HTML5: A Safe Haven for Malware?

Authored by Patrick Ciavolella, Head, Malware Desk and Analytics, The Media Trust

Mobile Redirects Targeting iOS Devices.

In the digital marketing and media world, the user experience is king. HTML5 has played a key role in enabling developers to deliver a richer yet smoother user experience and, as everyone presumed, without the security risks frequently associated with plugins like Flash. In fact, over the past five years, developers, along with publishers and browser providers, have staged a mass exodus from Flash technology into HTML5, which seemed to promise greater security and more advanced web app features. In 2015, when the Interactive Advertising Bureau updated its digital advertising guide with best practices for using HTML5, they cited security as the chief reason behind publishers’ adoption of HTML5.

Over the past two months, The Media Trust malware team has discovered numerous malware incidents which call into question HTML5’s mantle of security.  The malware, which has produced at least 21 separate incidents affecting dozens of globally recognized digital media publishers and at least 15 ad networks, uses JavaScript commands in order to hide within HTML5 creative and avoid detection. The scale of the infection marks a turning point for HTML5’s presumed security and demonstrates the advances malware developers have made in exploiting the open standards’ basic functionality to launch their attack.

HTML5’s Cloak and Dagger

HTML5 renders multimedia content—images, videos, audio—and runs on any computer and mobile device.  The very same attributes that enable it to render popular formats without external plugins also can be used to break apart malware into chunks, making it hard to detect, and reassemble those pieces when certain conditions are met. The malware incidents recently identified by The Media Trust carried out their attacks by infecting HTML5 ads.

The screenshot below illustrates the malware’s behavior through the call chain. When a user views the media publication’s webpage, the JavaScript checks the device for key criteria, namely (1) whether the device is iOS and (2) whether the user is connected via their carrier. When the device meets these criteria, the JavaScript inserts the malicious code into the website (see line 20). The malware is reassembled and issues a separate call which automatically redirects to a new domain that serves a pop-up soliciting input of personal information. Meanwhile, the JavaScript puts together the ad’s various components (see lines 48 through 56).

Figure 1: Call Chain of 2018 HTML Malware Phishing Via an Ad

HTML5 malware are by no means new. In 2015, just as the retreat from Flash began in earnest, researchers discovered several techniques to convert HTML5 into a safe haven for malware. Their techniques used APIs, which in turn employed the same obfuscation-deobfuscation JavaScript commands in delivering drive-by malware. In 2016, tech support scammers used an HTML5 bug to freeze computers and obtain unsuspecting users’ phone numbers. One year later, The Media Trust identified a small number of HTML5 malware delivered pell-mell through a few online publishers. This year’s incidents are different because they require no interaction with the victim and are targeting devices known to make detecting malware even more challenging.

It is important to note that throughout the years, no version of the HTML5 malware has been stopped by antivirus solutions.

HTML5 Malware in the GDPR Era

In this instance, the HTML5 malware was designed to entice victims to enter their information in response to a pop-up ad and is quickly coursing through the digital marketing and media world, waiting for individuals with the right devices to trigger the collection of personally identifiable information. Thwarting this malware will be more urgent than ever as the European General Data Protection Regulation (GDPR) is applied to organizations around the world—regardless of where they are located–that collect personal information on EU citizens. The GDPR, which is poised to penalize infringing organizations as much as four percent of their annual revenues, is merely a precursor to what appears to be a growing trend around the world towards greater online privacy.  Public weariness with hacking and with platform providers sharing user data with their partners has spiked distrust even in brands whose reliability and transparency were previously believed to be unassailable.

What steps should organizations take? First, they should continuously scan in real-time their digital assets for vendors and code. Second, organizations should share and clearly written policies and enforce privacy clauses with their vendors as part of creating a compliance culture within their digital ecosystem. GDPR can impose penalties on an organization and their data processing partner even if the partner is entirely at fault.  Third, they need to lay out an expeditious process that details how they will respond to a breach or to any unauthorized vendor activity. That process should include the immediate termination of any vendor that continues to break policy or clauses after being put on notice. Finally, companies should have quick access to information in case they are required to respond to a regulatory review.

