Gavin Dunaway warns that scammers are leveraging domains from defunct ad tech companies to spread malvertising not through the ad server, but user sync URLs.
For all its luster and majesty, the back-end of the world wide web is a graveyard, littered with the remains of deceased companies. Instead of corpses, websites are covered in dead code from ad tech players that have been acquired, rebranded, or simply shut down—an all-too-common occurrence in digital advertising.
Just like how the departed occasionally receive junk mail or telemarketing calls, dormant domains still get requests for syncs even though they will never respond…until they do.
And just like in the movies, it’s never good when the dead come back to life.
A Series of Strange Incidents
In late 2020, The Media Trust investigated an odd case. An enterprise company that only ran house ads on its properties was drowning in redirects. Looking into the site’s call chain, we found the culprit: the company’s DMP was trying to sync with Choicestream.com, which was sending back a malicious redirect.
Choicestream… Why did that name ring a bell? Oh yeah, it was a prominent DSP that closed up shop back in 2017. Further examination showed that Choicestream redirected the user sync to a domain notorious for its malvertising exploits—a malevolent actor had bought Choicestream.com, though only temporarily as the site appeared to be a parked domain soon after.
In five hours, an SSP’s hijacked user sync delivered malicious code more than 24,000 times across the globe, affecting 450+ publishers and ad tech providers.
This would’ve just been a story to amaze your friends at malvertising industry cocktail parties (they exist, and sometimes reach double-digit attendance!) if something similar didn’t happen a few months later in January 2021. This time, we detected 5,000 episodes across many prominent publishers where a hijacked user sync delivered redirects. The offending domain had previously belonged to Telemetry, an ad tech measurement company that ironically had focused on preventing ad fraud.
In February, the big one hit. In five hours, an SSP’s hijacked user sync delivered malicious code more than 24,000 times across the globe, affecting 450+ publishers and ad tech providers. Dubbed Electrum-3PC because of its bitcoin wallet scam, the malware attack did not appear to come from zombie ad tech, but a .tk domain registered on the island of Tokelau off of New Zealand—a notorious source for malicious domains.
A Mounting Menace?
Don’t think I’m going to start the “Kill all ID-syncs!” brigade. Syncs are extremely useful tools for advertising, site personalization, and overall user experience. But any avenue that lets third-party code access your site can be hijacked to deliver malvertising or general malware— e.g., malware that is not delivered via ads. That’s the wonder of JavaScript, baby. When trying to understand what happened in all of these incidents, I struggled to wrap my head around that—”Wait, where is the ad server?”
In ad tech, consolidation is constant, leaving hellacious amounts of zombie code that could be exploited by bad actors.
Hangups with user syncs are not uncommon. Many years ago while I was Editorial Director of AdMonsters, our team went batty trying to figure out the source of extreme latency on our site. Our pages were taking anywhere from 30 seconds to a minute to load. We finally discovered that a sync likely installed several years prior was hitting an expired domain and failing to time out.
Delivering malware through user syncs isn’t a new concept either—there were outbreaks with expired domains following the merger of Altitude Digital with Genesis Media (in 2017—is that year cursed or what?). But what strikes us with these new attacks is the frequency and the quick ramp-up. The appeal of a hijacked user-sync from a scammer’s viewpoint is clear: no need to buy ad inventory or pass a creative audit by a demand-side platform.
In ad tech, consolidation is constant, leaving hellacious amounts of zombie code that could be exploited by bad actors. Making their job easier, there are domain-buying services out there that will let you rent out a parked domain for a short period of time. And while these incidents have been mainly limited to redirects, user-sync hijacks have a similar attack vector to credit-card skimming Magecart; escalation is certainly possible.
Finally, digital scammers are quick to copy each other’s bad acts—one can only imagine the torrent of malvertising unleashed if hijacking user syncs becomes a fad.
Check Your Code
Depending on how your creative blocker operates and where it’s integrated, it may not be effective in mitigating these attacks. For example, a creative blocker based on buyer or creative IDs would never see the malvertising coming—because there is no buyer or creative ID.
Unfortunately, the solution is complicated. Publishers need to strip from the header any code from defunct or dormant partnerships. Ad tech players need to hunt down and expel syncs to deceased companies or inactive partners.
This is a harder ask than it seems—cleaning up code from the myriad partnerships is laborious, and removing one piece of code has a bad tendency to affect other code. Besides, an idle partnership could be flipped back on at any time, so why go through the headache of reintegrating? Who has the time anyway?
That’s why publishers need to also stay vigilant by employing continuous client-side site scanning to monitor all the third-party code surfacing on their pages and identify potential vulnerabilities.
It may seem strange to say, but some malvertising doesn’t come through the ad server. Living dead ad tech is real, and it will bite you… And your audiences.
Everything you ever wanted to know about malware and ad quality but were afraid to ask—join The Media Trust, the IAB, and TAG for a free webinar on April 13, 2021 at 1 pm ET.
