In the war between malvertisers and legitimate advertising networks, the bad guys seems to be winning. Attackers use real-time bidding platforms to place malicious ads on otherwise reputable sites, infect target users and disappear -- often before anyone has even noticed that there's a problem, according to a new report by Fairvax, Vir.-based security firm Invincea, Inc..
Attackers can use the targeting features offered by advertising networks to zero in on victims based on which operating systems and browsers they use, based on their interests, based on their geographic locations, and even based on specific corporate IP ranges.
When the attackers target a wide range of people on a popular website, the malvertising will be noticed and shut down. But if the victims are very narrowly targeted, the attackers can switch out the malvertising for a legitimate ad as soon as their intended victims are infected, and nobody might notice at all.
End users and the companies where work aren't the only victims. The publishers suffer when word gets out that their websites are delivering malicious ads. So do the adverting networks -- not only do they often get paid with stolen credit card numbers, but they also lose out when publishers switch to other networks.
According to Invincea, the malicious ads appear on legitimate sites, so they don't show up on blacklists. Plus, advanced malvertisers have begun using Flash-based exploits that insert code directly into device memory, bypassing malware interception appliances.
The best way to stop malvertising, according to Invincea, is at the source -- preventing bad actors fro purchasing advertising in the first place.
One advertising company doing that is engage:BDR.
"There are all these small bad actors, constantly evolving their practices and trying to trick the system using fraud and lies and technological loopholes," said Ted Dhanik, CEO at Los Angeles-based engage:BDR .
For example, malvertisers would use credit cards that hadn't yet been reported as stolen, pose as people working in companies that engage:BDR already had relationships with.
To combat this problem, engage:BDR implemented a vetting process that involved not only checking into the company buying the ad to ensure that it is a legitimate company, but also on the employee doing the ad buying.
"You have to talk to other people in the company about who the buyer is and whether they actually work there, and can buy from you in an authorized capacity," said Dhanik.
It's in every ad network's best interest to get rid of malicious ads, he said.
"Our publishers are our lifeline," he said. "Malvertising is causing sustainability issues. Companies are going away because of this. If we can get rid of malware, we're all going to be much more sustainable."
Engage:BDR also scans all advertisements for malware, both before they go live, and then on an ongoing basis while they're active. It uses scanning by The Media Trust as well as other services.
After implementing the new policies, instances of malvertising have dropped to zero, reports Invincea.
Engage:BDR is also involved with the Interactive Advertising Bureau's Anti-Malware working Group and is helping to develop industry best practices.