
Advertising has long been a vector for nefarious actors, ranging from organized crime to a variety of other bad actors, but the proliferation of digital media, and especially the programmatic advertising marketplace, has given rise to increasing opportunities for purveyors of "malvertising" -- digital ads served to unsuspecting users that spread malware, compromise computer systems and harm consumers, publishers and platforms.
And while the magnitude has been difficult to benchmark, much less track, weakening advertising marketplace conditions are projected to accelerate the proliferation of malvertising, according to the first of what is planned to be an ongoing series of "threat assessment" reports published for the ad industry by the Trustworthy Accountability Group (TAG).
"Internet users remain largely unaware of the threat of malicious and low-quality advertisements on popular and trusted websites, social media platforms, and within search engine results because traditional cybersecurity training programs focus almost exclusively on the dangers of social engineering attacks via email and text messages - a gap that cybercriminals are increasingly using to their advantage," reads the first report in the series, "Exploiting Social Engineering Tactics On The Rise In Malvertising," which was published in July, but is being released broadly today by TAG.
The reports are generated by TAG's Malvertising Threat Exchange -- a group of both supply- and demand-side platform cybersecurity and threat assessment experts who come across new and evolving forms and purveyors of malvertising -- which meets monthly.
TAG plans to publish and distribute the reports quarterly, at least to start.
The first report reads more like a primer of the rapidly evolving malvertising marketplace, including a succinct glossary explaining the main methods used to propagate it.
In addition to malvertising, it defines related nefarious practices, including:
- Social engineering: the use of psychological manipulation to deceive a victim into revealing personally identifiable information (PII) or allowing access to a computer system.
- Phishing: a form of social engineering in which cybercriminals attempt to steal sensitive information or gain access to computer systems using fraudulent emails or other communication platforms by disguising themselves as legitimate and trusted sources.
- Multichannel phishing: the expansion of phishing to reach several channels of communication beyond email, SMS, and phone.
- Search engine optimization (SEO) poisoning: a technique used by cybercriminals to boost the overall ranking of their malicious website to appear higher on search result pages, leading unsuspecting users to click on the site and potentially download malware or other malicious content.
While the report does not explicitly benchmark the magnitude or growth rate of malvertising, TAG Vice President of Threat Intelligence Mike Lyden told MediaPost that reputable cybersecurity industry experts estimate that overall phishing is expanding at a rate of "35% to 50%" annually, and that malvertising likely is growing at an even faster rate, because the digital advertising ecosystem is so easily exploitable.
The new TAG report suggests 2023 will likely be on the high end of that growth spectrum due to the slowdown in the overall advertising marketplace, which creates more abundant supply opportunities for bad actors.
"Market conditions increase opportunities for bad ads," the report warns, adding: "The ad tech industry is seeing a slowing growth rate in global ad spending due to economic uncertainties, which may give cybercriminals more opportunities to enter the ad ecosystem and take advantage of the current market conditions."
