Confiant, a cyber security company supporting publishers such as Tribune Media, Internet Brands, Vice Media, Peopleconnect, and Topix, identified what researchers at the company call the “single worst malware redirect attack” to date in 2018.
One in every 200 programmatic impressions acted as a malicious redirect to attack those viewing the ads. An additional three in 200 were fraudulent in-banner video (IBV) impressions, where the publisher’s display inventory was being misrepresented to video advertisers.
The hackers used a Chipotle ad developed in HTML5 to carry out a malware attack on June 11, 2018 that lasted for more than 7.5 hours until the exchange blocked the creative.
The hackers specifically targeted viewers in the U.S., about 65% running iOS and the remainder Android.
Chris Tolles, CEO and cofounder of the publisher Topix, uses Confiant’s technology to prevent redirects and block malware. “People hijack ads and redirect the session without the user doing anything,” he said. “We run ads on Taboola, Outbrain and Facebook, and then in short order they redirect the click to an app store. And we won’t know it at the time.”
Tolles said it ruined the company’s ability to run on mobile in 2016 and then blocked by a couple of ad partners in 2017.
“We have had $50 million in trailing revenue in the past year, with more than half on mobile,” he said. “[Confiant’s technology] enabled us to do more than $30 million in revenue last year. And the bad thing about it -- Google doesn’t require ad partners to prevent this from happening.”
During the latest attack in June, Confiant managed to block approximately 650,000 malicious impressions per hour. The attack occurred through a “top-tier exchange,” Confiant CEO Louis-David Mangin told MediaPost, adding that Chipotle was not in any way at fault for this incident because a hacker stole their ad and pretended to be the brand.
“The ad had a very low average CPM of 10 cents,” Mangin said. “And the ad ranged in price from 7 cents to 15 cents throughout the day.”
Each impression represents a redirect from the ad -- about 8% of the exchange's traffic during the time. “Platforms that allow them to buy the ad do not usually have proper security in place or they do not have the technology to catch this,” Mangin said. “The buy-side of the industry still uses scanners to protect themselves and scanners cannot catch these attacks.”
The link from the Chipotle ad redirected consumers to an Amazon gift card scam that presents the viewer with a fraudulent message that is intended to prompt a click to steal the user’s personal information.
Mangin said the hackers initiating the initial takeover of the browser are not often serving up the malicious content. Sometimes they will find someone willing to pay the most for the impression. “If you talk with folks over at White Ops they will tell you malicious ad redirects are still the No. 1 vector for the delivery of and creation of botnets and exploits,” he said.