
Responsibility for malvertising lies with the advertising platform

January 9, 2014 | Posted by Dan Raywood

Malvertising is a persistent challenge: reputable websites can have their advertising frames infected and used to serve up any manner of attack.


After Yahoo shut down malicious advertisements that redirected users to the “Magnitude” exploit kit, an attack made possible by the infection of a third party, Sean Power, security operations manager at DOSarrest, said that the root problem is that many banner-ad companies allow JavaScript or other code inside the advert.


“This is something we have seen before. In our case it was an advertising campaign that included a DDoS attack against one of our customers,” he said. “For companies allowing these ads on their website, the ads should be sanitised before displaying to the public.”


Power said that businesses should strike a balance between risk and profit when dealing with this type of attack, and that techniques could range from simply “trusting that all ads are malware free” to digitally signing each ad and only showing the ones that have been verified as malware free.
He also said the responsibility should lie with the ad company to sanitise all of its ads, although he pointed out that all of the bad press will be focused on the site displaying the ads (in this case Yahoo). “No one is going to take kindly to a ‘not my responsibility’ attitude when they got a virus after visiting your site,” Power concluded.


“As with any other business relationship – do your due diligence. Find out if the ad company allows code to be inserted in the ads. Anytime your business relationships have the ability to directly alter your customer’s experience, they should be part of your security review,” he said.


Video-sharing website Dailymotion was also hit by malicious adverts which, according to research by Invincea, delivered a malicious executable file posing as a tool to “clean” the visitor's “infected” machine. Visitors were automatically redirected via JavaScript to a website that displayed the fake infection warning, and that site then served up the fake anti-virus.


Luis Corrons, technical director of PandaLabs, told IT Security Guru that adverts can lead to exploit kits and that this has happened a number of times in the past. “In this kind of attack, the site serving the malicious advert has not been compromised, so I won’t say the responsibility to sanitise the ads lies directly with them,” he said.


“However, it is in the company’s own interest to protect people using their website. The company serving the ads is the one that should hold most of the responsibility, as it is their platform that is being abused.”
