If your website accepts links from third parties -- such as ad networks -- make sure they don't lead to malicious sites

Malicious hackers are now using ad networks to deliver malware to unsuspecting users, most recently to Android users. This sort of attack is not new. But it warrants your attention, especially if you’re in charge of your company’s Web resources.

Many websites link to external ad networks. Advertisers turn to these services to deliver their messages across multiple — sometimes thousands of — websites, typically at low cost. Ad networks are big business, raking in billions of dollars.

Hackers target ad networks in a variety of ways to gain access to unsuspecting viewers. In the early days, hackers would compromise ad elements one by one. Nowadays, hackers realize they can spread malware much faster by compromising the ad network and injecting malicious JavaScript redirects into all ads instead of one or just a few. Such compromises now happen on a daily basis.

Follow the links

The ad networks have caught on and have started checking suspicious ads. In response, hackers now specifically code their redirect websites to show the correct, unadulterated ad. If someone from the ad network performs a spot check, the good ad appears. Hackers can be sneaky.

Hackers have also begun buying legitimate space on ad networks. The bad guys often work from companies that appear to be legitimate; usually they pose as Internet marketers or ad agencies, making it difficult for ad networks to determine what is and isn’t legit. How is an ad network supposed to tell an ad for legitimate antivirus software from an ad for fake antivirus software that actually installs malware?
In fact, some ad networks suss that out and prohibit ads containing questionable content. But the bad guys have an answer for that, too. They pay for a particular number of ad impressions and initially send ads with links to legitimate products. The ad network approves the link, and after a while, the originator swaps out the good link for the rogue one. Again, if the ad agency responds to reports of a bad page, it will be redirected to the original, legitimate ad. It’s a classic game of cat and mouse in the digital age.

The real problem is not just compromised ad networks — it’s potentially any link on a Web page. Popularly visited websites often have dozens or hundreds of objects; usually a large proportion of those objects include links to objects and code outside your organization. External linkage is an area of potential abuse you must evaluate.

In general, the concept is known as transitive trust. If you trust A and A trusts B, then you implicitly end up trusting B, even if you don’t know anything about B.

Map your transitive trusts

All your Web developers and managers should be familiar with the risk of ad network compromise — and the risk of malicious links in general. Education is key. They must understand that each indirectly managed link is an area for potential abuse. But awareness is not enough. Here are four best practices to keep you out of trouble:

1. Create a trust map. Require that all websites under your control have transitive trust maps. That is, every website linking to external content should have that linkage documented and managed. This sort of documentation is best based in a database or spreadsheet so that managers can easily pivot between particular websites and the sites to which they link.

2. Screen your suppliers. Make sure every external link comes from a site or company known to use good security practices.
Some companies go so far as to require external security audits or at least send the external party a security checklist to which they must respond.

3. Know your emergency contacts. Establish a contact at the ad agency or external link provider whom you can call if malicious behavior is reported. You don’t want to scramble for that phone number in the middle of the compromise. You want a person or department you can contact for investigation and remediation 24/7. This one step can be a lifesaver.

4. Seal it with a contract. Add appropriate legal language to contracts with external linkers. Make sure those parties understand what security measures you require and set expectations as precisely as feasible. If possible, include penalties for noncompliance or for damage to your own customers or employees that results from a malicious compromise that should have been foreseen.

The truth is that nearly all, if not all, ad networks have been compromised and will likely endure compromises in the future. Simply saying you won’t do business with them if they suffer a single compromise is like saying you won’t use the Internet if your computer gets a virus. The likelihood of compromise is a fact of life. But if you take a few sensible steps, you can reduce the risk to you and your customers substantially.

This story, “Don’t fall prey to ad networks peddling dicey links,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.
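Best practices 1 and 2 above call for documenting every external linkage and checking it against screened suppliers. The script below is an added example, not code from the article or from InfoWorld: it inventories the third-party origins a page loads code or content from (the "transitive trust map") and flags origins not owned by an approved supplier. The sample page, its hostnames and the supplier list are constructed placeholders.

```python
# Added example, not from the article: inventory the third-party origins a page
# pulls code or content from (a "transitive trust map"), then flag any origin
# not covered by a screened supplier.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes through which a page loads external objects or code.
EXTERNAL_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "link": "href", "embed": "src", "object": "data"}

class TrustMapParser(HTMLParser):
    def __init__(self, site_origin):
        super().__init__()
        self.site_host = urlparse(site_origin).hostname
        self.trust_map = {}  # external host -> set of tags referencing it

    def handle_starttag(self, tag, attrs):
        attr = EXTERNAL_ATTRS.get(tag)
        if not attr:
            return
        url = dict(attrs).get(attr) or ""
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        # Relative and same-origin references are not external linkage.
        if host and host != self.site_host:
            self.trust_map.setdefault(host, set()).add(tag)

def build_trust_map(site_origin, html):
    parser = TrustMapParser(site_origin)
    parser.feed(html)
    return parser.trust_map

def unapproved_origins(trust_map, approved_suppliers):
    """Hosts in the map not owned by a screened supplier (best practice 2)."""
    def approved(host):
        return any(host == s or host.endswith("." + s) for s in approved_suppliers)
    return sorted(h for h in trust_map if not approved(h))

# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.ads-example.test/tag.js"></script>
<link rel="stylesheet" href="https://fonts.example.test/style.css">
</head><body><img src="https://www.example.com/logo.png">
<iframe src="https://widgets.unknown-vendor.test/embed"></iframe>
</body></html>"""
APPROVED_SUPPLIERS = ["ads-example.test", "fonts.example.test"]
```

Run the inventory against each site you control and store the resulting host list in the trust-map database so that any host appearing for the first time is routed to the supplier-screening step.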