Malvertising tracker Confiant has spotted a major malvertising attack. It was first detected on the 12th November. It resulted in Confiant blocking over 5 million malvertising impressions through its platform. The ads came from an unnamed top-tier exchange. Over a single 48-hour period, more than 300 million unprotected impressions were served to publishers.
The size of the campaign is significant. Earlier this year Confiant exposed the Zirconium group, which was responsible for more than 1 billion impressions over a year. By comparison, 150 million per day equates to over 54 billion per year. Enterprise Times asked Confiant CEO LD Mangin about the attack.
What did Confiant say?
What did Confiant detect? According to Mangin: “We regularly monitor all programmatic ads that run through our platform for the presence of code associated with malvertising, namely forced mobile redirections. The incident in question is one such creative that we flagged and started seeing / blocking it at scale to the tune of ~5mm impressions in ~48 hours.”
How was it spotted? Mangin replied: “Our system performs advanced automated analysis on creative code. This analysis happens in real time and is able to recognize if the code is leveraging certain JavaScript functions or APIs associated with either bad practices or malware. When needed, we perform an additional manual analysis on the creative code. Our security team will reverse engineer any code associated with the creative in order to get a deeper understanding of the attack vector and the payload.”
What type of sites were affected? Mangin said: “A variety of content sites were affected by the campaign, but any site that runs programmatic advertising could have potentially been impacted.”
What technical measures was the malvertising using? According to Mangin: “Sophisticated bad actors will often try to determine if their campaign is being displayed in a virtual environment or to a real user. In this case the ad had code that tried to identify whether or not it was running on a real user’s device and that’s how we were able to detect that it was a malicious ad.”
What attacks/malware were instigated/spread by the attack? Mangin told us: “Forceful redirection to fake ‘you’ve won a gift card’ landing pages. These pages typically try to phish visitor data in order to commit affiliate marketing related fraud and or steal personal identification data.”
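The two behaviours Mangin describes, forced redirection of the top-level page and code that checks whether it is running in front of a real user, are the kind of thing an automated creative scanner can flag statically. The following is an added example, not Confiant's code; the rule set, rule ids and the sample creative are constructed for illustration.

```javascript
// Added example, not Confiant's code: a small static scanner for the JavaScript of an ad
// creative. It flags forced navigation of the top-level page and device/automation probes.

// Undo two trivial obfuscations before matching: "loca" + "tion" -> "location" and
// window["top"]["location"] -> window.top.location. Real creatives use heavier obfuscation,
// so this is a first filter, not a deobfuscator.
function normalizeCreative(src) {
  let out = src;
  for (let prev = null; prev !== out; ) {
    prev = out;
    out = out
      .replace(/(["'])([^"'\n]*)\1\s*\+\s*(["'])([^"'\n]*)\3/g, '"$2$4"') // join string literals
      .replace(/\[\s*["']([A-Za-z_$][\w$]*)["']\s*\]/g, ".$1");          // bracket to dot access
  }
  return out;
}

// Hypothetical rule set: the property names are standard browser APIs, the rule ids are ours.
const RULES = [
  { id: "forced-redirect", severity: "high",
    re: /\b(?:top|parent)\.location(?:\.href)?\s*=[^=]/ },
  { id: "forced-redirect-call", severity: "high",
    re: /\b(?:top|parent)\.location\.(?:replace|assign)\s*\(/ },
  { id: "automation-check", severity: "medium",
    re: /\.webdriver\b|\bcallPhantom\b|\b_phantom\b|\.plugins\.length\b/ },
  { id: "device-probe", severity: "low",
    re: /\.maxTouchPoints\b|\bontouchstart\b|\bDeviceMotionEvent\b/ },
];

// Returns the matched rules and a verdict: a redirect gated on device or automation probes
// is the pattern described above and is blocked; a bare redirect goes to manual review.
function scanCreative(src) {
  const code = normalizeCreative(src);
  const findings = RULES.filter(r => r.re.test(code)).map(r => ({ id: r.id, severity: r.severity }));
  const redirect = findings.some(f => f.id.startsWith("forced-redirect"));
  const probes = findings.some(f => f.id === "automation-check" || f.id === "device-probe");
  const verdict = redirect && probes ? "block" : redirect ? "review" : "allow";
  return { verdict, findings };
}

// Constructed sample creative (not code from the campaign) showing the described behaviour.
const SAMPLE_CREATIVE = `
  var w = window, n = navigator;
  if (!n["web" + "driver"] && n.maxTouchPoints > 0 && /Mobi/i.test(n.userAgent)) {
    w["top"]["loca" + "tion"]["href"] = "https://example.invalid/landing";
  }
`;
console.log(JSON.stringify(scanCreative(SAMPLE_CREATIVE)));
```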
What does this mean?
This is a timely detection by Confiant. This weekend will see the annual Black Friday and Cyber Monday sales. The web, social media and inboxes are already awash with advertising, and it doesn’t take much to hide malvertising in that flood of traffic. What is concerning is the size of the attack. While it won’t last for as long as Zirconium, it is delivering more than 54 times as many malvertising impressions per day as Zirconium did.
Confiant has declined to identify the top-tier exchange that is distributing the malvertising attack. The problem downstream is that many of those who will find the ads on their pages will have little in the way of solutions to identify and deal with them.
Once again this shows how the big advertising exchanges are failing in their duty to provide a safe environment for their customers. Is it time for regulators to start looking more closely at this?