Over the weekend, malware detection firm Malwarebytes Labs discovered a “booby-trapped” ad that appeared on top publishing sites such as Huffington Post and Zillow. The malware was delivered via an ad by packing the exploit into the advertisement itself -- a different approach, per Malwarebytes.
The particular type of malware uncovered here is called “Cryptowall ransomware,” which a Malwarebytes representative explained as such: “A piece of malware that encrypts your files and locks you out of your computer, demanding a ransom to recover them.” Anyone that ran an outdated version of Adobe Flash Player while visiting one of the impacted sites was susceptible to the ad.
And perhaps worst of all, the end user didn’t have to interact with the ad at all to be infected. “The mere fact of the ad loading is enough to trigger the malicious code,” explained a Malwarebytes research member.
The malicious ads -- masquerading as Hugo Boss ads -- were delivered via real-time bidding (RTB) on the Engage:BDR ad network. The “advertiser” won the RTB auction for a CPM of $2.31, per Malwarebytes.
"We’re not sure if the choice of Hugo Boss was intentional or not, but picking a well-known brand may have been a decision from the rogue advertiser to appear legitimate," said a Malwarebytes spokesperson.
Real-Time Daily also spoke with Engage:BDR about the incident. The ad tech company was candid about the issue, acknowledging that its buy-side platform delivered the ads in question. A company rep asserted that Engage:BDR has “stringent measures in place to combat malware,” and scans all tags pre-serve at an “aggressive rate.”
To be clear, the purpose of this post is not to knock Engage:BDR. They are not the only company dealing with this type of problem -- obviously -- and their transparency regarding this particular malware attack helped shed some light on how the “bad actors” operate.
The rep said: “This attack came through an account created falsely in the name of an agency in LA that we know and work with. The account creator had gone so far as to set up a false LinkedIn profile confirming he worked at the company. We spoke with him on the phone, looked into his online presence, and moved forward with licensing his seat. We were notified by Malwarebytes Sunday morning that they had picked up malicious post-serve action, and we terminated the account as soon as we received word. We are also working with the agency to help catch this bad actor.”
Once the person (or persons) behind the attack got into the marketplace, all they had to do was hide their malware inside the ad and make sure the ad was delivered. (The last part appears to be what made this particular attack so unique; typically malicious advertisements re-direct users to other sites, but in this case the advertisement itself was carefully coded to contain the malware, said Malwarebytes.)
And what better place to ensure your ad is delivered than a real-time bidding (RTB) marketplace, where all you have to do is make sure you win the bid? The difficult part -- other than craftily coding the advertisement to hide the malware -- was to trick the actual humans by creating LinkedIn profiles, duping ad agencies and feigning phone calls. Once in the marketplace, all they had to do was flash the money.
“Unfortunately, Malwarebytes Labs does not have stats on how many users were affected, and this information would not be released by the ad agency either,” said a Malwarebytes research team member. “Having said that, the ad was placed on high ranked websites, so the impact was most likely substantial.” The company has Cryptowall removal instructions on its Web site.
The incident goes to show that the world of digital ad fraud is ever evolving. "We consider our anti-malware practices to be constantly evolving, just as the bad actors are constantly evolving," said an Engage:BDR employee. That's a thought shared by most -- if not all -- of the digital ad space.
Earlier this year, for example, Google released data on its fight against "bad ads." In a blog post, Google's Vikram Gupta, director of ads engineering, wrote: “This is a constantly evolving fight. Bad actors continually create more sophisticated systems and scams, so we too are continually evolving our practices, technology, and methodology in fighting these bad ads.”