The Malicious 1% of Ads Served

Last week at IMC Vancouver 2014, cyber-security researcher Apostolis Zarras of Ruhr-University Bochum presented a research paper entitled “The Dark Alleys of Madison Avenue, Understanding Malicious Advertisements” that he co-authored along with other researchers including my fellow Lastline co-founder Christopher Kruegel and myself. For this paper, we performed the first large-scale study of ad networks that serve malicious ads or “malvertising,” investigating the safety of 600,000 ads on 40,000 websites.

Our research revealed the widespread and presumably uninvited distribution of malware through online ad networks, dubbed “malvertising.” To detect malicious behavior in ads we used a composition of blacklists and Wepawet, a honeyclient developed at UCSB that uses an emulated browser to capture the execution of JavaScript to identify signs of maliciousness such as drive-by-download attacks. (Side note: Wepawet celebrates its 6th birthday this Friday, November 14.)

The basic idea behind the experiment was to use a real browser to crawl both very popular and not-so-popular web sites, analyzing the ads that were served. If clicking on an ad would lead the browser to a suspicious web site (that is, a host that is deemed malicious by 5 or more public blacklists or a landing page that is suspicious according to Wepawet) then we would mark the advertisement as “malvertisement.”

During this experiment we looked at which services (ad networks, ad brokers, ad providers) delivered the ad that was eventually displayed on the page.

The malicious 1% of ads served

Ultimately, we measured that on average 1% of served ads led to suspicious pages. When multiplied by the millions of ads served every day, that is a sizeable number. Interestingly, entertainment and news websites hosted more malvertising than adult websites. This widespread proliferation of malvertising through unsecured or undersecured ad networks on mainstream websites is a serious threat to both Internet users and the Internet economy.

Malvertising can be prevented in modern browsers by using the sandbox attribute of iframes in HTML5, which can protect those who click on ads from link hijacking (the most common vector for malvertising in our study). Unfortunately, not one website we looked at used this attribute to protect its users.
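As an added illustration (not code from the paper or from Lastline), the following audit scans a page's HTML for ad iframes and reports any that lack the `sandbox` attribute or that hand back `allow-top-navigation`, the permission an ad needs to redirect the whole page; the sample page and the ad URLs are constructed for the example.

```javascript
// Added example: audit <iframe> tags for the HTML5 sandbox attribute.
// An ad frame with no `sandbox`, or with a sandbox that re-enables
// top-level navigation, can send the visitor's whole tab elsewhere
// (the link-hijacking vector the study found most common).

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into a {name: value} map.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per iframe: { src, sandboxed, risk }.
function auditIframes(html) {
  const findings = [];
  let m;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.src || '';
    if (!('sandbox' in attrs)) {
      findings.push({ src, sandboxed: false, risk: 'no sandbox: frame may navigate the top-level page' });
      continue;
    }
    const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
    const nav = tokens.filter((t) => t.startsWith('allow-top-navigation'));
    // Click-throughs can still open in a new tab via allow-popups instead.
    findings.push(nav.length
      ? { src, sandboxed: true, risk: `sandbox grants ${nav.join(', ')}` }
      : { src, sandboxed: true, risk: 'ok' });
  }
  return findings;
}

// Constructed sample page: one unsandboxed slot, one safe, one too permissive.
const SAMPLE_PAGE = `
<div class="ad-slot"><iframe src="https://ads.example/creative1" width="300" height="250"></iframe></div>
<iframe src="https://ads.example/creative2" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://ads.example/creative3" sandbox="allow-scripts allow-top-navigation"></iframe>
`;

module.exports = { auditIframes, parseAttrs, SAMPLE_PAGE };
```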

As stated in the paper presented in Vancouver last week, “one of the greatest and most prevalent cyber-threats facing marketers, advertising and creatives is malware.” When you consider how pervasive malvertising is based on these findings, it could be one of the greatest threats to the Internet as we know it. Thankfully, there are clear steps that can — and should — be taken today to stamp out malvertising.

Editor’s note: Some ad networks expressed concerns about the validity of ranking them by the percentage of benign ads in our dataset, which was included in a previous version of this blog post. We have removed that section while we investigate those concerns.


Giovanni Vigna

Giovanni Vigna is one of the founders and CTO of Lastline as well as a Professor in the Department of Computer Science at the University of California in Santa Barbara. His current research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He also edited a book on Security and Mobile Agents and authored one on Intrusion Correlation. He has been the Program Chair of the International Symposium on Recent Advances in Intrusion Detection (RAID 2003), of the ISOC Symposium on Network and Distributed Systems Security (NDSS 2009), and of the IEEE Symposium on Security and Privacy in 2011. He is known for organizing and running an inter-university Capture The Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world. Giovanni Vigna received his M.S. with honors and Ph.D. from Politecnico di Milano, Italy, in 1994 and 1998, respectively. He is a member of IEEE and ACM.