Security Experts: Yahoo Attack Spotlights Challenges of Malvertising

For a few days, Yahoo.com served up more than just search results. For its European customers, it also served up malicious ads.

Unfortunately for the infected, malvertising continues to pose a problem to websites of all sizes, and policing the ecosystem of online advertising remains a serious challenge.

"Spreading malware over the Web is about traffic volume," said Wayne Huang, vice president of Armorize Technologies at Proofpoint. "Large websites have the volume, but it's much harder to hack [them]. However, all large websites serve advertisements."

During the last 30 days, researchers at Blue Coat Systems have detected 47 different IP addresses used by malvertisement servers. Nearly all of that traffic occurred beginning on Dec. 29, with Jan. 2nd and Jan. 3rd being the high-water marks, explained Chris Larsen, malware researcher at Blue Coat Systems.

In the case of the recent Yahoo incident, the attackers were able to spread malware from Dec. 31 to Jan. 3 by redirecting users to sites hosting the Magnitude exploit kit. Yahoo's statement did not make clear exactly which part of the online advertising ecosystem the attackers were able to infiltrate. According to Online Trust Alliance Executive Director Craig Spiezle, many of these incidents happen through ads accepted via an ad exchange, not just through ads that companies like Yahoo accept directly.

The vast number of third-parties involved in the process of pushing ads makes addressing the issue complex.

"The way ad serving is set up today is assuming everyone is trustworthy," Spiezle said. "So you have advertisers, you have ad agencies, you have ad networks, you have ad aggregators, you have ad exchange, you have all these third-parties that touch an ad or could be putting in an ad or an ad tag to make it very efficient for sites to take and receive advertising. So that's all great. But that same flexibility in the design makes it very easy to [penetrate] and compromise any one of those."

According to RiskIQ CEO Elias Manousos, the number one attack vector for malvertisers is the impersonation of legitimate ad creators and agencies.

"ATO [account takeover] is also a major vector since many agency accounts are trusted," he said. "If a malvertiser gains access to these accounts, they are more likely to get suspect creative approved even against an ad quality team's better judgment. Number three is hacking of the infrastructure. You see this more with hosted ad servers running smaller networks or agencies."

Since a successful malvertising attack on a high-traffic site can represent a significant bounty for attackers, the threat remains persistent. The Online Trust Alliance [OTA] has been examining the issue of malicious ads for years. Among its recommendations is to create an accreditation/authentication process for new clients and ad agencies and to decline those that do not meet its standards.

But even that can fall short if ad providers are not continually measured against those requirements, Larsen said.

"A lot of it happens more or less automatically - once the 'big ad network' has vetted a prospective new partner, my sense is that they don't pay nearly as much attention to what that ad provider is doing now compared to its behavior during the vetting process," he added. "Also, there can be multiple layers of providers involved, and they're all serving chunks of obfuscated javascript instead of a simple banner graphic like the old days. Nowadays it's all about the metrics, and to gather those you need javascript. So it's often very hard for the host site for example to know who actually served the final ad in that space that they turned over to the big ad network."

"If I had my way, I would eliminate dynamic content," opined Chester Wisniewski, senior security advisor at Sophos. "Strict adherence to only retrieving ads from a short list of trusted domains and images only. No JavaScript, no video, etc. The destinations also need to be screened on a frequent basis to be sure they have not fallen victim to attackers as well."

"If you run your own ads, be sure you have humans checking the veracity of the ads and those placing them," he added.
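As an added example (not code from the article or from any of the firms quoted), the following JavaScript implements the publisher-side restriction Wisniewski describes: a creative is accepted only if it is an image served over HTTPS from a short allowlist of trusted hosts and carries no active markup, and the ad slot gets a Content-Security-Policy that permits nothing else. The allowlisted hostnames and the shape of the creative object are assumptions.

```javascript
// Constructed sample allowlist of trusted ad hosts (assumption, not real networks).
const TRUSTED_AD_HOSTS = ["ads.example-network.com", "cdn.example-agency.com"];

// The only content types an ad slot may render: static images, nothing scripted.
const IMAGE_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Any tag other than <img> counts as active content (script, iframe, object, video ...).
const NON_IMAGE_TAG = /<\s*\/?\s*(?!img\b)[a-z][\w-]*/i;

// True if host is exactly an allowlisted host or a subdomain of one.
// A plain endsWith() check would also accept "ads.example-network.com.evil.example",
// so the dot is required before the allowlisted name.
function hostAllowed(host, trusted) {
  return trusted.some((t) => host === t || host.endsWith("." + t));
}

// creative: { url, contentType, markup } as handed over by an ad server (assumed shape).
// Returns { allowed, reasons } so a rejection can be logged with every failed check.
function vetCreative(creative, trusted = TRUSTED_AD_HOSTS) {
  const reasons = [];
  let url;
  try {
    url = new URL(creative.url);
  } catch (e) {
    return { allowed: false, reasons: ["unparseable creative URL"] };
  }
  if (url.protocol !== "https:") reasons.push(`scheme ${url.protocol} is not https`);
  if (!hostAllowed(url.hostname, trusted)) reasons.push(`host ${url.hostname} not on allowlist`);
  // Strip parameters such as "; charset=..." before comparing the media type.
  const type = (creative.contentType || "").split(";")[0].trim().toLowerCase();
  if (!IMAGE_TYPES.has(type)) reasons.push(`content type '${type}' is not an image`);
  if (creative.markup && NON_IMAGE_TAG.test(creative.markup)) {
    reasons.push("markup contains active content");
  }
  return { allowed: reasons.length === 0, reasons };
}

// CSP header value for the document hosting the ad slot: no scripts, no frames,
// no media; images may load only from the trusted hosts over HTTPS.
function adSlotCsp(trusted = TRUSTED_AD_HOSTS) {
  const imgSrc = trusted.map((h) => "https://" + h).join(" ");
  return `default-src 'none'; img-src ${imgSrc}; script-src 'none'`;
}
```

Serving the slot in a sandboxed iframe with this header means that even a creative that slipped past vetCreative cannot run script or redirect the visitor to an exploit kit landing page.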

Other solutions to the problem include taking a code-signing approach similar to what is done in the world of mobile applications, Spiezle noted. However, like other proposed fixes, this can add friction, time and cost to the process of publishing ads, he said. Still, it is clear that the industry must address the issue through malware scanning, code testing and a strong vetting process.

"This [attack on Yahoo] needs to be a wakeup call that systemic changes must be in place to protect consumers from harm," Spiezle said.
