The Malicious 1% of Ads Served
Last week at IMC Vancouver 2014, cyber-security researcher Apostolis Zarras of Ruhr-University Bochum presented a research paper entitled “The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements” that he co-authored with other researchers, including my fellow Lastline co-founder Christopher Kruegel and me. For this paper, we performed the first large-scale study of ad networks that serve malicious ads, or “malvertising,” investigating the safety of 600,000 ads on 40,000 websites.
The basic idea behind the experiment was to use a real browser to crawl both very popular and not-so-popular websites and analyze the ads that were served. If clicking on an ad led the browser to a suspicious website (that is, a host deemed malicious by 5 or more public blacklists, or a landing page that is suspicious according to Wepawet), we marked the advertisement as a “malvertisement.”
During this experiment we looked at which services (ad networks, ad brokers, ad providers) delivered the ad that was eventually displayed on the page.
The malicious 1% of ads served
Ultimately, we measured that on average 1% of served ads led to suspicious pages. When multiplied by the millions of ads served every day, that is a sizeable number. Interestingly, entertainment and news websites hosted more malvertising than adult websites. This widespread proliferation of malvertising through unsecured or undersecured ad networks on mainstream websites is a serious threat to both Internet users and the Internet economy.
Malvertising can be prevented in modern browsers by using the sandbox attribute of iframes in HTML5, which can protect those who click on ads from link hijacking (the most common vector for malvertising in our study). Unfortunately, not one website we looked at used this attribute to protect its users.
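The following is an added example, not code from the paper or from this post: a Node.js audit that checks every iframe in a page's HTML for the sandbox attribute and flags frames that are unsandboxed or that grant top-level navigation. It assumes link hijacking means the framed ad redirecting the top-level page; the sample markup, the `ads.example` host and the verdict names are constructed for illustration.

```javascript
// Added example: audit <iframe> tags in page HTML for the sandbox attribute.
// SAMPLE_HTML is constructed; ads.example is a placeholder host.
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1"></iframe>
<iframe src="https://ads.example/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example/slot3" sandbox="allow-scripts allow-popups"></iframe>
<IFRAME SRC='https://ads.example/slot4' SANDBOX></IFRAME>
`;

// Sandbox tokens that let framed content navigate the top-level page.
const TOP_NAV_TOKENS = new Set([
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
]);

// Parse the attributes of one opening tag into a map with lowercase keys.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tag) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<iframe/i, "").replace(/\/?>$/, "");
  for (const m of body.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Return one finding per iframe: "unsandboxed", "top-navigation-allowed" or "ok".
// Regex-based for brevity: a ">" inside an attribute value would confuse it,
// so a production audit should run against a real DOM instead.
function auditIframes(html) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttributes(m[0]);
    const src = attrs.get("src") ?? "(no src)";
    if (!attrs.has("sandbox")) {
      findings.push({ src, verdict: "unsandboxed", risky: [] });
      continue;
    }
    // Sandbox tokens are space-separated and case-insensitive.
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    const risky = tokens.filter((t) => TOP_NAV_TOKENS.has(t));
    findings.push({ src, verdict: risky.length ? "top-navigation-allowed" : "ok", risky });
  }
  return findings;
}

for (const f of auditIframes(SAMPLE_HTML)) console.log(f.verdict, f.src);
```

An empty `sandbox` attribute, as in the fourth sample frame, applies every restriction, which is why it is reported as "ok".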
As stated in the paper presented in Vancouver last week, “one of the greatest and most prevalent cyber-threats facing marketers, advertising and creatives is malware.” When you consider how pervasive malvertising is based on these findings, it could be one of the greatest threats to the Internet as we know it. Thankfully, there are clear steps that can — and should — be taken today to stamp out malvertising.
Editor’s note: Some ad networks expressed concerns about the validity of ranking them by the percentage of benign ads in our dataset, which was included in a previous version of this blog post. We have removed that section while we investigate those concerns.