Blockers Alone Won't Cure Malvertising Woes

Criminals continue to infect millions of consumers by exploiting programmatic ads despite the efforts of some publishers and platform providers that use blockers to help prevent bad ads from souring user experience. However, The Media Trust has discovered that cybercriminals have found new ways to bypass those blocker defense solutions and execute their malicious code, while staying under the radar of security teams.

These commercial blocking solutions use scripts designed to detect and obstruct malicious domains and are often installed in a content delivery network. Researchers found that ad blockers might not be the complete solution to the malvertising problem.

“Recently, The Media Trust Digital Security & Operations (DSO) team prevented bad ads from executing on a publisher’s website, protecting their audience of 900,000 per week from infection,” Chris Olson, CEO, The Media Trust wrote in a blog post.

Despite the client’s use of malware blocking solutions, malware slipped through the blocker’s cracks in “dq6375rwn2aoi.cloudfront.net,” a known malicious domain. “It was disguised in a cloak of additional code that made it unrecognizable and unreadable, a process called obfuscation."

Malvertising drives up the costs of the US digital marketing, media and advertising industry by more than $8bn each year, according to our separate email interview with Olson. “Not surprisingly, many companies have turned to products that promise a quick fix, and blocking solutions are one example.

“No sooner than these solutions hit the market do bad actors begin stepping up their game with malware that can work around them and persist, often to conduct a multi-phased attack. One technique used in about 90% of mobile redirects is obfuscation – padding malware code with more code so blockers can’t recognize it. When malware is obfuscated, blockers fail to detect and thwart them.”

The Media Trust found that another deterrent to many blockers’ effectiveness is the lag between the time that new malware hits the ecosystem and the time that blocker data is updated, which is on average about every three to five days. “If a new attack occurs every 30 seconds, at least 8,000 attacks occur between updates. A single attack can infect from one to millions of victims.”