Many news reports of late have described malware being delivered through advertising networks. But that leaves the impression that the AdTech itself is benign and being hijacked for nefarious purposes. While it may have started out that way, that is definitely not the case today. Kaspersky Labs mention several times in their latest report that the adware has become so aggressive, intrusive, and exhibits such bad behavior that they are now classifying the adware code itself as malicious.
According to AdWeek, global advertising revenues have reached $512B, and they forecast declines in revenue growth for 2015. Meanwhile, cybercrime is estimated to cost the global economy $445B annually, and that cost is increasing steadily, partly due to advances in technology and partly because victims pay the price over many years, so the victim pool grows relentlessly year over year.
Online advertising has escaped its digital Hayflick limit and is spreading out of control. Online advertising is the new digital cancer.
You are opted in by default
I often refer to AdTech as the Research & Development arm of organized cybercrime. The criminals no longer have to spend money inventing new ways of penetrating the mobile device or PC since they can purchase a highly targeted ad for mere pennies instead. Thanks to very effective personalization capabilities delivered by ad networks, the cybercriminals can slice and dice their content and tailor the malware for specific audiences.
There are many ways to personalize content. For instance, do you ever wonder why so much email spam is so obvious? Spam is often riddled with misspellings, bad grammar, and other glaring clues as to its malicious intent. We think “those must be some really dumb spammers” as we click delete. Who would fall for that, right? Actually, that is intentional. People who are so eager for the promised product that they are willing to overlook those obvious clues are self-selecting as the most gullible targets, and therefore the most lucrative. Malvertising relies on a similar filtering mechanism: anyone NOT using ad blockers is self-selecting into the cybercriminal’s target pool.
Let the personalization begin
That is a very broad level of personalization but provides the baseline pool for cybercriminals to choose from. The personalization engine built by advertising provides the rest. You want to target by gender? No problem. You want to target by age? We got you covered. You want to target by geolocation, income, political party, health, or special interest? Any or all of the above are trivial.
Just how personal or how creepy can targeting get? Brian Swichkow famously pranked his roommate by individually targeting him to receive specific ads of his own design. Malware targeting can range from indiscriminate bait all the way down to specific individuals. All the way down to you.
The advertising industry likes to claim their ability to personalize the web to show you only relevant ads justifies all their secret data collection. Whether or not you see personalized legitimate advertisements as a benefit, cybercriminals are among the biggest customers and they use it to deliver personalized, relevant malware custom tailored to exploit your individual mix of cognitive biases in order to manipulate you into installing malware. The cancer analogy doesn’t do it justice. It would be better to describe online advertising as designer cancer, engineered for your individual DNA.
Of course, the advertising industry can’t be blamed for cybercriminal intrusion into the ad network. Or so they would have us believe. According to AdWeek, cybercriminals hijacked the network serving ads on YouTube. It isn’t like they were invited in. Or at least that’s the response provided to the media.
Looking at their own marketing though, the ad networks do not even try to hide the fact that they are in bed with cybercrime. Yasha Levine over at Pando found that “legitimate” companies even let you target pensioners who play the lottery. Specifically targeting elderly gullible populations is not only despicable, it is also clearly designed for cybercriminal ad buyers.
It isn’t important to the online ad industry that the ads and network are toxic or that cybercrime acts in the role of silent partner. The important thing is the plausibility of the claims of distance from cybercriminals and the claims that personalization is beneficial. These are the angiogenesis of the advertising tumor. The plausibility of these claims is what keeps the money rolling in.
The advanced persistent tumor
Even among privacy advocates like me (fanatics, some would say), the worst effects of malvertising are usually described in terms of how it affects the individual on the Internet. In their quest for personal data, surveillance ad-tech puts you at risk. While that’s true, the targeting doesn’t stop at individuals. Sometimes it is specific populations of individuals that are targeted. Sometimes it is people working for national infrastructure targets.
Federal Times reported in October that over a two-week period a campaign dubbed ‘Operation DeathClick’ targeted several American aerospace and defense contractors in more than two dozen attacks. Security firm Invincea makes an ominous prediction in the same article:
“While we discovered these attacks across multiple defense companies, we expect it will not be long, if not already, before other highly targeted segments including federal, financial services, manufacturing and health care are victimized with the same micro-targeted malvertising.”
In a white paper on their own web site, Invincea reports that malvertising “represents another development in the ongoing blending of techniques from cyber crime and advanced threat actors with nation state agendas.” In other words, advertising is the Advanced Persistent Threat.
If you wanted to prevent skin cancer, you would either avoid excessive exposure to the sun, or else apply sunblock liberally when outdoors. Unfortunately, avoiding malvertising isn’t an option since cybercriminals have figured out how to ride the rails advertising has built into high value sites you trust like YouTube, Amazon, and Yahoo. Malicious ads on AOL Time Warner infected AOL’s users with the notorious CryptoWall ransomware. That is a type of software that encrypts your hard drive and then sells you the decryption key.
Since malvertising isn’t limited to the seedier side of the Internet (we know it has been served up on top-tier web sites), we have to conclude that there is no “safe” web site that runs ads. Avoidance isn’t a practical answer. Prevention is all that’s left.
Given what is at stake, it would be morally wrong, and should be criminally wrong, to bar users from employing the best possible ad and tracker blocking on the planet. Yet AdBlock Plus is being sued for providing such a tool. It is hard to see how the suit against AdBlock Plus could be taken seriously by any court in the world. A finding against AdBlock Plus would extend legal protection to cybercrime. There is no scenario in which that outcome could be considered a good thing. We must be allowed to defend ourselves against the onslaught of online threats, and the fact that they are delivered via advertising channels does not change that social need.
The cure is bad but the alternative is worse
It is equally hard to understand how anyone could continue to argue that the existing framework for online advertising is benign or results in a net good for users. Even if we set aside all arguments over the behavior of legitimate advertising itself, the saturation of the ad delivery framework by cybercrime outweighs the legitimate benefits. Like any other cancer, online advertising started off as a functional component within a larger system. But it has become toxic to the online ecosystem it once nourished. Left untreated, cybercrime will continue to grow, and more of the world’s intellectual production and GDP will be siphoned off to fight the malware wars. Online advertising as it is practiced today needs to be excised, irradiated, and beaten back with aggressive chemotherapy.
Online advertising advocates argue that the Internet is ad-supported and that it will die if we allow blocking of ads and tracking. That is far from a certainty. People are monetizing content online through direct donations, tip jars, freemium, pay-what-you-want, formal patronage agreements, direct sales, pay walls, barter, and more. If you are a popular enough content creator, you can even monetize by giving away the same content that you sell online and in brick-and-mortar stores. If the content is compelling, people will pay to support it.
Still, some claim that ads are the only way they personally can monetize their content. There are even sad tales of families who will go without food because of blocked ads on some blog. If it is true that advertisers will generally pay more for readers on a page than those readers will pay for the content on that page, then the readers are more valuable than that particular content. That’s not a problem with ad blockers. It’s a problem with content. There are a lot of people who make their living selling cancer treatment drugs, but that doesn’t make a case for them to go around exposing the general public to carcinogens. Likewise, people who make their living off of real-time ad bidding networks don’t have a good case for exposing their readers to malvertising, whether they know it is happening or not.
Ad blocking will definitely disrupt the internet, and some sites that do not adapt will die off in the shakeout. There is no question of some negative impact from blocking ads. But none of it is as bad as the negative impact of doing nothing or banning ad blockers altogether.
Somebody should pass a law. There’s a commonly heard phrase if ever there was one. But what kind of law? In the US we have laws about labels on products and shelf tags. They are supposed to provide transparency so that shoppers can compare two items and make decisions. But marketers know that such a direct comparison makes you less vulnerable to manipulation through advertising. That’s why shelf tags in the US are deliberately obfuscated.
They make sure to use different units across different products, or even the same product in different sizes. Rolled paper products are measured by the sheet, by the roll, by the inch, etc. Those that are measured linearly often vary slightly as to the width of the product. Canned products are measured by the weight, serving size, per each. These make side-by-side comparisons impossible. Marketers have complied with the letter of the law, but not the spirit of it. This was deliberate.
Any law to address this in the online ad world would then need to be above the trivial bypasses seen with product labeling. Outlawing specific personal data collection or tracking techniques would be like playing whack-a-mole and would just drive the invention of newer, better techniques. Advertisers are adept at staying ahead of anti-malware tools; keeping ahead of legislation would be trivial by comparison.
Most of the trade in personal data takes place under a cloak of secrecy, so if we are going to pass a law, let’s start with transparency. If it is true that invasive data capture and personalization are benign, then the companies collecting, processing and trading in that data should not mind letting us know who they are, what data they have, how they use it and who they sell it to. Having seen what the same marketers did with shelf tags, we should try not to repeat the same mistake of poorly worded regulations and lax enforcement.
Definitely pester your elected representatives about this (assuming they remember they represent natural citizens first and corporations second), but don’t hold your breath waiting for good legislation. Or even bad legislation. Instead, go install AdBlock Plus, NoScript and Ghostery or, as James Bruce calls them, the Trifecta of Evil. (James’s anti-ad-blocking post seems naive in retrospect, but keep in mind it was written in 2012. I just like his catchy title.) I also like the EFF Privacy Badger. These tools are the surgical, radiation and chemo treatments for the cancer of online ads.
The collection of arguments about how good advertising, tracking, invasive data gathering and personalization are is advertising’s homeopathy, and just as effective at keeping you from harm.
Or as Invincea put it, malvertising “does not represent a single flaw, 0-day, or unpatched bug, but rather a significant development in the adversary’s capabilities and strategy to leverage legitimate online advertising platforms on well-known ad supported websites via a technique called Real-Time Ad Bidding. In other words, this problem will not be patched on Tuesday.”
Below are some pull-quotes from the Kaspersky Labs report with emphasis added.
Threats designed for Mac OS X
(AdWare represents 8 of the Top 20 malware agents intercepted.)
Almost half of our TOP 20 programs, including the one in first place, were occupied by AdWare programs. As a rule, these malicious programs arrive on users’ computers alongside legitimate programs if they are downloaded from a software store rather than from the official website of the developer. These legitimate programs might become a carrier for the AdWare-module: once installed on the user’s computer it can add advertising links to browser bookmarks, change the default search engine, add contextual advertising, etc.
The TOP 20 malicious objects detected online
(Twelve of the Top 20 in this category are AdWare.)
As is often the case, the TOP 20 is largely made up of objects used in drive-by attacks, as well as adware programs. 73.7% of all verdicts identified links from these black lists.
Noticeably, in 2014 there was an increase in the number of advertising programs in the TOP 20, up from 5 to 12 compared to the previous year and accounting for 8.2% of all malicious objects detected online (+7.01 percentage points). The growth in the amount of advertising programs, along with their aggressive distribution schemes and their efforts to counteract anti-virus detection, has become the trend of 2014.
The Trojan-Clicker.JS.Agent.im verdict is also connected to advertising and all sorts of “potentially unwanted” activities. This is how scripts placed on Amazon Cloudfront to redirect users to pages with advertising content are detected. Links to these scripts are inserted by adware and various extensions for browsers, mainly on users’ search pages. The scripts can also redirect users to malicious pages containing recommendations to update Adobe Flash and Java – a popular method of spreading malware.
The TOP 20 malicious objects detected on user computers
(Seven of the Top 20 objects listed in this category are adware.)
Both this rating and the rating of web detections show that advertising programs are becoming more common. In 2014, the number of users who encountered adware doubled from the previous year and reached 25,406,107. At the same time advertising programs are becoming both more intrusive and more dangerous. Some of them “cross the border” into the category of potentially unwanted programs and are assigned a “harsher” verdict. For example, Trojan-Dropper.Win32.Agent.jkcd (16th place), in addition to displaying ads and changing search results, can download malware on the computer.
Below are pull quotes from Invincea’s whitepaper. Emphasis is theirs.
In this new targeted variation of malvertizing, the perpetrators are attacking specific organizations by leveraging real-time ad bidding networks and micro-targeting techniques developed over the last decade in online advertising. The objective of these micro-targeted attacks against the Defense sector is likely theft of Intellectual Property more than ad fraud and indicates motive and sophistication characteristic of advanced threat actors.
The campaign described here does not represent a single flaw, 0-day, or unpatched bug, but rather a significant development in the adversary’s capabilities and strategy to leverage legitimate online advertising platforms on well-known ad supported websites via a technique called Real-Time Ad Bidding. In other words, this problem will not be patched on Tuesday.
In the campaign described here, Operation DeathClick, traditional malvertising has been armed with a micro-targeting system using IP address ranges, geographically narrowed down to zip codes, and interests of the user (recorded in cookies) to target specific companies, company types, and user interests/preferences. They are employing the tactics of real-time ad bidding to guarantee malicious ad delivery to intended targets of the campaign – building on a decade of work in real-time analytics for online ad placement, but for nefarious purposes.
The threat actors redirect their ads for just minutes at a time and then abandon their exploit kit pages forever. This means that list-based threat intelligence feeds are rendered ineffective. The domains used do not appear in any proxy blacklist, and the malware droppers delivered by the exploit pages always employ different signatures, evading traditional network and endpoint detection technology.
Ad delivery networks today are not incentivized to address the problem in a credible manner as they derive revenue from the criminal enterprise, while not being held accountable. Turning a blind eye to the problem is rewarded economically. Meanwhile the perpetrators are able to use traditional malvertising and ad fraud bots to fund the criminal enterprise.
Without cooperation of ad networks to vet the advertisers working through front companies, this attack vector will go unchecked. And now, with the advent of real-time ad bidding, these threat actors have weaponized ad delivery networks to target victims based on:
- User-Agent strings (versions of flash, OS, java and browser)
- Interest-related content (click bait articles, industry specific software or hardware, like medical supplies, radar mapping software, ammunition sales, stocks forums)
- Advertising Profiles derived from cookies (someone with specific tastes, may shop for shoes, handbags, cars, luxury vacations)
- Geographic region (malvertisers can target specific neighborhoods or states via geoip direct advertising)
- Specific corporate IP ranges (targeted malvertising can target the public IP space of your network or an Industrial Vertical)
Real-time ad bidding allows advertisers, and by extension, adversaries, to micro-target ad delivery on an extremely granular basis. For example, oppressive regimes trying to gather intelligence on activist protests can deliver ads to people getting email from within a specific locality where they are protesting. Today, it is commonplace for micro-targeting techniques to be used as part of the toolset in legitimate online advertising. For instance, a defense contractor, trying to win a new omnibus contract, can deliver targeted ads to online news sites frequented by Government program personnel. The latest software product release can be delivered to Windows users visiting PC Magazine’s website. A local car dealership can sense when someone is in the market for a new car and can deliver advertising to those users, based solely on browsing history.
Now advanced threat actors are able to target an organization directly via micro-targeted malvertising, based solely on their corporate network IP range. Thus, it doesn’t matter where in the world you point your web browser–an online video poker room, a fantasy football club homepage, a Pakistani news homepage, or even checking your own webmail at a trusted email provider. Those ad windows can and are being used to deliver malware if the bidding price is right.
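The quoted whitepaper makes two detection points worth turning into working logic: the landing domains live for minutes and never reach a blocklist, and the droppers change signature each time, so list matching fails. The following is an added example (not code from the article, Invincea or Kaspersky) that instead flags, in a constructed proxy log, any request whose referrer is a known ad exchange and whose destination domain has never been seen in the environment, then records the same client’s follow-up fetches from that domain. The ad exchange hostnames, the known-domain baseline and the log lines are all constructed for illustration.

```python
from collections import namedtuple
from urllib.parse import urlparse

# Constructed: hosts this hypothetical organisation treats as ad exchanges
# (the last hop before a creative or landing page is served).
AD_EXCHANGE_HOSTS = {"rtb.example-exchange.net", "ads.example-adserver.com"}

# Constructed: domains already observed in the environment before this log.
KNOWN_DOMAINS = {"news.example.com", "cdn.example.com",
                 "rtb.example-exchange.net", "ads.example-adserver.com"}

Event = namedtuple("Event", "ts client status url referrer")


def parse_line(line):
    """Parse one constructed proxy log line: ts client status url referrer."""
    ts, client, status, url, referrer = line.split()
    return Event(ts, client, status, url, "" if referrer == "-" else referrer)


def host_of(url):
    """Hostname of a URL, or '' for an empty/missing referrer."""
    return urlparse(url).hostname or ""


def find_suspicious_chains(lines, known_domains):
    """Return {(client, host): {"landing": url, "followups": [urls]}}.

    A hit is a request referred by an ad exchange to a domain not in the
    baseline.  Every host seen is added to the baseline as it is processed,
    so a repeat of the same domain later in the log is not flagged again,
    but follow-up requests from the flagged client to the flagged host
    (typically the dropper download) are attached to the original hit.
    """
    known = set(known_domains)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        host = host_of(ev.url)
        key = (ev.client, host)
        if key in flagged:
            flagged[key]["followups"].append(ev.url)
        elif host_of(ev.referrer) in AD_EXCHANGE_HOSTS and host not in known:
            flagged[key] = {"landing": ev.url, "followups": []}
        known.add(host)
    return flagged


# Constructed sample log: one ad chain onto a never-seen domain followed by an
# executable fetch, and one benign ad chain onto a known CDN.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 200 https://news.example.com/story -
10:00:02 10.1.1.5 200 https://rtb.example-exchange.net/bid?s=1 https://news.example.com/story
10:00:02 10.1.1.5 302 https://ads.example-adserver.com/c?id=7 https://rtb.example-exchange.net/bid?s=1
10:00:03 10.1.1.5 200 https://q7w3.example-landing.org/l.php https://ads.example-adserver.com/c?id=7
10:00:09 10.1.1.5 200 https://q7w3.example-landing.org/up.exe https://q7w3.example-landing.org/l.php
10:05:10 10.1.1.9 200 https://cdn.example.com/a.js https://rtb.example-exchange.net/bid?s=2
""".strip().splitlines()

if __name__ == "__main__":
    for (client, host), info in find_suspicious_chains(SAMPLE_LOG, KNOWN_DOMAINS).items():
        print(client, host, info["landing"], info["followups"])
```

The baseline of known domains is the part that makes this work in practice; it has to come from the organisation’s own history, not from a vendor list.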