When blockers stumble: Where malvertising solutions come up short

Malware blockers are not the perfect solution some publishers might think they are. Recently, The Media Trust Digital Security & Operations (DSO) team prevented bad ads from executing on a publisher’s website, protecting their audience of 900,000 per week from infection. The client had recently begun to use a malware blocking solution to stop bad creatives from being served, but they would soon discover that these solutions alone would not completely solve their malvertising problem.

Obfuscation: how malware slipped through the blocker’s cracks

To understand this problem further, let’s take a look at a recent example involving a known malicious domain called “dq6375rwn2aoi.cloudfront.net”, likely to be found on a public, open source or third-party list of domains to watch out for. Yet this domain was able to slip past the malware blocker in place because it was disguised in a cloak of additional code that made it unrecognizable and unreadable, a frequently-used process called obfuscation. (See Figure 1.)


(Figure 1)


(Figure 2)

However, scanning the publisher’s ads enabled the DSO team to quickly identify the malware and work with the client to terminate the ads and their source. The team’s analysis of the malware’s infection path shows that once the code executes, it calls “d2bqvm6ajgzddu.cloudfront.net” within the publisher’s website. Next, the malware redirects and presents the infected user with a fake “you’ve won” pop-up that prompts them to claim their reward. (See Figure 2.) When users click “OK”, they are taken to a website that prompts them to provide personally-identifying information (PII), such as name, email and telephone.

In one day alone, the team uncovered similar obfuscated malware executing in 16 other clients’ websites that used the same malware blocking solution.

Blockers: a narrow solution to a broader problem

Some publishers and platform providers intent on avoiding bad ads have resorted to blocking technologies that promise convenience, but this convenience comes at a cost. These commercial blocking solutions consist of scripts designed to detect and obstruct malicious domains and are often installed in a content delivery network.

Clients’ experiences show that blockers provide only a partial solution to the problem of bad ads. There are several reasons. First, at least 90% of malware used in malicious mobile redirects are obfuscated so they can elude blockers, and that percentage is growing as bad actors develop new obfuscation techniques. Second, malware developers often include code that can identify and work around specific providers’ tools. If the malware detects the presence of a known provider’s tool, it will change tack and behave differently. Finally, blockers often use third-party malware data whose currency diminishes by the minute as new malware is introduced into the ecosystem. In fact, the DSO team finds new attacks at a pace of at least one every 30 seconds and classifies at least 5,000 new active malicious domains each month.

According to The Media Trust’s analysis, third-party malware data sources take an average of three to five days to identify and record malware. As a result, by the time a third-party filter is updated, at least 8,600 attacks could have occurred over a three-day period: that’s 14,400 attacks over the course of five days. A single attack can affect anywhere from one to millions of devices.

These numbers show why malware has a significant advantage over commercial blockers. People write malware; machines block them. For blockers to fully match the complexity and sophistication of the malware that hits the ecosystem, they would need to be able to think, recognize and anticipate new patterns of obfuscation and make decisions — rather than follow instructions, which would have to spell out in precise terms every new pattern that emerges. In other words, blockers would have to be as agile, knowledgeable and innovative as malware developers whose growing array of products they are designed to thwart.

Tackling malvertising

Until machines can go toe-to-toe with intelligent programmers, companies should supplement a blocking solution with other measures to reduce their digital risk, be it legal, security or privacy. They should implement a multipronged approach, where a blocker is one among several tools for securing a company’s digital assets and ensuring the privacy of users’ data.

A large part of managing digital risk is collaborating with all of the third parties who support the functions and features of a company’s digital assets. Doing so will involve frequent security audits, sharing and enforcing digital policies, and terminating third parties that fail to align with policies. Third parties with trusted connections to clients’ networks are often the targets of hackers, hoping to break through their weaker security measures.

Second, companies should ensure that periods between updates of the data the blocker uses is short. Ideally, making sure that the malware blocker uses a list that updates as soon as new malware is identified. Third, they should continuously scan their digital assets in real time for unauthorized actors and activities. In the digital ad space, new actors appear in digital ecosystems on a daily basis and, along with authorized parties, can (unintentionally or not) introduce new threats.

Malvertising is not a simple problem. Nor should it be addressed with a simple solution. In both the short and long-run, a comprehensive solution will be the most rewarding for both publishers and their audiences.

https://digiday.com/?p=309245

More from Digiday

At the Las Vegas Grand Prix, Mastercard joins a pack of consumer brands flocking to Formula One

For marketers looking to align their brands with F1’s expanded appeal to audiences, the Las Vegas Grand Prix is providing a slip road into the sport.

News publishers may be flocking to Bluesky, but many aren’t leaving X

The Guardian and NPR have left X, but don’t expect a wave of publishers to follow suit. Execs said the platform is still useful for some traffic and engaging with fandoms – despite its toxicity.

Buying with bots: AI search raises the bar for tailored shopping and transparency

AI search platforms like Perplexity and Amazon are adding new ways to shop, but where do the generated recommendations come from?