Malvertising: Federal Support is Coming

Secret Service paying attention to malvertising

 

Within the past 12 months, the U.S. government successfully apprehended individuals who have long manipulated digital advertising to distribute malware through major brands. The arrest of a Ukrainian malvertiser and takedown of 3ve fraud network herald progress for safeguarding the digital advertising industry. Unfortunately, these were only two large-scale malware incidents in a sea of thousands. There’s more work to be done and making a dent in malvertising’s success will take more collaboration among authorities, publishers and their technology partners. And federal authorities are paying attention.

“Malvertising continues to be one of the most pervasive, costly, and rapidly evolving criminal schemes on the Internet,” Michael D’Ambrosio, Asst. Director (Acting) for Investigations, U.S. Secret Service.

State of the (digital) union

Publishers’ programmatic revenue channel can also be the biggest risk to their business model. The Internet’s dynamic environment and the nature of programmatic advertising means that publishers have very little control over the code behind the user experience. Malvertising (and other quality issues) are the inevitable result.

Here are the facts:

  1. Malvertising has doubled in the past 2 years. Our global, 24/7/365 Digital Security & Operations team tackles an average 1,500 active incidents each day and classifies more than 6,000 new malicious domains each month. The team is busy analyzing, alerting, and remediating malware events, from redirects and exploit kit drops to scams and ad stacking.
  2. Ad/Martech code is significant. With more than 7,000 vendors operating in the space, it’s no wonder that 50-90% of the code executing in publisher environments derives from third-party partners. This means that publisher teams (ad/revenue, security and IT) have no control over most of the code behind the user experience.
  3. Self-regulation is seriously threatened. GDPR (and soon CCPA) is taking a bite out of businesses that fail to protect consumer data siphoned by the digital experience. Now federal U.S. authorities have adopted a similar mindset, levying fines and announcing investigations into Big Tech.
  4. Cookieless world is emerging. Mobile is now the primary internet access point and browsers have reduced tracking capabilities. While first-party data is becoming more valuable, there are many ways to surreptitiously collect visitor data. Our Digital Security & Operations team is watching an uptick in fingerprinting and collection of device IDs for targeting.
  5. Data Leakage and Ad Tech Tax are costly. Revenue channels are at risk when competitors and unnecessary partners are allowed to execute on your site. In fact, endemic publishers appear to suffer the most from data leakage, with numerous clients being alerted to competitor trackers.

Malvertising prosecution isn’t easy

Everyone has a reason to be upset by malvertising: businesses, because attackers exploit their publications and target their users; consumers, because malicious ads are designed to defraud them, chew up data resources, and waste time. From redirects and ransomware to device takeover and fake ads, malvertising is costly.

It’s clear that malvertising constitutes a danger at worst and an insufferable nuisance at best, no matter what form it takes. And, the scourge is getting the attention it deserves from U.S. authorities.

Encouraging progress

Progress is evident; the dark web takedowns of 3ve and Silk Road show that investigators can isolate bad actors with the help of digital supply chain players and security providers. Moreover—as a recent case shows—international cooperation can overcome jurisdictional disputes.

While the U.S. doesn’t criminalize “malware” itself, it does have enough legal ammo to indict the criminals it catches:

  • It is illegal to commit – or conspire to commit – fraud
  • It is illegal to sell or advertise “illegal wiretapping” devices (a law that was recently leveraged to indict Marcus Hutchins)
  • It is illegal to disseminate software that damages machines or networks without consent, thanks to the Computer Fraud and Abuse Act (CFAA)

Taken altogether, these laws suffice to encompass the vast majority of cybercriminals that anyone cares about, and all that remains is to enforce them. But in order to enforce them, we must work together by sharing data and blocking bad actors at the source.

“The relatively simple email campaigns of the past have advanced into elaborate frauds, corrupting the entire Internet ecosystem, from social media and ad-tech to domain name services and transport layer security. In order to keep pace with the growing threat, close collaboration between industry, law enforcement, and overseas partners is - and will remain - essential.” Michael D’Ambrosio, Asst. Director (Acting) for Investigations, U.S. Secret Service.

After witnessing the takedown of a major malvertising operation this past month and monitoring the web daily for malicious actors, we know that we will see many more in the future. In the meantime, businesses must prevent cyber crooks from using them as channels for fraud and identify and eliminate malicious actors from their own domains.