Malvertising degrades consumer trust in the digital advertising industry, and stymies industry growth by feeding ad revenue to criminals. This problem has been compounded by the COVID-19 pandemic, with criminals taking advantage of the crisis to target the digital advertising industry with new COVID-themed malvertising attacks.
While the term malware can mean malicious software of any sort delivered by any means, “malvertising” refers to the use of digital advertisements – including creative, tags and landing pages – specifically to distribute malware, often for financial gain. Malvertising comes in a variety of forms. A legitimate ad can become malvertising – it can be corrupted once it has been placed on a publisher website, when it passes through an ad tech intermediary, or before a campaign even begins. In other cases, criminals create fake advertisers or advertising agencies, pretending to represent legitimate clients in an ad buy while in reality distributing fake ad creative infected with malware. Sometimes, rather than focusing on ads directly, criminals simply compromise third-party scripts or pieces of code (3PC) that are delivered with an ad or page content for measurement or viewability purposes.
Malvertisers have taken full advantage of the COVID-19 pandemic to launch new malvertising attacks, often preying on specific fears about the virus. In a recent whitepaper, the Trustworthy Accountability Group (TAG) outlined findings that malicious or fraudulent functionality is found in 1 out of every 100 online ads, suggesting malvertising affects up to 20% of user sessions. According to recent research, daily malware threats to the digital ad supply chain increased an average of 18% as news of COVID-19 drove increased web traffic. And with unemployment skyrocketing, malvertisers whose criminal pursuits might have previously been a hobby have made orchestrating malware attacks a full-time job. According to research by The Media Trust, several well-known malvertising attacks increased by 300% beginning in March 2020, just as COVID-19 quarantine began in many parts of the world.
Since its inception in 2015, TAG has facilitated threat-sharing across the digital ad industry designed to stop malvertising attacks, and it continues to partner with industry leaders to strengthen its anti-malware certification and threat-sharing programs. Our work has proven that everyone in the digital advertising industry can benefit from following these simple, proven best practices.
by Bonnie Niederstrasser, Director of Policy & Standards, Trustworthy Accountability Group
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.