The Media Trust's malware team, which provides data protection and security, has discovered a malware campaign -- about 21 separate incidents -- that hit dozens of global digital media publishers and at least 15 ad networks.
The malware uses JavaScript commands to hide within HTML5 creative ads. The malware is broken into chunks, making it hard to detect by the same attributes that enable HTML5 to render images, videos and audio. It then reassembles when certain conditions are met.
HTML5 malware isn’t new, but this is “a bit of code we have not seen before,” said Brandon Chen, malware desk manager at The Media Trust. “There’s an extra block of code that executes the redirect on the page.”
Chen said that buyers, publishers and all those in between need to take responsibility to monitor activity coming from their platforms.
There are several reasons for redirects, such as impression fraud, but in this case the goal is to get the person viewing the page to give up personal information.
In a blog post, Patrick Ciavolella, head of malware and analytics at The Media Trust, describes how the scale of the attack marks a turning point for HTML5’s alleged security by demonstrating advances that malware developers have made in exploiting the open standard’s basic functions to launch an attack.
When a user views the webpage, the JavaScript checks whether the device runs iOS and whether the user is connected through their carrier.
When the device meets certain criteria, the JavaScript inserts the malicious code into the website. The malware is reassembled and issues a separate call to automatically redirect the click to a new domain.
It then serves a pop-up ad asking the person to enter personal information. As this occurs, the JavaScript puts together the ad’s various components.
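The behaviours described above (an iOS device check, code rebuilt from chunks, a redirect out of the ad) can be used to triage creative JavaScript before it is served. The following is an added example, not code from The Media Trust or from the campaign; the trait names, regex patterns and both sample creatives are assumptions constructed for illustration.

```javascript
// Heuristic static triage for HTML5 ad-creative JavaScript (added example).
// The patterns below are assumptions about how each behaviour may appear in
// source; they are not signatures taken from the campaign.
const TRAITS = {
  // Script branches on an iOS device check.
  deviceGate: /navigator\.(userAgent|platform)[\s\S]{0,80}?\b(iPhone|iPad|iPod|iOS)\b|\b(iPhone|iPad|iPod|iOS)\b[\s\S]{0,80}?navigator\.(userAgent|platform)/i,
  // Strings rebuilt from fragments at run time.
  reassembly: /\.join\(\s*(['"])\1\s*\)|String\.fromCharCode|(?:['"][^'"]{1,12}['"]\s*\+\s*){3,}/,
  // Rebuilt text turned into running code or new script elements.
  dynamicExec: /\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(|createElement\(\s*['"]script['"]\s*\)/,
  // Navigation of the page that hosts the ad, not just the ad frame.
  topRedirect: /\b(top|parent)\.location(\.href)?\s*=(?!=)|\b(top|parent)\.location\.(replace|assign)\s*\(/,
};

// Returns the traits found and a verdict: 'review' when a device check sits
// next to a top-level redirect, or when rebuilt strings are executed.
function triageCreative(source) {
  const traits = Object.keys(TRAITS).filter((name) => TRAITS[name].test(source));
  const has = (name) => traits.includes(name);
  const gatedRedirect = has('deviceGate') && has('topRedirect');
  const hiddenPayload = has('reassembly') && has('dynamicExec');
  return { traits, verdict: gatedRedirect || hiddenPayload ? 'review' : 'pass' };
}

// Constructed sample: an ordinary click-through creative.
const BENIGN_CREATIVE = `
document.getElementById('ad').addEventListener('click', function () {
  window.open(window.clickTag, '_blank');
});`;

// Constructed sample: device-gated redirect with a URL rebuilt from pieces.
const SUSPECT_CREATIVE = `
var parts = ['https://', 'landing.', 'example', '/form'];
if (/iPhone|iPad/i.test(navigator.userAgent)) {
  top.location = parts.join('');
}`;

console.log(triageCreative(BENIGN_CREATIVE));  // no traits, verdict 'pass'
console.log(triageCreative(SUSPECT_CREATIVE)); // three traits, verdict 'review'
```

A 'review' verdict means a person should look at the creative, not that it is malicious; source-level patterns also miss code whose property names are themselves rebuilt from chunks, so this complements runtime monitoring of what the ad actually does on the page.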
Ciavolella notes in the blog post that stopping this malware has become more urgent than in the past, with the enforcement of the European General Data Protection Regulation (GDPR).
Those responsible for allowing the malware to remain on the site could be held responsible, Chen added. “It’s not difficult to see how malicious actors could start using the GDPR framework against you,” he said.
The GDPR, which penalizes infringing organizations as much as 4% of their annual revenue, is a precursor to what appears to be a growing trend around the world toward greater online privacy.
The Media Trust notes that this campaign is quickly spreading through the online world, waiting for individuals with the right devices to trigger the collection of personally identifiable information.