Our CEO and founder, David Ulevitch, recently announced that OpenDNS would be turning off ads. The main reason is because, as David says, “ads and security don’t mix”. In the last few years, “Malvertising” (malicious advertising) has reached epidemic proportions. That’s bad for many reasons, but one cool thing is that OpenDNS has a product that is awesome at preventing malicious ads from impacting our customers—from Fortune 100 companies to individual home users.
Ads: A Complex and Vulnerable Ecosystem
Not many Web surfers realize that when you a visit a website such as TMZ.com—a popular tabloid news site—it triggers user interactions with 352 third-party Web servers without your consent. Websites are commonly linked to dozens to hundreds of other servers—most are a result of online ads. In 1997, ad networks were established to be a conduit between advertisers and content publishers. Over the years, advertisers outsourced parts of their ecosystem to third parties, who in turn contracted out further. And as result, online ad delivery evolved into a highly complex process involving an unsecure chain of often six intermediaries that come and go all the time. Like most technology innovations that pursue speed over security, cyber criminals found flaws that were easy to exploit for profit with little risk of being caught.
Malvertising: From Embarrassment to Epidemic
Even though Malvertising became a widely known and recurring threat by 2009 (e.g. Guardian article), incidents are frequently forgotten after a few days. Typically, in Malvertising incidents, the website owner suffered some embarrassment, apologized, and pointed a finger at the ad network that served the ad. Then, the network owner apologized and disabled the offending ad. And everyone moved on. Today, it has evolved from mere embarrassments into an epidemic that has caught the attention of the U.S. Senate Homeland Security and Governmental Affairs Committee. After a year of investigations, a subcommittee published a report in May with this #1 finding:
“Consumers can incur malware attacks without having taken any action other than visiting a mainstream website. The complexity of the online advertising ecosystem makes it impossible for an ordinary consumer to avoid advertising malware attacks, identify the source of the malware exposure, and determine whether the ad network or host website could have prevented the attack.”
In 2014, two separate Malvertising incidents impacted millions of Yahoo and YouTube users. In both, simply searching for something or watching a video was enough to lead to an infection. The Online Trust Alliance testified that based on its research, Malvertising increased 200%+ in 2013 to over 209,000 incidents, generating 12.4B+ malicious ad impressions. Cisco’s 2013 Annual Security Report found that online ads were the second most common source of Web malware encounters–16% of all encounters Cisco observed and 182 times more likely than viewing adult content.
Over the years, a majority of the largest ad networks have been compromised including DoubleClick (Google), YieldManager (Yahoo!), AppNexus, rad.msn.com (Microsoft), and Fimserve.com (FOX Audience Network). By focusing on ad networks, attackers obtain an effective channel for indirectly compromising thousands of websites through malicious banner ads, and then targeting every visitor or specific visitors. The biggest Web properties have been impacted including Facebook.com, YouTube.com, MLB.com, USNews.com, NYTimes.com, LATimes.com, WashingtonPost.com, HuffingtonPost.com, LondonStockExchange.com, TheOnion.com, SFGate.com, DailyMotion.com, SpeedTest.net, Hoovers.com, Tucows.com, Hotmail, Yahoo! Mail, numerous ad-supported mobile apps, and even ad-supported desktop apps like Spotify.
Attackers: As Clever as Advertisers
To deliver malicious ads to you, attackers either socially engineer a good reputation for their own fake ad network or advertising service, or hack their way into an existing vulnerable ad network. In the former case, attackers often claim to partner with well-known and legitimate online advertisers—even by using falsified letters of mandate. Attackers gain trust by first offering the targeted publishers creative ads that are clean, before pushing out malicious ones.
A common misconception is that you must click on ads to get infected, which is sometimes true, but often not. Online ads appear to be an image hosted on the website, but they’re neither hosted on that website nor just an image. Ad networks, which are not under the control of the host website, decide which ad to send you, but often don’t actually deliver the ads. Instead, the ad networks instruct your browser to call a server designated by the advertiser. Also, ads often deliver files and entire programs to your browser.
To infect you, HTML-based Javascript or Flash-based ActionScript covertly routes your browser to a different server that hosts an exploit kit. Flash is scary because it embeds sophisticated logic into the ad, which manipulates your browser as the ad is displayed. Ads can be instructed to only attack you and others at particular times and geographies. Some examples are delaying the attack until after the ad network examines and approves the ad; or until holidays, when it’s peak time for people to surf and off time for advertisers’ personnel to promptly remove offending ads. Law enforcement personnel have commonly found calendars marked with U.S. holidays in cyber-criminal hideouts in foreign countries. And if the attackers know that ad malware scanners are located on servers in Los Angeles and New York, they might instruct ads to only be malicious for visitors in San Francisco.
The exploit kits themselves probe your browser environment for possible vulnerabilities to attempt. Despite frequent flaws discovered in Adobe and Java browser plug-ins, the security community is vigilant monitoring this activity. Yet Cisco expects Microsoft’s streaming media plug-in—Silverlight—to become the target of more exploit kits. Best known for enabling Netflix’s streaming video service, Silverlight also supports 60% of rich Internet apps—so it will be a bad day for everyone when Malvertising finds its way onto one of these massive streaming platforms.
Security: Reroute Visitors Around Malvertising
Online ads often provide the primary or only revenue source for Websites that offer some amazing free content and services. And OpenDNS was a great example of this, yet the risks of Malvertising clearly outweigh the benefit of a few more dollars. Today, we no longer rely on this revenue source to operate either our free or paid services, because we’ve proven to over 10,000 businesses and thousands of home users how amazing our enterprise-grade security service—Umbrella—is at blocking such threats.
As nefarious as Malverting is, it does have an achilles heel—your browser must connect to third-party Web servers via a domain name. When your browser asks which IP address is mapped to that domain name, and either the domain or IP is tied to Malvertising, Umbrella routes your browser to our block page server instead—even when you’re not in the office or at home.
