The Persistence of Malware

The ever-changing digital advertising ecosystem has one constant: malware. Vigilance is the onus of every publisher, and securing the digital advertising ecosystem is easier said than done.

The malware emergency du jour differs—this year’s phishing scams and scroll jacking could have been last year’s mobile redirects and app auto-installs. Meanwhile, users are losing patience with malware, downloading ad blockers in droves and taking note of the sites where their devices became infected. The tools to combat it have evolved, and there’s a crescendo call to scan for malware at all points along the supply chain, not just at the publisher end. Even TAG released scanning best practices and launched a “Certified Against Malware” program.

As the entire digital ecosystem has become more alert to malware, not only do malvertisers persist, but it seems they’re creating bigger problems than ever. How can these far-flung and seemingly ungovernable bad actors continue to out-wile industry participants?

WITH THE SUPPORT OF The Media Trust
Continuous insight and security for the digital ecosystem.

Now You See It…

Malvertisers’ methods do seem more overt now than they once did. Years ago, a user might accidentally download a virus and never find out. Today’s phishing and mobile page redirects have a more immediate and visceral effect. Phishing requires the user to enter data, and the redirects take over the whole mobile screen, often preventing the user from doing anything but follow the shady link. These are effective tactics for bad actors, but at the cost of consumer experience.

There’s a more evergreen problem: While everyone gives lip service to the idea that preventing malware should be a responsibility shared by all parties across the supply chain, there isn’t really anyone leading the charge. Advertisers and publishers both put faith in intermediaries to keep the ad pipes clean. But those intermediary partners usually aren’t directly incentivized to keep bad actors out, unless their buy- or sell-side partners demand it. A misunderstanding remains that malware is probably someone else’s problem to fix.

The Perils (and Promises) of Pushing Back

Publishers are also culpable when they’re not cautious about selecting ad tech partners. Revenue potential tempts the onboarding of every exchange and network that comes knocking. For smaller pubs, there’s a real revenue risk in turning away partners. But to secure the ecosystem, publishers and advertisers both need to establish relationships with their partners, and to know who their partners’ partners are.

Existing malware prevention models address threats as they emerge—which creates that dreaded Whac-A-Mole effect. The problem is exacerbated when scanners rely on blacklists and third-party malware sources. The ad tech industry may be great at solving the issue at hand, but malware will persist unless we understand its sources. It’s not just the malware, it’s the serving partner who should be terminated.

That’s where publishers can flex some muscle. Without publishers and their ad inventory, tech vendors don’t have a reason to exist. Pubs have the power to hold upstream partners accountable: push your partners to disclose which other vendors they’re working with. This can be revealing. You might find, for example, malware delivered from a third party working with two of your SSP partners. Shutting it down with one SSP won’t necessarily stop it from traversing via the second SSP. Pubs can wield their power by telling both SSPs that the problem vendor’s ads aren’t allowed on their sites until a direct relationship is established. Pubs shouldn’t be deterred from working with new and unfamiliar partners, but they should be ready and willing to turn those partners off in the event of shenanigans.

Every publisher walks a line between “more revenue” and “better user experience,” and the two can feel at odds sometimes. But reports from users need to be taken seriously as they pop up. The habit of waiting for someone to prove they’ve gotten malware from their site is one more reason why malware has persisted and spread.

Malware is serious business. Alerts need to go up the ad serving chain of command, and if the issue is not resolved, pubs need to turn off the offending partner. If several publishers with the same experience follow suit, the partners’ bottom line will reflect publisher displeasure and incentivize a tighter, more thoughtful approach to malware.

Unfortunately, turning off ad partners is easier said than done in a “revenue first” environment. Larger pubs have more resources and more clout to make demands of partners, whereas smaller publishers with fewer resources have more to lose. Turning off ad partners for them may be as much of an existential threat as driving away users. A better strategy may be to work with fewer, more trustworthy partners to drive a cleaner ecosystem.

Run It Up the Flagpole

We don’t need to advise publishers to establish policies around security risks; what publisher doesn’t have them? But these policies aren’t always enforced. A triggered security event may be overlooked because it’s coming from a known partner that delivers significant revenue every month. Or ops teams are so overwhelmed correcting spec-violating ads that they don’t have the bandwidth to deal with every troublesome ad, which opens the door for straight-up malicious content.

Poor policy enforcement allows malvertising to proliferate. Compounding the problem is a general lack of knowledge among ground-level ops people of where to escalate security concerns. Here’s a hint: identify your company’s chief privacy officer, security officer or head of legal affairs, the people whose job is to protect the company.

People in those positions are typically eager to go after security issues. They’re motivated not by revenue, but by ensuring organizational viability and not getting sued.

Ops puts out so many small fires every day that it doesn’t always feel intuitive to consider how these small issues can indicate broader problems that weaken the foundation of an entire business. Security incidents have certainly shaken the foundations of other large companies, though.

In the end, cleaning out the pipes will take work from both sides. The buy side needs to abide by publishers’ policies. Agencies need to know they’re buying from quality publishers, not counterfeit sites, and publishers need to demonstrate they’re delivering legitimate audiences. (Ads.txt is angled to provide transparency to agencies about who they’re buying from, but adoption of the protocol has reportedly been low to date.) Both sides need to communicate directly, not just through verification or measurement systems.
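The ads.txt mechanism mentioned above is a plain text file a publisher hosts listing which ad systems and account IDs are authorized to sell its inventory. The following is an added example, not code from the article or from any vendor it names: a small parser for the published ads.txt record format (ad system domain, publisher account ID, DIRECT or RESELLER, optional certification authority ID, with `#` comments and `key=value` variable lines) plus a check a buyer or ops team could run to confirm a seller is actually authorized. The sample file contents, domains and account IDs are constructed for this example; malformed records are reported rather than silently dropped, since an unparseable line is exactly what a verifier should surface.

```python
"""Parse a publisher's ads.txt and check whether a seller is authorized.

Added illustration, not from the original article. The record format is the
public ads.txt format:
  <ad system domain>, <publisher account id>, <DIRECT|RESELLER>[, <cert authority id>]
with '#' comments and 'key=value' variable lines (e.g. contact=).
All sample contents below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample, as a publisher might host at /ads.txt.
SAMPLE_ADS_TXT = """\
# ads.txt for example-publisher.test (constructed sample)
contact=adops@example-publisher.test
exchange-one.test, pub-1001, DIRECT, abc123def456
exchange-one.test, pub-2002, RESELLER, abc123def456
exchange-two.test, 55443, DIRECT
malformed line without enough fields
exchange-three.test, 9090, PARTNER   # invalid relationship value
"""


@dataclass(frozen=True)
class AdsTxtRecord:
    domain: str
    account_id: str
    relationship: str  # "DIRECT" or "RESELLER"
    cert_authority_id: Optional[str] = None


def parse_ads_txt(text: str) -> tuple[list[AdsTxtRecord], dict[str, str], list[str]]:
    """Return (records, variables, rejected_lines).

    Rejected lines are kept so an ops team can see what was ignored instead of
    trusting a file that may have been edited by hand or tampered with.
    """
    records: list[AdsTxtRecord] = []
    variables: dict[str, str] = {}
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if "=" in line and "," not in line:
            key, _, value = line.partition("=")
            variables[key.strip().lower()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or not all(fields[:3]):
            rejected.append(raw)
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            rejected.append(raw)
            continue
        records.append(AdsTxtRecord(
            domain=fields[0].lower(),
            account_id=fields[1],
            relationship=relationship,
            cert_authority_id=fields[3] if len(fields) > 3 and fields[3] else None,
        ))
    return records, variables, rejected


def is_authorized(records: Iterable[AdsTxtRecord], domain: str, account_id: str,
                  direct_only: bool = False) -> bool:
    """True if (domain, account_id) is listed; optionally require a DIRECT relationship."""
    for r in records:
        if r.domain == domain.lower() and r.account_id == account_id:
            return r.relationship == "DIRECT" or not direct_only
    return False


if __name__ == "__main__":
    recs, variables, bad = parse_ads_txt(SAMPLE_ADS_TXT)
    print(f"{len(recs)} records, variables={variables}, rejected={bad}")
    print("pub-2002 direct?", is_authorized(recs, "exchange-one.test", "pub-2002", direct_only=True))
```

Running this against a real publisher's file would replace `SAMPLE_ADS_TXT` with the fetched `/ads.txt` body; the `direct_only` switch is the check an agency cares about when it wants to know it is buying from the publisher itself rather than a reseller.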

Malvertisers’ Day in Court

Most malware is essentially criminal in nature. But it’s extremely tricky to take malvertisers to court, and the lack of reprisal does not deter bad actors.

Much of the criminal activity in this space happens outside the U.S. The criminals themselves are hiding behind VPNs and data centers. Even when we’re able to track malvertising back to a likely source, extradition is a complicated process.

Furthermore, much of the activity in taking down cybercriminals happens in the international intelligence world, and it’s not heavily publicized. There’s some wariness about publicizing these cases, since many worry it invites hacking and copycat activity.

Law enforcement doesn’t necessarily engage actively with DSPs, SSPs and security vendors to clean up the ad space. Creating a direct line between ad platforms and law enforcement would call for culture changes among digital ecosystem participants. It might take a determined state attorney general to push some of those changes. To that end, we’ve seen the Minnesota AG’s office pursuing cases such as a Latvian malvertiser who set up a fake ad agency (this case was pursued as wire fraud and computer fraud), and a Russian hacker sentenced for computer fraud. Recently, a Brooklyn U.S. Attorney extradited and prosecuted an Italian click fraud operator.

What Happens Next?

The idea of real-time malware detection and prevention has gained traction among publishers. It’s compelling as an alternative to stifling identified threats, but real-time solutions are worthy of scrutiny. If a security vendor is using third-party lists of confirmed malware issues, there’s a risk of missing drive-by attacks that flare up for a few hours and then vanish.

It’s a virtue for a security vendor to detect anomalies, rather than relying on second-source validation to confirm a threat. If the security system sees a domain it’s never seen before, or if it sees an ad delivered by a server the advertiser normally doesn’t use, it can investigate.
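The baseline-and-deviation check described here, as an added example that is not part of the article and is not any vendor’s product: it learns which creative-serving hosts each advertiser has historically used, then flags a new impression whose creative comes from a host nobody has served before, or from a host that is known but unusual for that advertiser. Because it depends only on the publisher’s own serving history and not on a third-party blacklist, it can also catch a short-lived host that a confirmed-malware list would never have time to include. The log format, advertiser IDs and hostnames are constructed for this example.

```python
"""Baseline-and-deviation check over ad-serving log lines.

Added example, not from the original article and not any vendor's product.
Learns which creative-serving hosts each advertiser normally uses, then flags
impressions from a never-seen host or from a host that advertiser does not use.
The log format and every sample line are constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: <timestamp> <advertiser_id> <creative_host>
HISTORICAL_LOG = """\
2024-03-01T10:00:01Z adv-acme cdn.acme-creatives.test
2024-03-01T10:00:05Z adv-acme cdn.acme-creatives.test
2024-03-01T10:01:00Z adv-acme static.acme-creatives.test
2024-03-01T10:02:00Z adv-globex media.globex-ads.test
2024-03-01T10:03:00Z adv-globex media.globex-ads.test
"""

NEW_LOG = """\
2024-03-02T09:00:00Z adv-acme cdn.acme-creatives.test
2024-03-02T09:00:10Z adv-acme media.globex-ads.test
2024-03-02T09:00:20Z adv-globex xq7-landing-b.test
garbage line that does not parse
"""


@dataclass(frozen=True)
class Impression:
    timestamp: str
    advertiser: str
    host: str


@dataclass(frozen=True)
class Alert:
    impression: Impression
    reason: str


def parse_log(text: str) -> list[Impression]:
    """Parse the constructed three-field format; lines that don't fit are skipped."""
    out: list[Impression] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed input is skipped, never trusted
        out.append(Impression(*parts))
    return out


def build_baseline(history: list[Impression]) -> dict[str, set[str]]:
    """Map each advertiser to the set of hosts its creatives have been served from."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for imp in history:
        baseline[imp.advertiser].add(imp.host.lower())
    return dict(baseline)


def detect_anomalies(baseline: dict[str, set[str]], new: list[Impression]) -> list[Alert]:
    """Flag creatives served from hosts outside the advertiser's baseline.

    Two reasons are distinguished because they warrant different triage: a host
    nobody has used before is the stronger signal; a host that is known but
    unusual for this advertiser may be a misconfigured or hijacked tag.
    """
    known_anywhere: set[str] = set().union(*baseline.values()) if baseline else set()
    alerts: list[Alert] = []
    for imp in new:
        host = imp.host.lower()
        if host in baseline.get(imp.advertiser, set()):
            continue  # normal for this advertiser
        if host not in known_anywhere:
            alerts.append(Alert(imp, "never-seen host"))
        else:
            alerts.append(Alert(imp, "host not in advertiser baseline"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(HISTORICAL_LOG))
    for alert in detect_anomalies(base, parse_log(NEW_LOG)):
        print(alert.reason, alert.impression)
```

In practice the baseline would be rebuilt from a rolling window of real serving logs, and each alert would be handed to the ops escalation path discussed earlier rather than acted on automatically; the value of the split between the two reasons is that a never-seen host can be investigated first.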

A predictive security solution can be a proactive measure. In terms of detecting new threats, you’ll want to identify activity that behaves in the same way as previously verified threats.

You’ll also want to make sure you’re identifying users at highest risk for malware attacks among your own audience. For example, malvertisers may target people who appear to be high-worth individuals for ransomware, or users in government capital cities for espionage. Digital security vendors should look at data from multiple ad platforms, because not every user looks the same to every platform.

Malware’s persistence certainly doesn’t make it a lost cause for publishers. If anything, understanding the foundational issues that allow malvertisers to thrive empowers pubs, showing them where to buckle down as they lead the anti-malware charge.

Premium publishers have the audience, inventory, policies and clout to put the heat on all of their partners. But they need to keep the security discussion going over time, because new threats are continuously launched. Ops teams need to run their security concerns right up the chain of command. If publishers’ security officers can team up with government agencies and convince them to pursue legal action, that’s even better.

What’s in it for you?

Tighter security means better user experience, which means more engagement and higher CPMs. Good security itself can require hard decisions about business partners, and it might present some revenue hiccups, but premium publishers need to lead the way. Malware may be persistent, but the industry can work together to minimize the amount that reaches publishers’ sites, which hopefully will reduce the incentive to would-be malvertisers in the first place.