Most people are familiar with online ads. You see them every day on the webpages you browse. Most people also know that these ads are "targeted."
For example, if you're shopping for a car and browsing related sites, you seem to start seeing more car-related ads, and sometimes ads for the exact manufacturer that you are interested in.
Google, Yahoo! and ad networks have spent billions of dollars and years developing these targeting technologies so that ads can be served to "target" their audience.
However, protecting ad network infrastructure is a hard problem to solve. The ad ecosystem is so large and so sophisticated that it's hard to pinpoint which party in the ad serving chain is ultimately responsible for a malicious ad.
In most cases, the website that displays the ad and the end user who sees the ad have no control over what ads will be displayed. This becomes a perfect playground for attackers. The technology is readily available, the cost is low, and the impact is not only great, but can be precisely targeted.
Most security-aware readers have heard the very hot term "targeted attacks", or "advanced persistent threats" as we call them in the industry. This is a new generation of attack in which the attackers target the individuals and organizations that they want to breach or infect. This is more powerful than infecting the general public; the attackers may be seeking specific information, source code, or intellectual property from a company or a government organization.
This is where advanced threats and online ads intersect, and the key word is "targeted."
Attackers have learned to leverage the advanced, ready-made, and cheap technologies of the online ad ecosystem to serve their attacks. When they do so, the attacks can easily be targeted at a geographic location, at a certain time, or at a specific industry or community. They can turn the ad campaigns on and off, and they can see the click rate to determine success.
The attackers' ecosystem is built to differentiate humans from automated crawlers and to make sure content is served to humans only. This makes it difficult for automated security scanners to "see" the malicious ads and block them.
Industry initiatives such as the anti-malvertising working group at the Online Trust Alliance (OTA) are starting to look at the issue, and security vendors like Symantec and Armorize have started to provide solutions and technologies that monitor for malvertisements on websites and in ad networks. But it's still very early, and there are many more battles to come.