Fixing the Internet One Digital Ecosystem at a Time

Note: This article was initially published in ExchangeWire on May 10, 2018.

Read article

Over the past 14 years, The Media Trust has focused on one audacious goal: to fix the internet. The company has continuously monitored the internet for malvertising, creative quality, data leakage, and other compliance issues on behalf of organisations seeking to protect and monetise their mobile apps and websites. In this piece, ExchangeWire speaks with The Media Trust CEO Chris Olson; CRO Alex Calic; and European General Manager Matt O’Neill.

How The Media Trust delivers on its promise has evolved and expanded in scope over the years. The company’s products have noticeably shifted in approach from a reactive detect-and-notify to a pre-emptive identify-evaluate-notify-and-resolve. Olson and CTO Dave Crane started The Media Trust to meet publishers’ emergent need for a systematic way to verify whether an online ad published according to the contract with the ad buyer: on the right page location, to the right audience, at the right time. Next, they pioneered malware scanning and spawned services for malware prevention, creative QA, and data protection. Today, the company helps their clients address the three dimensions of digital risks – security, privacy, and quality – from a single platform known as ‘Digital Vendor Risk Management’. “We work with most of the largest publishers, advertising exchanges, demand side platforms (DSPs), brands, and e-commerce companies”, explains Olson.

Continue reading

INFOGRAPHIC: GDPR Bill of Rights

This infographic was first posted in Digiday on May 8, 2018.

What are the Experts saying about PyRoMine?

Article appeared in Brilliance Security Magazine, April 25, 2018.

Read article

Recently, a new python-based cryptocurrency mining malware that uses the ETERNALROMANCE exploit was uncovered and dubbed “PyRoMine.” This malware is particularly malicious and those Windows machines that have not installed the patch from Microsoft remain vulnerable to this attack and similar attacks.

Alex Calic, Chief Strategy and Revenue Officer of The Media Trust explains, “Cryptomining is a profitable business, and its perpetrators are accelerating in numbers and innovation thanks to a growing number of weaponized exploits in their arsenals. What makes this incident unique and alarming are (1) the exploit’s ability to spread fast around the world, (2) the malware’s ability to disable a machine’s security features for future attacks, and (3) the malware authors’ intent to test a campaign before a multi-phased, full-scale launch. Such a campaign will pave the way for harvesting CPU power and personal data from millions of Windows users. Now is the time for enterprise IT to fortify their defenses by identifying who is executing on their sites and flagging suspect executables that indicate unauthorized activity may be afoot. Otherwise, enterprises may find themselves running afoul of GDPR, a European privacy protection regulation that goes into force on May 25th and is poised to fine infringing parties up to four percent of their annual global revenue.”

Continue Reading

Data is Power: Wield it Wisely

This article originally appeared in Corporate Compliance Insights on April 16, 2018.

Read article 

The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, its troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.

Continue reading

 

5 Reasons to Swing by The Media Trust Booth at RSA 2018

While it might be the biggest cybersecurity event of the year, RSA 2018 can be overwhelming. The crowds, lectures, sparkly gadgets, and more can confuse the senses and make you forget about your top security priorities. Don’t worry, The Media Trust is there to answer your questions about digital security and compliance. No matter what your industry (banking, ecommerce, media, government, hospitality, etc.), your corporate mobile apps and websites have the potential to be your greatest business assets or largest source of security, revenue, and reputational risks. Learn how we close the gaps in your security and compliance posture that traditional web appsec tools don’t.

Here are five reasons to swing by our booth next week:

1. Identify and Remedy your Digital Shadow IT
   Many industry experts will caution you against shadow IT, only a handful will tell you where to look for it. We not only expose the shadow IT on your enterprise mobile apps and websites but also detect concealed threats like malicious code injection, unauthorized data collection, latency issues, as well as help remediate these issues via our Digital Vendor Risk Management platform.

