



HTML5: a devil in disguise

Jul 16, 2018 | 4 mins
Compliance, Data and Information Security, Malware

HTML5 is not the security safe haven it was once thought to be.


In today’s digital age, online users have become much more demanding about the quality of the websites or applications they are using. They have come to expect an optimized user experience as a basic requirement and HTML5 has played a key role in enabling developers to improve user experience, without the security risks associated with plugins like Flash. Indeed, after the series of reported Adobe Flash vulnerabilities in recent years, browser vendors, publishers and developers have turned to HTML5, which seemed to promise greater security and more advanced features. As a result, the percentage of websites that use HTML5 has grown to 70 percent.

However, despite HTML5 being universally supported on various devices as well as web and mobile platforms, it has a security issue of its own. Over the last couple of months, The Media Trust Digital & Security Operations team discovered numerous malware incidents that call into question HTML5’s security reputation.

Hiding in plain sight

The malware uses JavaScript commands to hide within HTML5 creative to avoid detection and is designed to lure victims to enter their information in response to a pop-up ad. Their information will then be stored and used for malicious purposes.

What makes this malware unique is that it breaks into chunks, making it hard to detect, and reassembles when certain conditions are met. This malware is quickly coursing through the digital marketing and media world and is responsible for over 20 separate incidents affecting online media publishers across the globe and at least 15 ad networks.

This attack vector is one of the latest examples of how malware developers are constantly on the lookout for new, creative ways of exploiting the open standards’ basic functionality to launch their attack.

However, this is not the first encounter with HTML5 malware. In 2015, as the retreat from Adobe Flash began, security researchers discovered several techniques attackers could use to take advantage of HTML5 code. Those techniques involved the use of APIs, which in turn employed the same obfuscation-de-obfuscation JavaScript commands in delivering drive-by malware. The following year, the malware was used to freeze computers and secretly obtain users’ personal information, including phone numbers. This year’s incidents are different as they require no interaction with the victim and are designed with a higher level of coordination compared to earlier versions.

Indeed, the campaign reflects the hackers’ knowledge and understanding of the display advertising supply chain and their ability to recognize potential victims. The result is quicker, more successful attacks with a much wider scale of infection.

Throughout the years, no version of the HTML5 malware has been stopped by antivirus solutions.

HTML obfuscation can lead to GDPR and other privacy regulation infractions

The General Data Privacy Regulation in the UK and the myriad of privacy regulations across the United States should give companies pause with the amount of fees that could be imposed as a result of an infraction. Incidents like HTML obfuscation, where the danger is not readily detected and where hackers make off with private data, could prove to be the silent bomb waiting to go off.

Hackers are known to target third parties because they often have weaker security in place and are easier to penetrate. Once hackers break through a third party’s security measures, they can enter the client’s secure networks undetected through a trusted connection. Online ads are another easy target: they let hackers spread malware to thousands of users without having to compromise or even infect a website.

The only way website owners can protect their users’ privacy and reduce the company’s digital risk is by actively and continuously monitoring third parties, investigating and addressing any violations of digital policies. This can be achieved by continuously scanning their digital assets in real time for unauthorized third parties and code.
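One way such a scan can look, as an added example that is not from the article or from The Media Trust: it inventories the hosts an HTML5 creative loads code and content from, compares them with an approved list, and flags inline JavaScript that assembles or decodes code at run time. The host names, the marker list and the sample creative are assumptions constructed for illustration; a static check like this only shows that such primitives are present and does not replace monitoring the creative as it executes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this publisher has approved to serve code in its ad slots.
ALLOWED_HOSTS = {"cdn.publisher.example", "ads.partner.example"}

# Heuristic markers of code built or decoded at run time (not exhaustive).
DYNAMIC_CODE = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bnew\s+Function\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "atob": re.compile(r"\batob\s*\("),
}

# Constructed sample creative: one approved host, one unknown host, and an
# inline script that joins string fragments before evaluating them.
SAMPLE = """<div id="ad"><script src="https://cdn.publisher.example/render.js"></script>
<script src="//static.unknown-vendor.example/t.js"></script>
<script>var parts = ["con", "sole.log('ad')"]; eval(parts.join(""));</script></div>"""

class CreativeAudit(HTMLParser):
    """Collects external resource hosts and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.hosts, self.inline, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "img") and src:
            host = urlparse(src).hostname  # None for relative URLs
            if host:
                self.hosts.add(host)
        self._in_script = tag == "script" and not src

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit(html):
    """Return hosts outside the allowlist and dynamic-code markers found."""
    parser = CreativeAudit()
    parser.feed(html)
    parser.close()
    code = "\n".join(parser.inline)
    found = sorted(name for name, rx in DYNAMIC_CODE.items() if rx.search(code))
    return {"unauthorized_hosts": sorted(parser.hosts - ALLOWED_HOSTS),
            "dynamic_code": found}
```

Running `audit` on each creative whenever it changes, and alerting on any non-empty field, turns the allowlist into an enforceable digital policy.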

In addition, organizations should share clearly written policies and enforce privacy clauses with their vendors as part of creating a compliance culture within their digital ecosystem. GDPR can impose penalties on an organization and their data processing partner even if the partner is entirely at fault. 

Finally, companies need to lay out an expeditious process that details how they will respond to a breach or to any unauthorized vendor activity when it occurs. Besides a full remediation plan along with a plan for informing customers and reporting the incident, that process should include the immediate termination of any vendor that continues to break policy or clauses after being put on notice. Regulators will take a hard look at what actions companies took in the wake of a breach, how fast they informed the public and what precautions were enlisted before the breach. Those well-documented actions could mean the difference between a crippling penalty and a survivable one.


Chris Olson co-founded The Media Trust with a goal to transform the internet experience by creating better digital ecosystems to govern assets, connect partners and enable digital risk management. As CEO, Olson drives the company's vision, direction and growth plans. He has more than 15 years of experience leading high tech and ad technology start-ups and managing international software development, product and sales teams.

Prior to The Media Trust, Chris created an Internet-based transaction system to research, buy and sell media for TV, radio, cable, and online channels. He started his career managing equity and fixed income electronic trading desks for Salomon Brothers, Citibank and Commerzbank AG.

Chris regularly speaks about cybersecurity trends and best practices at industry events, including events hosted by the Financial, Media, and Retail & Commercial ISACs. He earned his B.S. degree in Finance and International Business from Georgetown University and Executive MBA in Finance and Information Systems from the NYU Stern School of Business.

The opinions expressed in this blog are those of Chris Olson and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.