Posts

Equifax, Malware, and the Untrustworthy Supply Chain

As if Equifax hadn’t lost enough trust after the first hack, last week it had to disclose a second incident, which most reporters called a second hack. But apparently it wasn’t a second hack at all; it was a different problem. Ars Technica wrote:

A key part of Equifax’s website has been redirecting users to malware for an unknown period of time, a security researcher discovered this week. A video posted by independent security analyst Randy Abrams showed an Equifax webpage redirecting to a fake Adobe Flash download prompt that installs adware. The infected Equifax page, which the company took offline after discovering the problem, is used to access and update one’s credit report, meaning that many people have likely visited it in the weeks since Equifax disclosed a data breach affecting more than 145 million Americans.

But the new incident was not a second hack – Equifax told MC that the malicious redirect came from a vendor’s faulty code. “The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor’s code running on an Equifax website was serving malicious content,” a spokeswoman said. “Since we learned of the issue, the vendor’s code was removed from the webpage and we have taken the webpage offline to conduct further analysis.” Equifax appears to use a disreputable third-party ad provider, Iron Source, which is known for facilitating “malvertising,” the process of implanting malware on victims’ machines through the ads they visit.

So a third-party vendor did it, and that vendor was Iron Source, which has a reputation for allowing malvertising? Not according to a person from Malwarebytes, a company whose products detect malware. This person said it is incorrect to call this a hack or to attribute it to ads. The third-party script was a web analytics component, not ad code. But that script was leveraged to load a domain serving as an “ad rotator,” and the rotator sent visitors on to the fake Flash prompt.

Apparently, that is the issue with third-party scripts: any site using that particular one was at risk, not just Equifax. The ad rotator delivered very low-quality redirects, suggesting that these were not even targeted ads.

While malvertising remains quite common, compromised analytics tags are less so. What are the takeaways from this incident?

Our biggest takeaway is that you have to know every single step in your supply chain, and every partner must be certified and trusted. There are far too many unknown intermediaries in digital transactions for us to feel comfortable about our visitors’ data, and we have to limit their number for safety’s sake.

That’s why we have a private platform where this cannot happen. We have weeded out low quality sites, we have only quality inventory, only high quality partners, and no one else enters the supply chain once we set up a buy. This must be the way the entire industry operates in the future. If we don’t let the bad apples in, they can’t corrupt our supply chain or compromise the data of any of our partners.


Trustworthy Accountability Group

The Trustworthy Accountability Group (TAG) has accomplished an incredible amount during its first year, including rolling out a TAG Registry, an Anti-Piracy Initiative, Certified Against Fraud, Certified Against Malware, and updated Inventory Quality Guidelines. Now the work begins: to round up more participants. The early adopters are already on board: 127 companies are already TAG-Registered. To be registered, companies must complete a self-assessment and attest to having certain processes and procedures in place and a plan to keep them in place for the coming year. TAG-Registered companies have been verified as legitimate participants in the digital advertising industry through a proprietary background check and review process powered by Dun & Bradstreet and approved by TAG. Once registered, companies are awarded a TAG-ID, a unique global identifier that they can share with partners and add to their ads or the ad inventory they sell.

130 people, myself included, have completed Compliance Officer Training, and have been designated Compliance Officers for their companies.

I first became involved with the Trustworthy Accountability Group last January, when it held a meeting at the IAB Annual Leadership Conference. Because I’ve represented ZEDO for five years on several industry initiatives that fit our “high-road” approach to partnership with both advertisers and sellers, I attended the meeting and listened to the plans. I had no idea how fast they would move.

By the end of the year, TAG had released a suite of anti-malware tools, including “Best Practices for Scanning Creative for Malware,” a glossary of terms that establishes a reference for malvertising types, and a Malware Threat Sharing Hub, where certified companies can join a trustworthy collaborative network that qualifies and tracks malicious ads.

The Certified Against Fraud program, which was the last to roll out, is open to participation by buyers, direct sellers and intermediaries across the digital advertising ecosystem. Requirements to achieve the TAG “Certified Against Fraud” Seal differ according to a company’s role in the supply chain. These requirements are outlined in detail in the Certified Against Fraud Guidelines.

Companies that are shown to abide by the Certified Against Fraud Guidelines receive the “Certified Against Fraud” Seal and can use the seal to publicly communicate their commitment to combatting fraudulent non-human traffic in the digital advertising supply chain.

When the group sent out its press release earlier this year on the first hundred companies to get registered, it reiterated its pledge to create industry transformation at scale. It was formed in response to multiple accusations by news sources and participants of lack of transparency. With TAG, the industry hopes to prove that it can regulate itself.

