Security

Why Ads and Security Don’t Mix

Barry Fisher
Updated — July 24, 2020 • 5 minute read

Our CEO and founder, David Ulevitch, recently announced that OpenDNS would be turning off ads. The main reason is that, as David says, “ads and security don’t mix”. In the last few years, “Malvertising” (malicious advertising) has reached epidemic proportions. That’s bad for many reasons, but one cool thing is that OpenDNS has a product that is awesome at preventing malicious ads from impacting our customers—from Fortune 100 companies to individual home users.

Ads: A Complex and Vulnerable Ecosystem

Not many Web surfers realize that when you visit a website such as TMZ.com—a popular tabloid news site—it triggers user interactions with 352 third-party Web servers without your consent. Websites are commonly linked to dozens to hundreds of other servers—most are a result of online ads. In 1997, ad networks were established to be a conduit between advertisers and content publishers. Over the years, advertisers outsourced parts of their ecosystem to third parties, who in turn contracted out further. As a result, online ad delivery evolved into a highly complex process involving an insecure chain of often six intermediaries that come and go all the time. As with most technology innovations that pursue speed over security, cyber criminals found flaws that were easy to exploit for profit with little risk of being caught.

Malvertising: From Embarrassment to Epidemic

Even though Malvertising became a widely known and recurring threat by 2009 (e.g. Guardian article), incidents are frequently forgotten after a few days. Typically, in a Malvertising incident, the website owner suffered some embarrassment, apologized, and pointed a finger at the ad network that served the ad. Then the network owner apologized and disabled the offending ad, and everyone moved on. Today, it has evolved from mere embarrassment into an epidemic that has caught the attention of the U.S. Senate Homeland Security and Governmental Affairs Committee. After a year of investigations, a subcommittee published a report in May with this #1 finding:

“Consumers can incur malware attacks without having taken any action other than visiting a mainstream website. The complexity of the online advertising ecosystem makes it impossible for an ordinary consumer to avoid advertising malware attacks, identify the source of the malware exposure, and determine whether the ad network or host website could have prevented the attack.”

In 2014, two separate Malvertising incidents impacted millions of Yahoo and YouTube users. In both, simply searching for something or watching a video was enough to lead to an infection. The Online Trust Alliance testified that, based on its research, Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions. Cisco’s 2013 Annual Security Report found that online ads were the second most common source of Web malware encounters, accounting for 16% of all encounters Cisco observed, and 182 times more likely to lead to a malware encounter than viewing adult content.

Source: Online Trust Alliance

Over the years, a majority of the largest ad networks have been compromised, including DoubleClick (Google), YieldManager (Yahoo!), AppNexus, rad.msn.com (Microsoft), and Fimserve.com (FOX Audience Network). By focusing on ad networks, attackers obtain an effective channel for indirectly compromising thousands of websites through malicious banner ads, and then targeting every visitor or specific visitors. The biggest Web properties have been impacted, including Facebook.com, YouTube.com, MLB.com, USNews.com, NYTimes.com, LATimes.com, WashingtonPost.com, HuffingtonPost.com, LondonStockExchange.com, TheOnion.com, SFGate.com, DailyMotion.com, SpeedTest.net, Hoovers.com, Tucows.com, Hotmail, Yahoo! Mail, numerous ad-supported mobile apps, and even ad-supported desktop apps like Spotify.

Attackers: As Clever as Advertisers

To deliver malicious ads to you, attackers either socially engineer a good reputation for their own fake ad network or advertising service, or hack their way into an existing vulnerable ad network. In the former case, attackers often claim to partner with well-known and legitimate online advertisers—even by using falsified letters of mandate. Attackers gain trust by first offering the targeted publishers creative ads that are clean, before pushing out malicious ones.

A common misconception is that you must click on ads to get infected, which is sometimes true, but often not. Online ads appear to be an image hosted on the website, but they’re neither hosted on that website nor just an image. Ad networks, which are not under the control of the host website, decide which ad to send you, but often don’t actually deliver the ads. Instead, the ad networks instruct your browser to call a server designated by the advertiser. Also, ads often deliver files and entire programs to your browser.

To infect you, HTML-based JavaScript or Flash-based ActionScript covertly routes your browser to a different server that hosts an exploit kit. Flash is scary because it embeds sophisticated logic into the ad, which manipulates your browser as the ad is displayed. Ads can be instructed to only attack you and others at particular times and geographies. Some examples are delaying the attack until after the ad network examines and approves the ad, or until holidays, when it’s peak time for people to surf and off time for advertisers’ personnel to promptly remove offending ads. Law enforcement personnel have commonly found calendars marked with U.S. holidays in cyber-criminal hideouts in foreign countries. And if the attackers know that ad malware scanners are located on servers in Los Angeles and New York, they might instruct ads to only be malicious for visitors in San Francisco.

The exploit kits themselves probe your browser environment for possible vulnerabilities to attempt. Despite frequent flaws discovered in Adobe and Java browser plug-ins, the security community is vigilant in monitoring this activity. Yet Cisco expects Microsoft’s streaming media plug-in—Silverlight—to become the target of more exploit kits. Best known for enabling Netflix’s streaming video service, Silverlight also supports 60% of rich Internet apps—so it will be a bad day for everyone when Malvertising finds its way onto one of these massive streaming platforms.

Security: Reroute Visitors Around Malvertising

Online ads often provide the primary or only revenue source for Websites that offer some amazing free content and services. OpenDNS was a great example of this, yet the risks of Malvertising clearly outweigh the benefit of a few more dollars. Today, we no longer rely on this revenue source to operate either our free or paid services, because we’ve proven to over 10,000 businesses and thousands of home users how amazing our enterprise-grade security service—Umbrella—is at blocking such threats.

As nefarious as Malvertising is, it does have an Achilles heel: your browser must connect to third-party Web servers via a domain name. When your browser asks which IP address is mapped to that domain name, and either the domain or the IP is tied to Malvertising, Umbrella routes your browser to our block page server instead—even when you’re not in the office or at home.
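The paragraph above describes DNS-layer blocking in one sentence: the resolver answers a lookup for a domain (or a domain whose address) is tied to Malvertising with the address of a block page, so the browser never contacts the third-party server. The following is an added illustration of that policy logic, not OpenDNS or Umbrella code. It generalizes the description slightly by matching a blocklisted zone against every subdomain beneath it and by checking the resolved address against blocklisted networks. The zone data, blocklists and block-page address (`UPSTREAM_RECORDS`, `BLOCKED_DOMAINS`, `BLOCKED_NETWORKS`, `BLOCK_PAGE_IP`) are all constructed for this example using documentation address ranges.

```python
"""Toy DNS policy resolver: illustrates the DNS-layer block described in
the post. Constructed example, not OpenDNS/Umbrella code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for what a recursive resolver would learn upstream.
UPSTREAM_RECORDS = {
    "www.example-news.test": "198.51.100.10",   # ordinary publisher
    "ads.example-adnet.test": "203.0.113.25",   # ad server on a flagged network
    "cdn.example-adnet.test": "203.0.113.26",
    "tracker.bad-ads.test": "192.0.2.77",       # host under a flagged zone
}

# Constructed policy: a blocked zone (covers all subdomains) and a blocked network.
BLOCKED_DOMAINS = {"bad-ads.test"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCK_PAGE_IP = "192.0.2.1"  # constructed block-page address


@dataclass
class Answer:
    name: str
    address: Optional[str]   # None models NXDOMAIN
    blocked: bool
    reason: Optional[str] = None


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing root dot.
    return name.rstrip(".").lower()


def _matching_zone(name: str, blocked_domains) -> Optional[str]:
    """Walk up the label chain (a.b.c -> b.c -> c) and return the first
    ancestor that is on the blocklist, so subdomains of a blocked zone
    are blocked too."""
    labels = _normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_domains:
            return candidate
    return None


def resolve_with_policy(name: str,
                        upstream=UPSTREAM_RECORDS,
                        blocked_domains=BLOCKED_DOMAINS,
                        blocked_networks=BLOCKED_NETWORKS) -> Answer:
    """Answer a query the way a policy-enforcing resolver would:
    1. a blocked domain is answered with the block page before any upstream
       lookup, so the client never learns the real address;
    2. otherwise resolve normally;
    3. if the resolved address sits in a blocked network, substitute the
       block page as well (the 'or IP' half of the post's description)."""
    zone = _matching_zone(name, blocked_domains)
    if zone is not None:
        return Answer(name, BLOCK_PAGE_IP, True,
                      f"domain is under blocked zone {zone}")

    address = upstream.get(_normalize(name))
    if address is None:
        return Answer(name, None, False, "NXDOMAIN")

    ip = ipaddress.ip_address(address)
    for net in blocked_networks:
        if ip in net:
            return Answer(name, BLOCK_PAGE_IP, True,
                          f"resolved address {address} is in blocked network {net}")
    return Answer(name, address, False)


if __name__ == "__main__":
    for q in ["www.example-news.test", "ads.example-adnet.test",
              "tracker.bad-ads.test", "BAD-ADS.TEST.", "nonexistent.test"]:
        a = resolve_with_policy(q)
        print(f"{q:28} -> {a.address!s:15} blocked={a.blocked} ({a.reason})")
```

The domain check runs before the upstream lookup because that is the cheap, early decision point; the network check covers ad servers that rotate hostnames but keep the same hosting. Keep in mind that this protection applies only to clients that actually send their queries to the policy-enforcing resolver, which is why the post emphasizes coverage for users who are off the office network.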
