Hackers’ New Camouflage: Online Ads

Consumer confidence online was dealt another blow this Spring when seven of the Netherlands’ most popular websites served malicious ads to visitors. This follows the revelation in March that hackers hijacked advertising software on websites including the New York Times, the BBC, AOL, and the NFL to conduct cyberattacks. The latest cybersecurity failures pull back the curtain on an unsustainable data supply chain, threatening the trust at the heart of the digital economy. Just as the brakes on your car are intended to help you go fast (consider how fast you would drive if you didn’t have brakes), better security can accelerate the progress of internet business models. 

What happens when the websites we trust become tools for hackers? 

Not the First, Nor the Last

The latest attack is certainly not the first to exploit advertising providers. In the incident, hackers targeted vulnerabilities in multiple advertisers to turn online ads into vehicles for ransomeware – malware that encrypts files and demands ransom for the keys. The scope of this attack dwarfed previous attempts: the infected sites receive total visitors in the billions. These repeated incidents of advertising software running wild and posing a threat to readers’ security adds fuel to the ad blocker fire. 

Unlike highly secure, business-critical cloud providers like Salesforce, advertisers have a poor cybersecurity track record. A few months back, hackers used a similar strategy against online readers of The Economist. The details of this incident highlight the uphill battle site hosts face in keeping visitors safe. In the Economist’s case, the weak link was a vendor named PageFair, an anti-ad blocking service. A series of security failures, individually minor, gave hackers access to PageFair’s Content Distribution Network (CDN). It all started with a compromised email account and escalated because PageFair did not have multi-factor authentication activated on their CDN. In a different incident, Forbes asked visitors to disable ad blockers while unknowingly serving malware via advertisements.

Lydia Leong is a VP and distinguished analyst at research firm Gartner

 Malware delivery is not the only threat from online advertisers. Trackers used for targeted advertising gather detailed information on peoples’ online activity and can be used to profile and target victims in a method referred to as a “watering hole” attack. The average employee is tracked by five different online services, for an average of 31 services tracking employees across an entire company. They are all potential sources of intelligence for hackers looking for a chink in a company’s cybersecurity armor. With information from these services, hackers can find out the websites visited by users from a company. Imagine a watering hole attack campaign targeting your company’s Workday users by planting malware on your employees’ favorite websites.

Hackers used a Chinese restaurant's online menu to attack oil company employees.

 Fingerprinting is an advertising tool that collects information on the software used by web visitors. Hackers can leverage this information to target attacks on visitors with outdated, vulnerable software. And by the way, much of this data is available for sale, no hacking necessary.

Jeremiah Grossman is the chief of security strategy at SentilenOne.

An Online Security Crisis

 The poor security in current online advertising environments fundamentally disrupts online trust. These security failures demonstrate a lack of maturity in this ecosystem: after all these years it still feels like the wild west. Site owners can be victims but ultimately are accountable.

Matt Blaze is an Associate Professor of Computer and Information Science at the University of Pennsylvania

Complexity is typically an enemy of security; the more hands data touches, the more vulnerabilities exist for data leakage. The proliferation of online data and ad providers creates a huge risk for companies’ digital channels. The New York Times not only needs to ensure the security of their own systems, they also need to choose vendors who they trust not to be compromised.

In the enterprise cybersecurity world, this vector is known as third-party or partner risk. A Fortune 500 corporation’s cybersecurity defenses are only as strong as its weakest link, which may be a much smaller vendor, as Target realized. While companies may exercise caution with customer data in their own possession, they don’t always conduct due diligence before handing data off to vendors – whether for lack of discipline or effective tools. To make matters worse, most enterprises have “shadow” vendors, vendors who are grandfathered and who have access to the enterprise data and networks without necessary oversight.

Cloud technology only exacerbates this tendency, as companies can effortlessly share large amounts of data with a few clicks. Analyzing cloud traffic shows that the average enterprise connects with 1,555 business partners. Only 8% of business partners are high-risk, but they receive 30% of data shared. Business to business vendors can be especially attractive targets because they consolidate customer data from multiple companies. 58 “super partners” are connected to over 50% of enterprises. The breach of online photo vendor PNI, for example, affected CVS, Walmart Canada, Costco, Tesco, and Rite Aid. This is exactly the same reason compromising the New York Times’ and AOL’s advertising vendor had such widespread consequences.

Innovation Depends on Trust

 New technology lowers barriers to data sharing, but security needs to catch up. Third-party risk is by no means unique to online advertising. As a bleeding edge field, advertising software needs to contend with the challenge sooner rather than later. The vast amounts of data generated and shared in the digital age force the issue of privacy and security early on. Pagefair’s report estimates lost ad revenue due to adblockers at $22 billion last year, and the number of users grew 41% globally. The technological arms war between adblockers and anti-adblocking software only wastes more resources and tests consumer patience. 71% of adblocker users are in general not actually against advertising. The sooner companies address the predatory vulnerabilities in their digital presence, the more willing consumers will be to engage in data transactions that are the bread and butter of online publishing.

Keith Block is Vice Chairman, President, and COO of Salesforce.com

 To return to an earlier analogy, although brakes slow a car down, they ultimately enable the driver to confidently attain higher speeds. Establishing trust in a digital ecosystem removes barriers to adoption. In the case of advertising technology, there’s no question the status quo is unsustainable. Consumers will keep flocking to adblockers as long as sites put their information at risk.

A reminder for all companies: Your digital presence is an extension of your brand experience.

What’s invasive and dangerous in the physical world remains so online. Theft has moved to the internet, and companies need to design their online experience accordingly.