This article originally appeared in Digital Content Next on October 2, 2018.
Popular malware blocking or filtering technologies can go a long way in preventing bad ads from impacting your business’ bottom line. But they’re not a one-stop solution. Much like a quarterback relies on the assistance of his teammates, blockers also function optimally when paired with other smart technologies and tighter security policies. The Media Trust Digital Security & Operations (DSO) team recently uncovered just how weak malware blockers can be when relied upon as a single malware solution. It’s vital that businesses recognize the danger of relying solely on malware blockers to thwart attacks. They must also take the time to build a better game plan to tackle incoming threats.
Obfuscation: The Quarterback Sneak
A big problem with treating malware blockers as a security solution is that they’re rife with issues. Take malicious domains, for example. Recently, a notable domain, known as “dq6375rwn2aoi.cloudfront.net” made its way onto many suppliers’ watch lists. Yet it still managed to sneak beyond malware blockers. The domain in question was disguised with additional code that made it unrecognizable and, therefore, unreadable by the blocker. This technique is known as obfuscation and it’s posing a massive problem in the malvertising space.
According to the DSO team’s analysis, when the right conditions are met, the malware presents users with a fake “you’ve won” pop-up that prompts readers to claim a reward. When users click OK, they are taken to a website that requests for sensitive, personal information like name, email and telephone. The DSO team quickly identified the malware and worked with the publisher to terminate the ads at the source, protecting its’ 900,000 weekly audience members. In just one day, the team uncovered similar obfuscated malware executing in 16 other client websites. All of them had one thing in common: They used the same malware blocking solution.
Blockers: A Narrow Lineup
There are several reasons why blockers provide only a partial solution to preventing bad ads. For starters, at least 90% of malware used in malicious mobile redirections are obfuscated. And that already-high number is growing. There’s also the conundrum of code that can identify and work around specific tools; if the malware detects the presence of a known provider’s tool, it will change tack and behave differently.
Finally, blockers often use third-party malware data which quickly goes stale, thanks to new malware being introduced quicker than the data can track. This issue is so rampant that the DSO team finds a new attack every 30 seconds and classifies at least 5,000 new active malicious domains each month. According to The Media Trust’s analysis, third-party malware data sources take an average of three to five days to identify and record malware. As a result, by the time a third-party filter is updated, 8,600+ attacks could have occurred over a three-day period. That’s at least 14,400 attacks over just five days. For context, a single attack can affect millions of devices.
It’s also important to note that some blockers shut down good ads or block legitimate digital partners like DSPs because of false positives in the data they use. This overzealous approach to rooting out bad ads and bad actors will reduce a publisher’s revenues and can undermine their reputation with a good digital partner. Additionally, when good ads are suppressed, the user experience becomes needlessly compromised. The fact is, while blockers can help, they cannot eliminate malvertising.
The Game Plan: How to Score Against Malvertisers with Blockers
Until machines can match the craftiness of human programmers, companies should supplement their preferred blocking solution with other measures to reduce risk. As regulations like the GDPR and the California Consumer Privacy Act evolve and spread, a single breach can have a huge impact on a company’s finances, performance and reputation. Businesses can mitigate falling victim to these consequences by staying one step ahead of the curve. A good place to start is by devising a game plan that analyzes the opponent’s behaviors and timing. Here are some tips on how companies can take — and keep — the lead.
1. Choose the Best Blocker
As mentioned, a new malware attack hits the ecosystem every 30 seconds. Many blocking solution vendors use compiled synthetic and data sources that are updated every three to five days. Companies should choose a blocker that offers more frequent updates, preferably around the time when new malware is discovered.
2. Understand Malware’s Many Moving Parts
Ad experiences consist of a creative, a tag and a landing page, each of which can be infected. Ten percent of malware that the DSO team detects infect only landing pages. This is likely because most blocking tools ignore these pages, along with site-level malware. Publishers should find out whether the blocker sees these different components, and whether or not they block them when they’re infected, and how.
3. Watch for URLs That Change Their Behavior
Blockers do a good job of rejecting ads with malicious URLs until the latter are obfuscated to avoid detection. Blockers should identify malicious URLs, along with malicious domains and bad hosts. This way, no matter what form the URL takes, the blocker can identify the malware via its host and domain.
4. Remember That Most Malware is Obfuscated
As we’ve seen, this is a huge and growing problem. Legitimate developers obfuscate code to protect intellectual property, while malware developers do it to escape detection. Obfuscation should be reason enough on its own to make companies want to tighten their security policies around malware.
Reviewing Game Day
Malware blockers can be useful tools, but not when they function as the only security tool. Keeping bad ads at bay absolutely requires that companies implement a multi-layered, proactive approach by incorporating other tools and policies into the mix. Regular monitoring of the website from a customer’s view will also allow companies to understand who and what is executing on the website to be able to take action to block code when required and stay compliant.