Will An End to Ad Fraud Mean Bigger Budgets?

As buyers begin to demand better metrics on both ad fraud and viewability from publishers, the definition of how to measure ad fraud keeps changing. Like viewability, fraud numbers can vary depending on the third-party monitor. And if you’ve ever seen a rat on a charged grid stop moving because of operational neurosis, you know that marketers won’t unleash the biggest budgets unless they have some standards with which they can feel comfortable.

The only thing that will change all this is greater transparency. Earlier this year, the IAB, in partnership with the ANA and 4As, started an industrywide initiative known as the Trustworthy Accountability Group to help promote transparency. The MRC is also trying to establish a certification for fraud detection. But as with viewability, it’s not so simple. In March, the group released a list of first principles around fraud detection, source identification, process transparency and accountability.

The first step is to arrive at a common definition of what constitutes fraud.

There exists a set of ad-related actions generated by infrastructure designed not to deliver the right ad at the right time to the right user, but rather to extract the maximum amount of money from the digital advertising ecosystem, regardless of whether any audience is present. There also exists a set of actions generated in the normal course of internet maintenance by non-human actors: search engine spiders, brand safety bots, competitive intelligence gathering tools. Both kinds of action, whether they appear as page views, ad clicks, mouse movements, shopping cart actions or other seemingly human activity, must be expelled from the supply chain.

The supplier (ad network, exchange or publisher) must institute technology or business practices to eliminate bots, adware and malware traffic, and other sources of malicious activity.

At ZEDO we have been active in anti-malware efforts and have been selected for the Online Trust Association’s Honor Roll four years in a row. We were on the front end of this movement long before it became fashionable, and we developed our own technologies to weed out adware and malware.

Buyers should be able to identify the URLs on which their ads appear. If the URL is masked, there must be enough trust and transparency that the buyer still feels comfortable. Suppliers must also be able to describe the processes they employ to root out fraud; this is now becoming an industry-wide supply-side requirement. There must be a rating scale, and an explanation to the buyer of how that scale works, how it is used, and what happens to the lower-quality traffic.

The intent of the industry efforts is to develop a set of best practices so companies trying to achieve compliance will know what their guidelines should be. For publishers, exchanges, and networks, this should be a big opportunity, because compliance will unleash bigger marketing budgets. And since we already comply, we’d be happy to see the fraudsters chased out of the supply chain.


Ad Blockers: Who Loses the Right to Survive?

The rapid growth of ad blocking software in Europe has rattled publishers. The figures say that up to 35% of online users, especially younger ones, block ads. With the shift to mobile, this may get worse. Some carriers have given thought to stripping mobile ads on behalf of their users, and a new Israeli company, Shine, has launched a mobile ad blocker that lets users strip mobile ads themselves. When asked why users have a right to do this, Shine argues that mobile ads consume 10% to 15% of users’ data plans, deplete battery life and slow page loads, so users should have the option to block them.

Shine’s entire marketing program is based on users’ “right” not to pay data charges to see ads. The company even refers to ad tech as “malware,” although the share of ads that are actually malware keeps shrinking. ZEDO has been active in industrywide anti-malware efforts for years, and those efforts are working. We have built the technology to spot malware and get it off our network.

Unfortunately, the courts have so far tended to side with the ad blockers. Ad blocking has been deemed a legal business, and mobile device owners (unsurprisingly) also have the right to control what is on their screens.

Really? What about the publisher’s right to stay in business? If the user won’t pay for content (and a major percentage of users will not), and advertisers cannot have their ads seen, who exactly will pay the cost of free content? The best-selling apps, according to App Annie, which surfaces and rates all apps, are free, indicating that users are no more willing to pay for apps or app content than they are to pay for news on the web.

Traditionally, the advertiser has also had rights — the right of free speech to market products to the audience in return for paying the cost of ads. And the publisher certainly has rights: the right to be in business and sell his inventory to an advertiser for a fair price.

Compounding this messy situation is that, when you look into the business models of most ad blockers, they make their money from sites that pay them to be “whitelisted.” This is a form of blackmail, but publishers must pay so their advertisers can be seen.

If the use of ad blockers keeps growing, it will force the institution at long last of paid content on the internet. After all, one way publishers can retaliate might be to block access to their sites by anyone who is running an ad blocker, unless they are willing to pay for admission to the site or pay the cost to read a specific piece of content. The internet’s 20-year “summer of love” might finally be over. Publishers have to eat, too, you know.