Yahoo malvertising breach offers lessons in ad security

A days-long malware attack this month targeting servers used by search giant Yahoo underscores the unique security challenges that continue to face companies transitioning into the digital marketing arena.

The malware, which exploited Java vulnerabilities in ads served on Yahoo sites, affected as many as 27,000 Yahoo users an hour, according to security company Fox-IT. Specifically, the “malvertisements” redirected unsuspecting Yahoo users to sites hosting the Magnitude exploit kit, which is designed to install a variety of trojans and click-fraud malware onto computers.

While malvertising remains a largely silent threat (at least until a major company like Yahoo gets hit), the problem is not something to ignore. According to the Online Trust Alliance, in 2012 there were more than 10 billion ad impressions compromised by malware. Cisco Systems warns that users are 182 times more likely to be infected with malware from bogus ads than from pornography websites.

“Spreading malware over the Web is about traffic volume,” Wayne Huang, vice president at ProofPoint’s Armorize Technologies, recently told Security Week. “Large websites have the volume, but it’s much harder to hack [them]. However, all large websites serve advertisements.”

Seen in this way, digital ads are the perfect device for concealing a cyber-payload. By gaining access to ads served via major dynamic-delivery platforms, malicious actors open up a direct conduit to millions of computer users who would otherwise be unlikely to click on unfamiliar or suspect content. Wrap that payload in a trusted package, however, and the sky is the limit.

Experts say that cybercriminals use a number of different tactics to distribute malvertisements. For instance, they create fake advertisers and agencies to exploit vulnerabilities in the ad supply chain, or hijack the reputation of established brands either by mimicking their content or even by infiltrating agency accounts. According to the OTA, 60% of malvertising involves cybercriminals masquerading as legitimate advertisers or agencies.

Vulnerabilities in ad networks, which often err on the side of efficiency over security, make it easy for exploits to get overlooked. In a panel discussion last summer at the Black Hat security conference, researchers from WhiteHat Security warned about how easy it is for malicious actors to distribute bugs through unsuspecting ad networks. In a chilling demonstration, the researchers embedded JavaScript in display ads and submitted them to advertising networks, ultimately generating 20 million hits on the “infected” content.

So how can companies protect themselves?

In 2010 the OTA formed an Anti-Malvertising Working Task Force to educate advertisers, agencies, publishers and exchanges on the scope of the malvertising problem and best practices for addressing it. Among its set of 16 guidelines, the group recommends:

  • Developing and promoting voluntary best practices and guidelines, including an accreditation/authentication process for new clients and ad agencies.
  • Evaluating and testing all creative using an isolated and sandboxed system or third party service.
  • Thoroughly examining and vetting any creative that includes obfuscated script, and regularly re-evaluating “high-risk” content, such as ads that were created in the past two weeks.
  • Creating an incident response plan to notify affected clients and partners upon the discovery of compromised or fraudulent advertising.

Christopher Moraff is a Philadelphia-based freelance writer who covers politics, media and technology. His work has appeared in The Philadelphia Inquirer, Business Insider, Washington Monthly and Al Jazeera America, among other local and national publications.