AdSecure analysed more than 1 million ad campaigns across multiple regions, devices, and browsers for partners between 1st January and 31st December 2019.
Looking at what will be big in 2020, Bryan Taylor, Sales Manager at AdSecure, shares his top four ad tech predictions and how bad actors could manipulate them.
In our Q2 violations report, cyber criminals ramped up their attacks for spring: AdSecure observed a major increase in detections for Adware and Scareware violations compared to Q1.
AdSecure, the innovative digital security company that works with ad platforms and publishers to ensure a secure, engaging online advertising experience for users, has released its security violations report for Q1 2019. AdSecure's always-online solution uses a crawler built around modern browser technology, analysing ad creatives to detect malicious threats, non-compliance and ad quality issues in real time.
For this report AdSecure analysed more than 200,000 ad campaigns across multiple regions, devices, and browsers for our partners between 1st January and 31st March. These findings provide insights into cyber-criminal behaviour during Q1: where they were most prolific, how they delivered their attacks, their malicious weapons of choice, and what AdSecure's detections revealed in order to stop malicious ads and protect end users from them.
Top 10 GEOs with security violations
The percentages are shares of the combined total for these top 10 GEOs (summing to 100%). They are generally considered to be part of the tier 1 country group, with the occasional exception of Argentina. AdSecure's product manager Mat Derval commented, "Affluent populations are prime targets for cyber criminals. These richer populations are more likely to buy fake security or fake repair software when being redirected to tech support scams as well as being targeted by malware distribution attacks such as the Emotet banking trojan."
Top 5 GEOs violation breakdown
Drilling down further into the data, AdSecure performed a detailed analysis of the top 5 in order to rank the percentage of detected violations targeted at each country. We can see that Browser locker was by far the biggest violation by volume, the only exception being Canada, where it came second to Malware attacks at 50%. Around a quarter of violations were Malware attacks in the USA and Belgium, while Scareware was the second most detected violation in France, Argentina, and the USA.
Browser lockers - the biggest current threat
With the prevalence of Browser locker detections in 8 out of the top 10 GEOs, AdSecure looked globally at which browsers cyber criminals targeted with their Browser locker activity on desktop and mobile.
With 70% of detections coming from Google Chrome, Mat Derval commented, "To a cybercriminal it is all about volume and Google Chrome is indisputably the most popular browser. The criminal doesn't know how long he can get away with the attacks, therefore the life cycle of the attack could be short, so by targeting the world's biggest browser he can maximise the revenue of the malicious campaign by exposing it to as many end users as possible."
In conclusion Mat Derval explained, "The biggest threat in Q1 2019 was clearly Browser lockers, including Push lockers, a new variation on this threat, distributed by bad actors who exploit a flaw in the push notifications opt-in process. AdSecure was able to detect a massive amount of those attacks because our crawler is powered by modern browser technology, which is crucial in order to catch the latest versions or mutations of threats. We detected this new trend at the end of Q4 2018, and we were able to release a major update to our crawler at the beginning of Q1 2019 to protect our clients and partners."
The key takeaways: using data to fight cyber-crime effectively
- Follow the money; threat actors certainly do. Much like criminals flock toward the high spending we see within the programmatic and mobile ad marketplaces, targeting affluent nations where digital marketing budgets flow at an astounding pace (digital ad revenues surpassed $100 Billion in the US in 2018) is a no-brainer for a fraudster looking to make the most of an attack. Frequent, diligent scanning and analysis of your campaigns running within these affluent regions will go a long way toward eliminating the most dangerous threats lurking within your ad inventory.
- Everyone loves Google Chrome, including malvertisers. With Chrome being the dominant browser, the likelihood of an attack targeting Chrome users increases dramatically. When looking at how best to distribute the monitoring resources at your disposal, focusing on campaigns frequently viewed on Chrome is a great practice for mitigating attacks.
- Modern threats require a modern solution. AdSecure was the first provider to identify the push locker mutation of the browser locker attack thanks to the modern tech powering our crawler. Working with modern solutions is key to uncovering every new threat before it can infect your ad delivery.
- Analyse your campaigns, a lot. Attacks can infect the redirection path at any time during an active campaign's lifecycle, meaning that a creative you scanned right at launch can go from clean to dirty several days after launch. The best way to stay one step ahead is to scan the creatives for threats regularly, using a comprehensive approach that aims to keep threats out pre-flight and once your campaign is in flight.
This security violations report is the first of what will be an ongoing, quarterly analysis of the always evolving world of digital risk. In future reports we will compare current quarterly data with past reports to take a look at how digital ad attacks change over time, where improvements can be found quarter on quarter, and what new threats are rising in popularity. We look forward to providing both our partners, and all stakeholders within the digital advertising ecosystem, with insights that will help them build a safer digital world. For everyone.
AdSecure provides constant detection and notification of security, compliance & quality issues within the digital ad supply chain.
It should come as no surprise to anyone involved in the digital advertising ecosystem that fraudsters are always looking for new methods to target users with sophisticated digital attacks. As soon as innovative new ways of engaging with users are developed, cyber criminals aren't far behind with a method for exploiting these innovations, particularly when there's money to be made. Now, as push notification ads grow in popularity, a new threat to user security that capitalises on the push notification flow itself has arrived: push lockers.
Upon identifying these push-notification-specific lockers, between February and March AdSecure saw a 563% increase in the detection of browser locker attacks, and at the time of writing this article, we have protected our partners from more than 20 unique push lockers in under 24 hours.
What is a push notification ad?
Push notification ads are simple clickable messages, accompanied by a small image, that are delivered to desktop browsers or mobile devices, but only once a user has consented to receiving them. This is a key point: because users have agreed to see the ads, they are perceived as less intrusive than traditional formats and achieve a higher level of engagement from the user.
Push notifications work by displaying an initial permission request — managed by the browser — when a user is visiting a site for the first time. Once the user agrees to receive these push notifications, they will receive them based on the frequency set out by the publisher. Should a user opt not to see push notifications, the browser logs this choice as well, and they won't be asked to subscribe to them again.
What is a push locker?
The push notification format, while relatively new, is growing in popularity within the online marketplace for all the reasons mentioned previously: users have to opt in to see them at all, and with that consent comes a higher rate of engagement. Brands using push notifications are seeing increased click-through rates, and just as marketers are seeing the clear benefits the format provides, cyber criminals are becoming wise to the potential for driving malicious campaigns straight to users' screens. What has developed out of these sinister intentions is a new form of browser locker specifically designed around the natural behaviour of a push ad.
How do push lockers work?
When you make the choice to opt-in, or out, of receiving push notifications on a particular site, the browser manages the request and saves the choice. However, it's the way the browser saves this choice — either by domain, or subdomain — that can expose the user to trouble. What happens if you opt out, but the website redirects you automatically to another subdomain? Can you guess what's coming? This allows the user to be prompted again to accept the push notification. So naturally, you decline this new request, and then you're sent to yet another subdomain and asked again, and again, and again. Suddenly you are trapped in an endless looping push notification nightmare, and escape can only be had by giving in and "consenting" to receive the push notification.
Incredibly annoying, right? But this is tame compared to what other push lockers are capable of.
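The loop above works because the browser remembers a notification decision per origin, so every new subdomain is a fresh origin that may prompt again. The following Node.js example is added here and is not AdSecure's code: it models that per-origin permission store, replays a crawl in which the simulated user always declines, and then flags the pattern a verification crawler would look for (several prompts on distinct hosts under one site after refusals). The hostnames, the event traces, the threshold and the two-label registrable-domain heuristic are all constructed assumptions for illustration.

```javascript
// Added example (not AdSecure's code). Models the browser's per-origin
// notification-permission store and a detector for the subdomain-hopping
// prompt loop. All hostnames, traces and thresholds are constructed.

// The browser remembers the user's answer per origin, so a host that was
// never answered is free to prompt. This is the behaviour a push locker abuses.
class PermissionStore {
  constructor() { this.decisions = new Map(); }
  decide(origin, decision) { this.decisions.set(origin, decision); }
  // 'default' means the site may prompt; 'granted'/'denied' are remembered.
  state(origin) { return this.decisions.get(origin) || 'default'; }
  mayPrompt(origin) { return this.state(origin) === 'default'; }
}

// Assumption: no public-suffix list is used; the last two labels are treated
// as the registrable domain. Real tooling should consult a PSL instead.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Replay a crawl. Each hop is the hostname the page redirected to; the
// simulated user declines every prompt. Returns the origins that prompted.
function simulateCrawl(hops, store) {
  const prompts = [];
  for (const host of hops) {
    const origin = `https://${host}`;
    if (store.mayPrompt(origin)) {
      prompts.push(origin);
      store.decide(origin, 'denied');   // user says no, browser remembers it
    }
  }
  return prompts;
}

// Detector: a legitimate site prompts once per origin. If `threshold` or more
// distinct hosts under the same registrable domain prompted during one crawl,
// the creative is hopping subdomains to defeat the remembered refusal.
function detectPushLocker(prompts, threshold = 3) {
  const bySite = new Map();
  for (const origin of prompts) {
    const host = new URL(origin).hostname;
    const site = registrableDomain(host);
    if (!bySite.has(site)) bySite.set(site, new Set());
    bySite.get(site).add(host);
  }
  const flagged = [...bySite.entries()]
    .filter(([, hosts]) => hosts.size >= threshold)
    .map(([site, hosts]) => ({ site, promptingHosts: [...hosts] }));
  return { isPushLocker: flagged.length > 0, flagged };
}

// Constructed traces (not real indicators). The first keeps redirecting to a
// new sibling subdomain after each refusal; the second is a normal site that
// prompts once and then loads an asset host.
const lockerHops = ['a1.example-locker.test', 'a2.example-locker.test',
                    'a3.example-locker.test', 'a4.example-locker.test'];
const benignHops = ['news.example-pub.test', 'news.example-pub.test',
                    'cdn.example-pub.test'];

function runPushLockerDemo() {
  return {
    locker: detectPushLocker(simulateCrawl(lockerHops, new PermissionStore())),
    benign: detectPushLocker(simulateCrawl(benignHops, new PermissionStore())),
  };
}

console.log(JSON.stringify(runPushLockerDemo(), null, 2));
```

The benign trace produces two prompts (the second visit to the same host is silent because the refusal was remembered), which stays under the threshold; the locker trace produces one prompt per hop and is flagged. In a real crawler the prompt events would come from the browser automation layer rather than a simulated store, but the grouping logic is the same.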
What type of push lockers has AdSecure encountered?
Since first discovering this new form of attack, our development team went on the hunt, uncovering various types of push lockers. In one particularly sophisticated case, users clicking anywhere on the page other than the buttons to allow or block the push would cause the browser to switch to full-screen mode, preventing the user from doing anything else until they accepted the push notification, which in turn led them to a scam offer, the forced download of malware, or a similar security threat. In a separate case, we encountered a push locker that kept users locked on the consent page until they accepted the push, all the while quietly mining cryptocurrencies in the background. Those who opted in were then redirected to a new offer page which also launched the cryptocurrency miner, leaving the user with no safe option to take.
When this type of push locker is implemented on a mobile browser, the entire device is rendered useless for the owner, again until they are forced to consent. In all cases, the looping push notification locks the user into an action they absolutely do not want to take, and puts them at severe risk of exposure to exploits or other security breaches.
What is the solution?
The relative speed at which push lockers have appeared on the scene has caught some ad verification providers off guard. They either weren't aware of the problem quickly enough, or they aren't using the modern technology needed to detect push lockers with any degree of consistency and precision.
Push lockers are sophisticated and pernicious, and in order to catch them early and often, the scanning technology being used needs to be based on the most modern browser technology available. This is one of the reasons AdSecure — with a crawler powered by Chrome — was the first ad verification provider to uncover these looping push notifications, and continues to be the only provider catching them at high frequency, and a strong level of precision.
As more publishers and ad platforms begin to work with the push notification ad format, push locker attacks will spread across the digital ads landscape. Make sure your partners are working with an ad verification provider that has the resources and the knowledge needed to track down push lockers and keep them from hurting digital users.
AdSecure empowers ad platforms & publishers to take back control of their ad quality by providing constant detection & notification for ad security, compliance, and quality issues within the digital ad supply chain.
To learn more about how AdSecure is driving a safer digital world for everyone, contact us today.
25 July 2018. AdSecure, the ad verification tool used by ad networks, ad operations teams and publishers, today announced that it has added detection of the auto-redirect to its arsenal. The auto-redirect is considered an annoying format and is also widely used by cybercriminals for distributing malicious advertising.
This intrusive technique affects desktop, mobile and tablet. Mobiles are particularly affected by auto-redirects on both Android and iOS.
AdSecure's Product Manager Mat Derval commented, "These malicious auto-redirect ads used to only affect junk websites, but recently auto-redirects have been placed on reputable websites including The New York Times amongst others. AdSecure's team and our technology have enabled us to quickly develop and get to market the software needed to detect this malicious ad format. Ad platforms and publishers that use AdSecure's all-in-one malware detection package benefit from keeping their users safe from being exposed to malicious ad formats."
If you would like to find out more about incorporating AdSecure into your business, please visit our contact page for more information.
Six questions about ransomware and malvertising with AdSecure's Product Manager Mathieu Derval.
What role does phishing play in ransomware attacks?
Phishing is probably one of the most popular types of social engineering attack. The objective is to trick someone into clicking on a link contained within a message that looks like it comes from a well-known/genuine company (often including a copycat logo); the user is then tricked either into giving away sensitive information (login, password or other) through a fake online form which seems legit, or, in other cases, into downloading infected files that execute as soon as the user opens them, encrypting their data and asking for a ransom.
From an ad verification solution point of view, phishing is indeed an important vector for spreading ransomware. Malvertising campaigns are crafted by cybercriminals to lure victims into clicking on ads or links in websites that redirect them to other websites hosting exploit kits designed to use vulnerabilities in web browsers or plugins on the visitor's computer to install and execute ransomware.
How serious a threat is ransomware?
Apart from traditional spam distribution, ad networks and publishers may often act unwittingly as intermediaries, targeting thousands or even millions of potential victims. The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed upon them. A script hidden in an infected ad will run in the background and look for vulnerabilities on the user's computer so it can quietly download and execute a malicious application such as ransomware.
What are the best ways to prevent a ransomware attack?
– Do not open any emails from untrusted sources.
– Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.
– Keep your plugins updated and disable or uninstall the ones you don't frequently use, including Java.
– Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.
– Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.
– When using your mobile, only install apps from the official app stores and try to run background checks before installing any suspicious apps.
– Ad platforms and publishers have to constantly monitor their ads with an ad verification tool, especially after the campaigns are live, since attackers can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behaviour is detected, an email notification is immediately sent to the ad platform/publisher, giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.
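The last item above, like the "analyse your campaigns, a lot" takeaway in the Q1 report and the malvertising article later on this page, comes down to one operational idea: record the redirect chain at approval time, re-scan on a schedule from several geo/device profiles, and raise an alert carrying the full chain whenever a later scan reaches a host the approved chain never did. The following Node.js example is added here and is not AdSecure's code; the creative id, hostnames, profile names and scan results are constructed, and the comparison uses hostnames only as a simplification.

```javascript
// Added example (not AdSecure's code). Keeps a per-creative baseline of the
// approved redirect chain and diffs later scheduled scans against it.
// Creative ids, hostnames, profiles and results are constructed.

// A scan is the redirect chain the crawler followed for one creative under
// one profile (geo + device). Only hostnames are compared here (assumption).
function hostsOf(chain) {
  return chain.map(url => new URL(url).hostname);
}

// Baseline = every host seen across all profiles of the approval scan.
function buildBaseline(approvalScans) {
  const allowed = new Set();
  for (const scan of approvalScans) {
    for (const host of hostsOf(scan.chain)) allowed.add(host);
  }
  return allowed;
}

// Compare one later scan with the baseline. Any host not in the baseline is a
// deviation: the chain changed after approval, which is exactly the
// "clean at launch, dirty days later" case the text warns about.
function compareScan(baseline, scan) {
  const newHosts = hostsOf(scan.chain).filter(host => !baseline.has(host));
  return {
    creativeId: scan.creativeId,
    profile: scan.profile,
    deviates: newHosts.length > 0,
    newHosts,
    chain: scan.chain,   // full chain travels with the alert for the report
  };
}

// Run every scheduled scan and keep only the deviating ones as alerts.
function alertsFor(approvalScans, scheduledScans) {
  const baseline = buildBaseline(approvalScans);
  return scheduledScans
    .map(scan => compareScan(baseline, scan))
    .filter(result => result.deviates);
}

// Constructed data: the chain approved at launch from two profiles, then a
// later scheduled scan in which the mobile profile picks up an extra hop to a
// host that was never part of the approved chain.
const approvalScans = [
  { creativeId: 'cr-1', profile: 'US/desktop',
    chain: ['https://ads.example-net.test/click', 'https://landing.example-brand.test/'] },
  { creativeId: 'cr-1', profile: 'FR/mobile',
    chain: ['https://ads.example-net.test/click', 'https://landing.example-brand.test/'] },
];
const scheduledScans = [
  { creativeId: 'cr-1', profile: 'US/desktop',
    chain: ['https://ads.example-net.test/click', 'https://landing.example-brand.test/'] },
  { creativeId: 'cr-1', profile: 'FR/mobile',
    chain: ['https://ads.example-net.test/click', 'https://landing.example-brand.test/',
            'https://x7.example-unknown.test/go'] },
];

function runScanDemo() {
  return alertsFor(approvalScans, scheduledScans);
}

console.log(JSON.stringify(runScanDemo(), null, 2));
```

Scanning from more than one profile matters because the deviation only appears on the mobile profile here; a desktop-only monitor would have reported the creative clean. The alert keeps the whole chain rather than just the new host so that whoever triages it can see where in the path the change happened.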
How can an active ransomware attack be contained?
For the ad platforms, the challenge lies in being capable of detecting and identifying the malicious campaign while it is active (which usually lasts between a few hours and a couple of days, since criminals try to ensure that it remains undetected). For this reason ad platforms need to monitor and scan the offers running on their network continuously to be able to stop the propagation as soon as possible.
Does it ever make sense to pay a ransom?
This criminal business model has proven to be very lucrative given the vast and varied pool of potential victims. Law enforcement officials discourage victims from paying ransoms; there is no guarantee whatsoever that your files will be accessible again after you pay. Yet many will end up paying those ransoms in the hope of getting their files back. This decision should be the last resort, in case all other alternatives have failed (no offline backup available to recover the encrypted files, or no free decryption tool available). As long as individuals and organizations continue to pay ransoms, we can't expect this criminal scheme to disappear.
How is ransomware likely to evolve over the next few years?
Even if, during the last few months, crypto-mining attacks have taken centre stage and cybercriminals are increasingly embracing this new way of making money from the internet, ransomware attacks will probably continue to increase and evolve in the coming years: the threat landscape will see more and more well-organised and well-funded groups that will employ technical tools or software vulnerabilities, such as the EternalBlue exploit used in the WannaCry attack in May 2017, but also social engineering skills to access computer systems and networks. At the same time, we can expect Ransomware-as-a-Service to become more accessible, and cybercriminals will expand their targets beyond financial objectives to political and strategic interests, with the intent to cause damage and not only extortion.
AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.
This new kind of malvertising attack points out once again the need for ad platforms and publishers to use ad verification tools to protect their network, reputation and visitors' safety. AdSecure now offers the detection of crypto-mining activity. Contact us to see how we can help safeguard your network or sites against malvertising.
Malvertising, or malicious advertising, is the practice of using web advertisements to spread malware with little to no user interaction required. Cybercriminals use the same advertising strategies as legitimate ad companies, except that malvertisements will either try to download malware directly to visitors' devices upon viewing, or send visitors to websites that distribute viruses, ransomware or other unwanted and malicious programs.
How does malvertising work?
Rather than attempting to trick users into visiting a malicious website, attackers use the granular profiling functionality provided by ad networks to spread financial malware, data-stealing malware, ransomware and other cyber threats, or if applicable, ads that will trigger an automatic redirection to landing pages hosting exploit kits.
The standard way for attackers to spread malware is to disguise their ads as offers for the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed on them. An obfuscated script in an infected ad runs in the background and looks for vulnerabilities on the user's computer so it can quietly download and execute a malicious application such as ransomware.
One of the most frustrating aspects is how easy it is for attackers to bypass ad platforms' safeguards, either because of insufficient checks or, more seriously, because they can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behaviour is detected, an email notification is immediately sent to the ad platform/publisher, giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.
Who has this affected so far?
Unfortunately no publisher can be considered absolutely safe. You have probably heard of many cases recently, but here are a few examples of some of the most trusted websites online that have been affected: Forbes, MSN, Yahoo, The New York Times, BBC, Spotify… and the list continues to grow.
How do you protect yourself against malvertising?
Besides not clicking on questionable ads, here are some recommendations to help ensure you remain safe from threats distributed by malvertisements:
- Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.
- Keep your plugins updated and disable or uninstall the ones you don't frequently use, including Java.
- Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.
- Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.
- When using your mobile, only install apps from the official app stores and try to run background checks before installing any suspicious apps.