'Booby-Trapped' Ad Delivered Via RTB Reveals The Ever Evolving World Of Ad Fraud

Over the weekend, malware detection firm Malwarebytes Labs discovered a “booby-trapped” ad that appeared on top publishing sites such as Huffington Post and Zillow. The malware was delivered by packing the exploit into the advertisement itself -- a different approach from the usual redirect, per Malwarebytes.

The particular type of malware uncovered here is called “Cryptowall ransomware,” which a Malwarebytes representative described as “a piece of malware that encrypts your files and locks you out of your computer, demanding a ransom to recover them.” Anyone who ran an outdated version of Adobe Flash Player while visiting one of the impacted sites was susceptible to the ad.

And perhaps worst of all, the end user didn’t have to interact with the ad at all to be infected. “The mere fact of the ad loading is enough to trigger the malicious code,” explained a Malwarebytes research member.

The malicious ads -- masquerading as Hugo Boss ads -- were delivered via real-time bidding (RTB) on the Engage:BDR ad network. The “advertiser” won the RTB auction for a CPM of $2.31, per Malwarebytes.

"We’re not sure if the choice of Hugo Boss was intentional or not, but picking a well-known brand may have been a decision from the rogue advertiser to appear legitimate," said a Malwarebytes spokesperson.

Real-Time Daily also spoke with Engage:BDR about the incident. The ad tech company was candid about the issue, acknowledging that its buy-side platform delivered the ads in question. A company rep asserted that Engage:BDR has “stringent measures in place to combat malware,” and scans all tags pre-serve at an “aggressive rate.”
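A pre-serve creative gate of the kind Engage:BDR describes, written here as an added example (not the company's code): it flags a creative that is a Flash SWF binary, that embeds Flash via HTML markup, or that hides an SWF inside a base64 data: URI, so a Flash exploit cannot reach the page merely by winning the auction. All sample creatives are constructed for the demonstration.

```python
import base64
import re

# The three SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Markup that pulls a Flash object into an HTML creative tag.
FLASH_MARKUP = re.compile(rb"application/x-shockwave-flash|\.swf\b", re.IGNORECASE)

# Inline base64 data: URIs; their decoded bytes must be checked as well.
DATA_URI = re.compile(rb"data:[\w/+.-]*;base64,([A-Za-z0-9+/=]+)")


def is_swf(blob: bytes) -> bool:
    """True if the bytes carry an SWF header (3-byte magic, version, file length)."""
    return len(blob) >= 8 and blob[:3] in SWF_MAGIC


def scan_creative(blob: bytes) -> list:
    """Return the policy findings for one creative; an empty list means it passes."""
    findings = []
    if is_swf(blob):
        findings.append("swf-binary:" + blob[:3].decode())
    if FLASH_MARKUP.search(blob):
        findings.append("flash-markup")
    for m in DATA_URI.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            findings.append("data-uri:undecodable")
            continue
        if is_swf(decoded):
            findings.append("swf-inline-data-uri")
    return findings


def admit_creative(blob: bytes) -> bool:
    """Gate decision: only creatives with no findings reach the ad server."""
    return not scan_creative(blob)


# Constructed samples (hypothetical, not the creatives from the incident).
SAMPLE_SWF = b"CWS\x0a" + (100).to_bytes(4, "little") + b"\x00" * 92
SAMPLE_HTML_FLASH = b'<object type="application/x-shockwave-flash" data="ad.swf"></object>'
SAMPLE_HTML5 = b'<div class="ad"><a href="https://example.invalid"><img src="banner.png"></a></div>'
SAMPLE_INLINE = b'<embed src="data:application/octet-stream;base64,' + base64.b64encode(SAMPLE_SWF) + b'">'

if __name__ == "__main__":
    for name, blob in [("swf", SAMPLE_SWF), ("flash-html", SAMPLE_HTML_FLASH), ("inline", SAMPLE_INLINE), ("html5", SAMPLE_HTML5)]:
        print(name, scan_creative(blob))
```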

To be clear, the purpose of this post is not to knock Engage:BDR. They are not the only company dealing with this type of problem -- obviously -- and their transparency regarding this particular malware attack helped shed some light on how the “bad actors” operate.

The rep said: “This attack came through an account created falsely in the name of an agency in LA that we know and work with. The account creator had gone so far as to set up a false LinkedIn profile confirming he worked at the company. We spoke with him on the phone, looked into his online presence, and moved forward with licensing his seat. We were notified by Malwarebytes Sunday morning that they had picked up malicious post-serve action, and we terminated the account as soon as we received word. We are also working with the agency to help catch this bad actor.”

Once the person (or persons) behind the attack got into the marketplace, all they had to do was hide their malware inside the ad and make sure the ad was delivered. (The last part appears to be what made this particular attack so unique; typically malicious advertisements redirect users to other sites, but in this case the advertisement itself was carefully coded to contain the malware, said Malwarebytes.)

And what better place to ensure your ad is delivered than a real-time bidding (RTB) marketplace, where all you have to do is make sure you win the bid? The difficult part -- other than craftily coding the advertisement to hide the malware -- was to trick the actual humans by creating LinkedIn profiles, duping ad agencies and feigning phone calls. Once in the marketplace, all they had to do was flash the money.

“Unfortunately, Malwarebytes Labs does not have stats on how many users were affected, and this information would not be released by the ad agency either,” said a Malwarebytes research team member. “Having said that, the ad was placed on high ranked websites, so the impact was most likely substantial.” The company has Cryptowall removal instructions on its Web site.

The incident goes to show that the world of digital ad fraud is ever evolving. "We consider our anti-malware practices to be constantly evolving, just as the bad actors are constantly evolving," said an Engage:BDR employee. That's a thought shared by most -- if not all -- of the digital ad space.

Earlier this year, for example, Google released data on its fight against "bad ads." In a blog post, Google's Vikram Gupta, director of ads engineering, wrote: “This is a constantly evolving fight. Bad actors continually create more sophisticated systems and scams, so we too are continually evolving our practices, technology, and methodology in fighting these bad ads.”

4 comments about "'Booby-Trapped' Ad Delivered Via RTB Reveals The Ever Evolving World Of Ad Fraud".
  1. Shilpi Sharma from Kvantum Inc., April 14, 2015 at 2:54 p.m.

    Thank you Tyler for sharing this. Not sure how as a user I can make my devices safe? Is there a list of websites that are affected by this? As I believe it is sometimes hard for RTB engines to even tell where the ad was delivered.

  2. Tyler Loechner from MediaPost, April 14, 2015 at 6:22 p.m.

    Hi Shilpi. Thanks for reading and for the comment. Malwarebytes has the Cryptowall removal instructions on their site -- maybe they have preventative tips as well if you poke around.

    I'm checking on a full list of sites and will post here if I learn more. But as noted in the article, the full extent of this attack is not known.

  3. Vox Usi from The Voice of the User, May 2, 2015 at 4:24 a.m.

    You had to "run an outdated version of Adobe Flash Player while visiting", which probably was a damage-limitation factor. Which version of the said Flash Player is the latest? 

  4. Rich Kahn from, Inc., May 17, 2015 at 8:13 a.m.

    Users simply need to make sure they keep their Flash version updated to the latest and greatest. That is all you can do; however, these fraudsters usually get some malware out before an update to close the security issue is released.

    Flash has been a favorite of malware designers for years, so it makes sense for RTB and ad networks to stop accepting Flash ads. HTML5 has been around for years now and is a much better design for ads.

    It's time to force the switch from Flash to HTML5.
