplace.

Malvertisers, They Grow Up So Fast

Bad actors in the digital space are very active in mobile right now. Some years back, there was widespread concern about exploit kits targeting the user’s desktop. More recently, over the past two years, ransomware was the threat of the day. Now mobile is where the action is. The smartphone’s browser is overall more secure than the desktop browser and the Flash ad creative the industry used to rely on, though, so now criminals reach the user through phishing: faking an interface and driving the user toward the most damaging actions.

One might expect cost to be a barrier to entry for malvertisers—their activity would presumably be limited by whatever they’d have to pay the platforms for impressions. The intuitive defense for many publishers has been to set floors for bids. But in reality, the more sophisticated malvertisers using redirects seem to be evading paying for impressions, too. As a vendor source explained, it’s all about timing. If the malvertiser triggers the redirect before the platform has a chance to fire its pixel, then they can win the auction with a very high CPM, beating out even premium buyers who would bid on the high side themselves. As long as the bad domain loads before the platform has registered that the ad is loading, the malvertiser can execute their payload freely. So the malvertiser gets their chance to phish the user, doesn’t get charged by the platform, and naturally the publisher doesn’t get paid. No one knows just how many discrepancies are actually intentional!

More Power to the Pubs

Today, the industry has gotten to the point where the publisher has the most incentive to solve this virulent redirect problem, for multiple reasons. For one thing, the publisher bears the brunt of the user’s ire, because most users don’t care that the publisher is just one end of a long and often tangled ad supply chain. Going forth and declaring to your audiences “This is the DSP’s fault!” will have little impact on users who have no idea what a DSP even is. They know you, the publisher, though, and they know their phone got messed up when they went to your site.

For another thing, publishers also bear the most financial burden. Malvertisers rob publishers of revenue they could get from trustworthy, premium buyers. The platforms are still getting paid by their advertiser clients. It’s not as though the platforms overall don’t care. It’s just that where malvertising is a quality control issue for the platforms, it’s a bottom-line revenue issue for publishers.

While there’s been plenty of talk over the years about how quality control in the digital ad industry should be spread out across the supply chain, with the weight borne by everyone involved, publishers have an opportunity to take the lead in this discussion. The impressions and the audience are the publisher’s, and the publisher ought to take ownership of them. From that point, publishers can dictate how the responsibility for malware prevention could or should be distributed up and down the chain.

Also, if publishers are worried about the negative ramifications of making demands of buyers, let’s remember there’s value in premium content, and premium advertisers care about that value. Chase recently cut basically the entire publisher long tail off of the sites they buy from—almost 99% of those pubs—from 400,000 to 5,000. Champion the user experience, get rid of the criminals, and the real advertisers will take their place.

Looking for the Now

But how? As it stands, the prevalent industry solution for malware prevention is to scan ads. There are weaknesses to scanning, though, including three notable ones.

First, scanners can be evaded—as in our earlier example, the domains being served to scanners weren’t the same as those being served to your site. Second, scanning isn’t a real-time solution—it is a sandbox-based sampling process that can only draw conclusions about what it sees, not what your user saw. Third, scanners, by their nature, can only scan, not actually block the bad ads they do detect.

So, though scanning certainly has a place in an overall industry-scaled ad security solution, scanners clearly have limited value for programmatic-enabled publishers. Detecting malware and other security risks pre-auction? Sure, scanners work for that. Blocking mobile redirects once the auction has been won? Nope. When bad actors are aware their behaviors are being scanned for, and as such actively evade the platforms’ detection methods, it becomes pretty obvious scanning is neither comprehensive enough nor fast enough to fully protect publishers in the current programmatic era.

So, let’s back up and acknowledge that as an industry we can’t afford to be less than comprehensive anymore. If the platforms are not delivering on their promise to protect users, publishers need to hold platforms, and therefore themselves, to a higher standard. User experience matters: just go ask your neighbor’s kid which ad blocking software they find most effective. Publishers need the industry to drive home that they demand security and protection for their users, with standards that align with both their short-term and long-term needs.

Get Ahead of the Problem

This starts by identifying the optimum security processes for each layer of the ad ecosystem. Buy side platforms have their own needs and environments, different from exchanges and ad networks, which are in turn different from publishers themselves. One lax publisher with no security controls who drives a user to install an ad blocker hurts the industry just as much as the DSP that let in the bad ad in the first place. Instead of working top down from what the DSP wants, towards the sell side, and eventually to publishers, let’s work backwards from what the ideal publisher solution looks like. That’s pretty straightforward: An ideal solution starts and ends with mobile redirects and other malicious ads being blocked before they affect users, full stop. Scanning may have a role for the buy side pre-auction, and the exchanges in-auction, to verify bids that haven’t won impressions, but if an impression is occurring, the publisher (as the owner of the users’ experience) needs to be able to verify it doesn’t bring any uninvited guests. A real-time, post-auction, impression-level verification is a logical starting point.
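To make concrete what impression-level verification can see that a scanner cannot, here is an added example (not code from the article or from any vendor it mentions) that compares, per creative, the hostnames observed in the sandbox scan with those observed on real devices, and flags the divergence described earlier. The records and their field names (creativeId, env, domains, topNav) are constructed for illustration; in practice the real-device records would come from a publisher-side wrapper around the ad slot.

```javascript
// Added example, not code from the article or any vendor it mentions.
// Impression-level records are constructed; field names (creativeId, env,
// domains, topNav) are assumed for illustration.
//
// Each record describes one rendering of a creative: which third-party
// hostnames it loaded and whether it attempted a top-level navigation
// (the forced redirect) without a user gesture. "scanner" records come
// from the sandbox scan; "mobile"/"desktop" records come from real users.
const observations = [
  { creativeId: 'cr-1001', env: 'scanner', domains: ['cdn.measure-lookalike.test'], topNav: null },
  { creativeId: 'cr-1001', env: 'scanner', domains: ['cdn.measure-lookalike.test'], topNav: null },
  { creativeId: 'cr-1001', env: 'mobile', domains: ['cdn.measure-lookalike.test', 'prize-alert.test'],
    topNav: 'https://prize-alert.test/win' },
  { creativeId: 'cr-1001', env: 'mobile', domains: ['cdn.measure-lookalike.test', 'prize-alert.test'],
    topNav: 'https://prize-alert.test/win' },
  { creativeId: 'cr-2002', env: 'scanner', domains: ['ads.brand-cdn.test'], topNav: null },
  { creativeId: 'cr-2002', env: 'mobile', domains: ['ads.brand-cdn.test'], topNav: null },
  { creativeId: 'cr-2002', env: 'desktop', domains: ['ads.brand-cdn.test'], topNav: null },
];

// Compare what the scanner saw with what real devices saw, per creative.
// Returns one finding per creative whose real-device behaviour diverges.
function findCloakedCreatives(records) {
  const byCreative = new Map();
  for (const r of records) {
    if (!byCreative.has(r.creativeId)) {
      byCreative.set(r.creativeId, { scanner: new Set(), real: new Set(), realTopNav: new Set() });
    }
    const c = byCreative.get(r.creativeId);
    if (r.env === 'scanner') {
      r.domains.forEach((d) => c.scanner.add(d));
    } else {
      r.domains.forEach((d) => c.real.add(d));
      if (r.topNav) c.realTopNav.add(new URL(r.topNav).hostname);
    }
  }
  const findings = [];
  for (const [creativeId, c] of byCreative) {
    // Soft signal: a hostname that only ever appears on real devices.
    const unseenByScanner = [...c.real].filter((d) => !c.scanner.has(d)).sort();
    // Hard signal: an unprompted top-level navigation out of the ad slot.
    const forcedNav = [...c.realTopNav].sort();
    if (unseenByScanner.length || forcedNav.length) {
      findings.push({ creativeId, unseenByScanner, forcedNav });
    }
  }
  return findings;
}

console.log(JSON.stringify(findCloakedCreatives(observations), null, 2));
```

A hostname missing from the scan is only a lead (geo-specific CDNs produce the same pattern), so route it to review; a top-level navigation the user never clicked is the signal a publisher-side wrapper should block and escalate.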

Publishers have been using price floors and vendor partner choice as proxies for effective malware prevention, but neither is a complete solution, and both impact revenue generation. To take on the most dangerous and audacious malvertisers out there, publishers need real-time insights and the ability to effectively block compromised ads—and those are the only capabilities that could help enforce their rightful position as the authoritative drivers of the industry-wide conversation about malware prevention. Coupled with targeted point solutions for pre-auction & in-auction verification, and eventually even open channels to law enforcement, real-time verification could help make the fight proactive rather than reactive. That’s a world in which we, as an industry, are two steps ahead of the malvertising criminals instead of 10 steps behind.

Brian LaRue has been AdMonsters' Staff Writer since the summer of 2015. He arrived at AdMonsters with several years' worth of knowledge of media and advertising tech, having written and edited on behalf of publications and tech vendors alike. Brian has been publishing steadily since high school and cut his teeth professionally at regional alt-weeklies in New England. Being involved in print in the 21st century certainly helped inspire his vocal advocacy of digital media. These days, he lives in Brooklyn, NY, where he pursues several threads of an art-damaged semi-secret life.