What You Should Know About Yahoo's Malvertising Attack
People often cite lethargic page-load speeds or general aesthetics as the reasons they install ad-blocking software on their web browsers. But hackers are making perhaps the best case for people to block banner ads -- and for advertisers and publishers to take ad-blocking seriously.
Hackers have been exploiting Adobe's Flash software, which brands use to make and display visually appealing and interactive online ads, to take over personal computers entirely and hold them hostage, or to send fake traffic to sites built to siphon ad spending. According to cybersecurity company RiskIQ, the number of ads created for malicious reasons -- called "malvertisements" -- increased by 260% in the first quarter from the period a year earlier.
On Monday cybersecurity company Malwarebytes said Yahoo's ad network had fallen victim to a "malvertising" attack. Yahoo said in a statement that its team took action as soon as it learned of the issue but that "the scale of the attack was grossly misrepresented in initial media reports."
Ad Age spoke with Malwarebytes' senior security researcher, Jerome Segura, to understand why these types of attacks appear to be happening more often, what Flash has to do with it and what can be done to prevent future attacks. Adobe declined to comment.
The transcript has been condensed for clarity and length.
Advertising Age: How did this happen? Yahoo's one of the biggest online publishers out there and operates one of the higher-profile ad networks, so it seems like they should be among the least vulnerable to this kind of attack.
Jerome Segura: Right, exactly. It is quite unusual to see, in this case, the publisher and the advertiser caught at the same time. We have observed malicious advertising before where you have companies like Google's DoubleClick where the ads are displayed on various websites. But in this case it was on the main Yahoo site as well as some of the various portals. The malvertising attack itself, the chain went through a third-party ad server called AdJuggler that Yahoo had been dealing with already. What happened is a rogue advertiser basically abused AdJuggler, which in turn affected Yahoo because they were publishing their ads on their main site.
One of the big issues of malvertising: There are many layers and this is due to things like real-time bidding where various advertisers can bid on an ad using ad platforms. It's a very complex situation. There are billions of impressions each day. I think Yahoo itself admitted in its statement that this is a problem that comes with the business of online advertising. You won't be able to catch all of the attacks before they actually happen. To some extent I think that's true.
Ad Age: The crazy thing to me is that, from what I've read, it sounds like the easiest part of all this is in getting these bad ads to run on publishers' sites.
Mr. Segura: There are many techniques that cybercriminals are using to fool ad networks and advertising agencies. For starters it's quite easy on a lot of ad networks -- maybe not Yahoo's -- to register an account as an advertiser and start uploading your ad and bidding for spots. It's very anonymous. You can register without providing a lot of information necessarily. There is not really a very strong barrier to entry for advertisers to start going on to ad platforms and pushing their ads. One of the reasons is they're willing to give money to the ad networks to run the ads, like any normal advertiser, so it is in the ad networks' interest to have the advertisers come and upload their creative.
It is definitely an issue that's been shown and a lot of people have wondered how is this possible and isn't there some kind of monitoring in place to detect these kinds of advertisers that are malicious in nature. There are different techniques that are used. Some advertisers will start legitimately to gain the trust of the ad network and later turn on ads that are malicious, but only activate them a few times a day to not create too much noise.
Others that know they will be caught, once they get into an ad network they push it as much as possible in a short time frame before somebody actually notices the irregular activity and shuts them down. Because it's a very layered, complex system and billions of impressions, there is always room for abuse.
Ad Age: From an audience perspective, one of the scarier pieces of this is that if I visited one of Yahoo's affected sites while these bad ads were running, my computer could have been infected even if I didn't click on any ads, right?
Mr. Segura: Exactly. Malvertising does not require any user interaction. Simply browsing in this case to Yahoo.com and the page loading with the ad would be enough for the code to silently try to infect your computer. In terms of how successful that is, it's actually pretty, pretty high. There was a report from Cisco that showed that in 40% of cases users that were faced with a malvertising attack would be infected because in most cases their computers aren't fully secured properly. The 40% ratio of infection is definitely something that the bad guys are enjoying at the moment because they know when they run one of these malvertising campaigns, the budget they dedicate to it will see a good return on investment.
Ad Age: It feels like these malvertising attacks are happening more often. RiskIQ said that 260% more malvertisements ran in the first quarter of this year than in the first quarter of last year. Why are these becoming more common?
Mr. Segura: That's a good question. First of all those numbers are only attacks that have been detected. There are a lot of other attacks happening that nobody really sees or is able to immediately pinpoint. One example of this is earlier this year there was a malvertising attack that lasted almost two months and used a zero-day exploit -- exploiting a vulnerability before the software maker is aware of the vulnerability -- in the Flash player. But overall you're right. The trend is that there are more attacks and the campaigns seem to last longer and affect sites that have higher profiles. I think one of the primary reasons is right now cybercriminals have a lot of vulnerabilities and exploits that work really well. In the last few months we have had several Flash player zero-days or vulnerabilities where there was no patch from the vendor for several days yet the exploits were already being used for malvertising attacks. The current situation, especially due to those Flash player exploits, is making it increasingly attractive for cybercriminals.
