Posts

Equifax, Malware, and the Untrustworthy Supply Chain

As if Equifax hadn’t lost enough trust after the first hack, last week it had to deal with a second incident, which most reporters called a second hack. But apparently it wasn’t a second hack at all, but a different problem. Ars Technica wrote:

 A key part of Equifax’s website has been redirecting users to malware for an unknown period of time, a security researcher discovered this week. A video posted by independent security analyst Randy Abrams showed an Equifax webpage redirecting to a fake Adobe Flash download prompt that installs adware. The infected Equifax page, which the company took offline after discovering the problem, is used to access and update one’s credit report, meaning that many people have likely visited it in the weeks since Equifax disclosed a data breach affecting more than 145 million Americans.

But the new incident was not a second hack – Equifax told MC that the malicious redirect came from a vendor’s faulty code. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” a spokeswoman said. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.” Equifax appears to use a disreputable third-party ad provider, Iron Source, which is known for facilitating “malvertising,” the process of implanting malware on victims’ machines through the ads they visit.

So a third-party vendor did it? Iron Source, which has a reputation for allowing malvertising? Not according to a person from the anti-malware company Malwarebytes. This person said it’s incorrect to call this a hack or to attribute it to ads. In fact, the third-party script was a web analytics component, not ad code. But that analytics script was itself leveraged to load a domain serving as an “ad rotator.”

That is the general problem with third-party scripts: the site owner does not control what the vendor’s script serves or what it loads next, so every site that embedded that particular tag was at risk, not just Equifax. The ad rotator delivered very low-quality redirects, suggesting that these were not even targeted ads.

While malvertising remains quite common, compromised analytics tags are less so. What are the takeaways from this incident?

Our biggest takeaway is that you have to know every single step in your supply chain, and every partner must be certified and trusted. There are far too many unknown intermediaries in digital transactions for us to feel comfortable about our visitors’ data, and we have to limit their number for safety’s sake.
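As an added example (not code from the original post, and not Equifax’s or any vendor’s code), here is a small Python audit of a page’s script supply chain that illustrates both the mechanism described above and the takeaway. The static check lists every third-party script tag in the page and flags hosts that are not on an explicit allowlist and tags that carry no Subresource Integrity hash; the runtime check compares the hosts the browser actually fetched against the same allowlist. The second check is the one that catches what happened here, an allowlisted analytics tag that itself loaded an ad-rotator domain, because a static audit cannot see scripts injected at run time. All hostnames, the sample HTML, the integrity value and the list of observed requests are constructed placeholders.

```python
"""Inventory the script supply chain of a web page.

Added example; not code from the original post or from any vendor it names.

  1. audit_html()   static: every external <script src> in the page's own HTML,
                    flagged when its host is not allowlisted or when it has no
                    Subresource Integrity (integrity="...") attribute.
  2. diff_runtime() dynamic: hosts the browser actually fetched (e.g. exported
                    from a HAR file) that no allowlist entry covers. This is the
                    check that sees a tag which loads a second, unvetted domain.

All hostnames and URLs below are constructed placeholders.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit


@dataclass
class ScriptRef:
    src: str
    host: str            # "" for a relative URL, i.e. served first-party
    has_integrity: bool  # True when an integrity="sha..." attribute is present


class _ScriptCollector(HTMLParser):
    """Collects external <script src=...> tags; inline scripts are skipped."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[ScriptRef] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return
        # urlsplit handles absolute, protocol-relative (//host/x.js) and relative URLs
        host = urlsplit(src.strip()).netloc.lower()
        self.scripts.append(ScriptRef(src, host, bool(attr.get("integrity"))))


def audit_html(html: str, first_party: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Static check of the page's own markup."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings: Dict[str, List[str]] = {"unknown_host": [], "no_sri": []}
    for s in parser.scripts:
        if s.host in ("", first_party):
            continue  # first-party code is the site's own responsibility
        if s.host not in allowed:
            findings["unknown_host"].append(s.src)
        if not s.has_integrity:
            # Without SRI, whoever controls the vendor's CDN can change what this
            # tag executes at any time without touching the publisher's page.
            findings["no_sri"].append(s.src)
    return findings


def diff_runtime(observed_urls: List[str], first_party: str, allowed: Set[str]) -> List[str]:
    """Hosts actually contacted by the browser that the allowlist never admitted.

    A static audit cannot see <script> elements that an allowlisted tag injects
    at run time, so this runtime inventory is the check that matters most.
    """
    seen = {urlsplit(u).netloc.lower() for u in observed_urls}
    seen.discard("")
    return sorted(h for h in seen if h != first_party and h not in allowed)


# --- constructed sample data -------------------------------------------------
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://static.example.com/lib.js"
        integrity="sha384-AAAAAAAA" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
<script src="//tracker.unknown-vendor.example/collect.js"></script>
</head><body></body></html>"""

FIRST_PARTY = "www.example.com"
ALLOWED = {"cdn.example-analytics.net", "static.example.com"}

# Requests the browser made while rendering the page (constructed, as one would
# export them from a HAR file). The last two hosts appear nowhere in the HTML.
OBSERVED = [
    "https://www.example.com/js/app.js",
    "https://cdn.example-analytics.net/tag.js",
    "https://static.example.com/lib.js",
    "https://tracker.unknown-vendor.example/collect.js",
    "https://adrotator.example/rotate.js",   # injected by tag.js, not by the page
    "https://fake-flash-prompt.example/",    # destination of the ad rotator's redirect
]

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML, FIRST_PARTY, ALLOWED))
    print(diff_runtime(OBSERVED, FIRST_PARTY, ALLOWED))
```

Two caveats on the design. Subresource Integrity pins one file; many analytics vendors change their tag frequently and publish no hash, and even a pinned file can load whatever it likes afterwards, which is why the runtime diff is the check that would have surfaced the ad-rotator domain. The same allowlist can be enforced in the browser rather than merely audited by publishing it as a Content-Security-Policy script-src directive, so that a request to a host outside it is blocked instead of only logged.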

That’s why we have a private platform where this cannot happen. We have weeded out low quality sites, we have only quality inventory, only high quality partners, and no one else enters the supply chain once we set up a buy. This must be the way the entire industry operates in the future. If we don’t let the bad apples in, they can’t corrupt our supply chain or compromise the data of any of our partners.


Malvertising Raises Questions About Ad Blocking

A recent Buzzfeed article totals up the recent loss of jobs in digital media as publications struggle to adjust to new market forces. Because of the dominance of Facebook and Snapchat, media organizations that once hoped to make it at scale have cut back to pursue niches, which we believe is the best strategy for the present. But even niche publications have to contend with malvertising and poor delivery of ads to mobile devices.

Other headwinds are also hitting the publishing industry. On Medium this week, Rob Leathern, a long-time digital advertising critic, wrote that crummy ads (he used other language) cost iPhone users $8 billion in data charges last year:

We ran across 7 websites for 3 minutes, and loaded 1712 URLs on average, whereas the top 10 blockers on average needed just 493 calls to render all the content and images on these sites -> this means that advertising technology accounts for 71% (1,228 hidden items loaded) of what loads on your mobile phone in an average web session! I think that’s just crazy, and hard to justify for the small amount of advertising revenue most sites are making off of us.

Focus on the last sentence. Consumers are paying for the data, advertisers are paying for the ads, but publishers are still not making any money. Fortunately, mobile consumers are not yet blocking ads in the numbers desktop consumers are, and we can fix this problem if we hurry.

We’ve been heavily involved in the Online Trust Association (OTA) for years, and we are working on the Advertising Integrity Committee this year. This morning the organization sent around an article about a massive malware infestation in the Netherlands:

As of Monday, at least 288 websites had been infected with malvertising, exposing millions to poisoned ads.

One example of how far its tentacles have reached: the campaign has hit Nu.nl, the most-visited Dutch-language news portal.

Nu.nl alone is estimated to have scored more than 50 million visitors in March, according to Tech Week Europe.

Other affected sites include eBay-style service Marktplaats.nl and well-known news and culture sites, according to Fox-IT.

The campaign originated in an advertising platform used by the affected sites.

OTA is worried that consumers might respond to this by blocking ads, which the organization does not feel is a suitable solution, because most ad blocking software is itself untrustworthy. Most of it maintains white lists or allow lists of advertising it does not block, and those lists are increasingly being used as a vector to reach consumers with ads.

In our own case, we have created a private buying platform for our publishers that is designed to keep malware out and is very closely monitored so that it refuses to serve questionable sites. Working with both the Interactive Advertising Bureau (IAB) and the OTA, we’re engaged in being as much a part of the solution as we can. We can only do our best to lure back angry consumers.