Blocking Malicious Ads is Not Enough: Building a Better Mousetrap

This article was written by Niles Rowland, Vice President of Product Management at The Media Trust.

There is a good quote about innovation: “Build a better mousetrap, and the world will beat a path to your door”. Now the fact that we do not immediately buy a cat to deal with rodents today shows this principle in action – we found better solutions to a timeless problem, because the old one didn’t work.

Right now, publishers need a better solution to the problem of malicious advertising, which has reached historic heights, cutting down revenue streams and user trust. In response, some have tried to fix the issue with a solution that is not much better than a band-aid on a head wound.

The Problem with Blockers

Just as cats were once touted to farmers as the ultimate panacea against rodents, blockers have emerged as the de facto remedy against a media ecosystem infested with bad third-party code. The theory behind blockers is simple – stop malware from running on a browser or device, and the work is done.

But just as farmers discovered that mice are smart and learn to dodge cats easily, ad ops are discovering that blockers have a similar effect. These parallels have real consequences: merely blocking bad ads does not make them disappear – in fact, it makes them better and guarantees that they will multiply.

Mice are more agile than cats; malware is more agile than blockers

When sizing them up, cats seem to have the edge on mice: they’re bigger, stronger and have keener senses. But this is an illusion: mice are agile, and agility means they escape.

Similarly, any viable solution for malware must be able to handle polymorphic code and its speedy propagation. By rapidly identifying suspicious behavior before a payload is delivered, it is possible to:

  • Learn new patterns fast. Unique malware vectors are developed every 30 seconds or less.
  • Stop malware’s spread in its tracks by reporting bad partners up the media supply chain.
  • Determine the objective of malicious ads by scanning and analyzing the source code.

The most common blockers in the industry do none of these things, rendering them as unagile as an overfed house cat and impeding their ability to react, respond or collect useful information. 

Mice multiply fast – so does malware

Mice are notorious for their ability to frequently reproduce. Likewise, malware is developed quickly: we discover more than 8,000 new, unique malicious domains each month. And by the time blockers get to them, it’s usually too late.

In our trials, we discovered that blockers are consistently behind malware spread – in some cases, by 2-5 days. This duration exceeds the average lifecycle of malicious code, allowing it to impact thousands of unique properties and visitors.

For blockers today, this sluggishness is fundamentally related to a design flaw: they depend on feeds from public sources which are not updated frequently enough to keep pace with today’s dynamic digital advertising ecosystem. Motivated attackers are aware of these feeds and work quickly to stay ahead of them.

Top-tier publishers are too often the casualties of this flaw, as they were earlier this year during several large-scale incidents like Stegoware-3PC, which – during its short life – managed to avoid alerting blockers to its presence or appearing on any public list.

Cats are predictable – so are blockers

By interacting with cats frequently, mice instinctively learn to dodge them. The situation with blockers is worse, because – unlike mice – malware developers have intelligence, and they can learn exactly how a blocker works at the level of code.

We are therefore not surprised when we encounter malware containing scripts to trick blockers, or simply avoid them. At the end of the day, most blockers are JavaScript-based programs that run in a reader’s browser, not on the publisher’s backend.

Even with advanced obfuscation techniques, it’s no challenge for skilled malware developers to reverse engineer the tools that are meant to obstruct them.

What does a ‘better mousetrap’ mean?

For all their weaknesses and flaws, cats are not completely useless, and they are nice to have around. So are blockers: the first will slow the spread of pests, and the second will – at least in some cases – decrease the number of successful attacks, especially in the short term.

As such, the point of looking for a ‘better mousetrap’ is not to throw the old one away but to improve it. And one improvement would be accurate and timely data, afforded by:

  • Using frequently updated sources. Cycles should be measured in minutes, not days.
  • Human intelligence around the clock to recognize patterns an algorithm can’t identify and provide corrective feedback.

That being said: deciding only to block is choosing to allow malware to spread and reach its target. For a growing number of regulators, this constitutes unacceptable negligence. Assuming there’s a set volume of malware, a lazy malware sender will just switch targets to a website that doesn’t have a blocker. 

So how do we stop that from happening?

Getting to the root of the problem

The state of malware is different today than it was twenty years ago. Back then, we could deal with bad actors on an individual basis. Today, we deal with global cybercrime networks, APT groups, and lone wolves with sophisticated tools and knowledge of the digital ad supply chain.

Unfortunately, they don’t need all these resources in the first place: today, there are hundreds of DSPs, and the price of admission might be as low as $25. For the DSPs, it’s hard to protect downstream partners when any partner can easily take their business elsewhere.

For publishers and their partners, a better solution to this problem comes from a multi-pronged approach that not only reduces the incidence of infection but also tackles it at the root:

  • Share threat intelligence with digital partners
  • Use scanners to find unauthorized domains and code
  • Use blocking to assess how users are affected
  • Have experts to identify obfuscated malicious code across all their partners
  • Cooperate with vendors to catch malware upstream
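Two of the points above lend themselves to a concrete publisher-side check: scanning for third-party code from domains that are not an authorized partner, and measuring whether the block feed being relied on is refreshed in minutes rather than days. The script below is an added example, not The Media Trust’s code; the allowlist, the observed URLs and the timestamps are constructed, and the domain extraction is a simple two-label approximation rather than a Public Suffix List lookup.

```python
"""Minimal publisher-side scanner (added example, not the vendor's tooling).

It takes the resource URLs a page loaded (a constructed sample here), reduces
each to its registrable domain and flags anything outside the allowlist of
partners ad ops has actually contracted with. It also reports whether the
blocklist feed is older than an acceptable refresh cycle, since a feed that
lags by days misses malware whose whole lifecycle is shorter than that.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical allowlist of contracted partners (constructed values).
AUTHORIZED_DOMAINS = {"example-ssp.com", "trusted-cdn.net", "publisher.example"}

# Constructed sample of script/iframe URLs observed while rendering one page.
OBSERVED_URLS = [
    "https://cdn.trusted-cdn.net/lib.js",
    "https://ads.example-ssp.com/serve?slot=top",
    "https://a1b2c3.unknown-tracker.xyz/p.js",   # not a contracted partner
    "http://publisher.example/static/app.js",
]


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname: a rough eTLD+1 approximation.
    A production scanner should use the Public Suffix List instead."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_unauthorized(urls, allowlist=AUTHORIZED_DOMAINS):
    """Return the observed URLs whose registrable domain is not an approved partner."""
    return [u for u in urls if registrable_domain(u) not in allowlist]


def feed_is_stale(updated_iso: str, now_iso: str, max_age_minutes: int = 30) -> bool:
    """True when the block feed's last update is older than the allowed cycle."""
    updated = datetime.fromisoformat(updated_iso)
    now = datetime.fromisoformat(now_iso)
    return now - updated > timedelta(minutes=max_age_minutes)


if __name__ == "__main__":
    for u in find_unauthorized(OBSERVED_URLS):
        print("unauthorized third-party code:", u)
    # Constructed timestamps: a feed last refreshed three days ago.
    print("feed stale:", feed_is_stale("2019-06-01T12:00:00+00:00",
                                       "2019-06-04T12:00:00+00:00"))
```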

In the end, it turns out that a better mousetrap for malware isn’t a single thing: it’s an approach that combines multiple aspects of accountability, good communication and due diligence.