Ad Age: Why does Flash always seem to be at the root of these malvertising attacks?
Mr. Segura: Typically cybercriminals try to exploit a piece of software that is very common and also gives them a good return in terms of the effort spent trying to find exploits. With Flash what's interesting is we've seen in a few high-profile cases where you can combine the exploit -- that is going to find the vulnerability in the Flash player and be able to open the machine for an infection -- and combine that with the advert itself in one package. So not only can you have an ad that works perfectly fine in Flash, but that ad contains the exploit code. It's pretty unique. It's not something you can do with other plug-ins or pieces of software. In terms of what is required from the attacker point of view, it's pretty much streamlined. It's a very efficient way to compromise systems.
Ad Age: Google lets advertisers convert their Flash ads into HTML5. Does that help things?
Mr. Segura: A lot of people that are proponents to get rid of Flash say let's just exchange it for HTML5 because HTML5 is this open-source piece of software, meaning anyone can inspect it to identify vulnerabilities and submit fixes, whereas Flash is closed-source and maintained by Adobe. One of the main things right now is the fact there are still a lot of sites and games that rely on Flash. The shift has begun; Netflix and YouTube and Google are using HTML5 more and more. But there are still a lot of sites that require Flash. A lot of the games on Facebook are built in Flash. It will take time for web developers and game developers to make that transition.
Ad Age: Is this a desktop-only problem, or is it something that's also going on with the mobile web or even ads in mobile apps?
Mr. Segura: This particular Yahoo case was for desktop computers and Windows computers. But malvertising in general isn't just about malware. We see actually a lot of malvertising that targets mobile devices and is not primarily malware-related, like downloading an app you weren't prepared for. More recently we've seen malvertising attacks that have these pop-ups you couldn't get rid of for tech-support scams. That was very popular on Apple's iOS. You'd be browsing a site and this pop-up would not let you close it and ask you to call a number for support, which turned out to be a scam. As the number of users on mobile has surpassed desktop users, malvertisers are infecting or exploiting users in different ways.
Ad Age: What can publishers do about this?
Mr. Segura: They don't have a lot of control in all of this unfortunately. Most of them offer content for free, so advertising is part of their revenue and an important part of their revenue. In terms of how to minimize this, one of the important things they can do is pick advertisers wisely and go for a well known, top-level ad network, for example Google's DoubleClick or Yahoo Bing Contextual Ads. You know, the major ones. These traditionally have more resources and stricter controls in terms of quality assurance in terms of the type of ads that go through. So you are definitely minimizing your risk by going with a popular ad network.
Ad Age: Wouldn't Yahoo's ad network have been considered in that tier, at least before this attack was revealed? And so how comfortable should people feel with DoubleClick or Bing's network until something potentially happens and they're affected just like Yahoo has been?
Mr. Segura: It's perfectly valid. Overall the number of incidents for the major ad networks is much, much lower than those that are less reputable. There's no such thing as no incident when it comes to security. It's about the frequency but also the duration of an incident. So by going with a major ad network, you know that they're more likely to respond in a timely manner. That's what really matters, I think.
Ad Age: What about advertisers and ad networks? What can they do?
Mr. Segura: They already have a lot of things in place to detect fraud. For example when a new advertiser comes on board, they don't let them get the full privilege of running campaigns on major sites. They might start with a subset of sites that are lower profile, and they also may have certain features that are disabled by default. For example, they might only be able to carry text-based ads until they've been around for long enough that they're trusted and can now introduce more dynamic ads, Flash-based ads for example. Overall what they really can do is -- knowing that incidents do happen -- they need to prepare themselves for what to do when they happen: what is the response, how fast can they react to an incident. Each second that goes by, somebody else is getting infected.
Ad Age: What can people do to protect themselves from getting infected?
Mr. Segura: Getting your computers patched is the primary piece of advice anybody can give. Obviously a lot of machines aren't patched and are getting compromised because of that. But with what's happened this year, we've seen that patching is not enough because there are more and more zero-day exploits out there. People need to start thinking of going beyond patching. Traditionally we've been talking about anti-virus and anti-malware software, which is critical.
But the problem is with a lot of these attacks, because they're happening in real time, the malware that is being distributed is so novel that most antivirus software products aren't even detecting it at the specific time it's been released. That's because criminals are able to test the malware by running it against antivirus software. The next solution is being able to block attacks as early as possible. With Flash-based attacks, one of the simple things you can do is to either remove Flash, which in the long term I don't think is the best solution because eventually attackers will move to something else. Or there's a feature in Flash that allows the user to activate Flash when they need it. That's a major component in your defence because all these drive-by-download attacks assume that Flash is enabled by default. Looking at the scope of the attacks, they target vulnerabilities wherever they are in the browser. So users need to be able to use the right tools that prevent the vulnerabilities from being exploited.