HTML5: a devil in disguise

In today’s digital age, online users have become much more demanding about the quality of the websites or applications they are using. They have come to expect an optimized user experience as a basic requirement and HTML5 has played a key role in enabling developers to improve user experience, without the security risks associated with plugins like Flash. Indeed, after the series of reported Adobe Flash vulnerabilities in recent years, browser vendors, publishers and developers have turned to HTML5, which seemed to promise greater security and more advanced features. As a result, the percentage of websites that use HTML5 has grown to 70 percent.

However, despite HTML5 being universally supported on various devices as well as web and mobile platforms, it has a security issue of its own. Over the last couple of months, The Media Trust Digital & Security Operations team discovered numerous malware incidents that calls into question HTML5’s security reputation.

Hiding in plain sight

The malware uses JavaScript commands to hide within HTML5 creative to avoid detection and is designed to lure victims to enter their information in response to a pop-up ad. Their information will then be stored and used for malicious purposes.

What makes this malware unique is that it breaks into chunks, making it hard to detect, and reassembles when certain conditions are met. This malware is quickly coursing through the digital marketing and media world and is responsible for over 20 separate incidents affecting online media publishers across the globe and at least 15 ad networks.

This attack vector is one of the latest examples of how malware developers are constantly on the lookout for new, creative ways of exploiting the open standards’ basic functionality to launch their attack.

However, this is not the first encounter of HTML5 malware. In 2015, as the retreat from Adobe Flash began, security researchers discovered several techniques attackers could use to take advantage of HTML5 code. Those techniques involved the use of APIs, which in turn employed the same obfuscation-de-obfuscation JavaScript commands in delivering drive-by malware. The following year, the malware was used to freeze computers and secretly obtain user’s personal information, including phone numbers. This year’s incidents are different as they require no interaction with the victim and are designed with a higher level of coordination compared to earlier versions.

Indeed, the campaign reflects the hacker’s knowledge and understanding of the display advertising supply chain and their ability to recognize potential victims. The result is quicker, more successful attacks with a much wider scale of infection.

Throughout the years, no version of the HTML5 malware has been stopped by antivirus solutions.

HTML obfuscation can lead to GDPR and other privacy regulations infractions

The General Data Privacy Regulation in the UK and the myriad of privacy regulations across the United States should give companies pause with the amount of fees that could be imposed as a result of an infraction. Incidents like HTML obfuscation, where the danger is not readily detected and where hackers make off with private data could prove to be the silent bomb waiting to go off.

Hackers are known to target third parties because they often have weaker security in place and are easier to penetrate. Once hackers break through a third party’s security measures, they can enter the client’s secure networks undetected through a trusted connection. Another easy target are online ads, which let hackers spread malware to thousands of users without having to compromise or even infect a website.

The only way website owners can protect their users’ privacy and reduce the company’s digital risk is by actively and continuously monitoring third parties, investigating and addressing any violations of digital policies. This can be achieved by continuously scanning in real time their digital assets for unauthorized third parties and code.

In addition, organizations should share clearly written policies and enforce privacy clauses with their vendors as part of creating a compliance culture within their digital ecosystem. GDPR can impose penalties on an organization and their data processing partner even if the partner is entirely at fault. 

Finally, companies need to lay out an expeditious process that details how they will respond to a breach or to any unauthorized vendor activity when it occurs. Besides a full remediation plan along with a plan for informing customers and reporting the incident, that process should include the immediate termination of any vendor that continues to break policy or clauses after being put on notice. Regulators will take a hard look at what actions companies took in the wake of a breach, how fast they informed the public and what precautions were enlisted before the breach. Those well documented actions could mean the difference between a crippling penalty and a survivable one.