2. GDPR Compliance – we walk the talk
Your mobile apps and websites are out of control – no, this isn’t a hyperbolic statement. With third parties contributing anywhere between 50-75% (sometimes as high as 95%) of your code base, controlling data collection activity that violates the GDPR directive isn’t straightforward. Speak to us about how to regain control of your digital assets.

Catch our session, GDPR Compliance–You forgot your digital environment, on Thursday, April 19, between 1:45 pm – 2:30 pm at Moscone West 2018. Session ID: GRC-R12.

3. Attack intel (not the just threat intel)
Our Malware Attack Data enables you to block active attacks targeting your endpoints through frequently whitelisted, premium websites – news, travel, social networks, and more. Let’s talk about how our attack data can augment your AVs, firewalls, web filters, and blocking solutions.

4. Free website audits
Want a sneak peek into your mobile app and website shadow IT? Get a free website audit and discover the surprising number of domains and cookies (including user identifying cookies) operating outside the perimeter of your IT and security tools

5. Coffee, martinis, and comfy couches
If you don’t want to talk security and compliance, and are just curious about The Media Trust or are badly in need of caffeine, drop by and say hi! Here are our Coffee and Martini Bar hours – 
Coffee Bar: 10:00 am – 1:00 pm, April 17-18, 2018
Martini Bar: 4:00 pm – 6:00 pm, April 18, 2018

We’ll be there at Booth #2507, South Hall, Moscone Convention Center, San Francisco. Enter the South Hall, turn right, and follow the inquisitive masses.

Top 10 Mistakes Companies Make in GDPR Preparation

This article appeared in the March 14, 2018 issue of ITBusinessEdge 

Read

With the EU’s General Data Protection Regulation (GDPR) only less than three months away from enforcement, organizations are (hopefully) pulling together their GDPR strategy. However, the nuances of GDPR are something most of us are still trying to understand – and we probably won’t grasp until the regulation is in effect and tested. In the rush to meet the compliance standards, errors will likely be made. I talked to security experts, and here are some of the more common GDPR prep mistakes.

“When it comes to GDPR compliance, the primary focus for most enterprises is on determining customer, partner, and employee-held data elements by the organization. Unfortunately, most have overlooked the significant amount of data collection activities occurring via the organization’s websites and mobile apps,” explained Chris Olson, CEO of The Media Trust. “This is a critical oversight since there are anywhere between tens to hundreds of unknown vendors not only executing code but also collecting personally identifiable information on website visitors. In fact, enterprises tend to find two to three times more vendor-contributed code on their websites than expected.”

Continue Reading

Cryptomining: the new lottery for cybercriminals

This article by Chris Olson, CEO at The Media Trust, was originally published on CSO, March 14, 2018

Read

Cryptomining has surpassed even ransomware as the revenue generator of choice according to a Cisco Talos report, which claims crypto-mining botnets can earn hackers up to $500 dollars a day and a dedicated effort could equate to more than $100,000 dollars a year. Representing the perfect balance of stealth and wealth for cybercriminals and some unscrupulous, but legitimate online businesses, cryptomining is quickly becoming a major concern for enterprise IT who frequently don’t know their digital assets have been compromised.

With stringent privacy laws coming online in 2018, it is imperative that organizations know all partners that execute code on the website. This information is critical for not only identifying the rogue source but also communicating expectations and enforcing compliance—key mitigating factors when it comes to regulatory penalties.

Continue Reading

Chrome Ad Filter: Publishers are you Compliant?

Authored by Alex Calic, Chief Strategy and Revenue Officer

Ad quality determines if your website is naughty or nice.

Did you get the letter from Google? Late last summer, Google notified 1,000 website owners that their ads were annoying, misleading or harmful to the user experience.[1] Directed to Google’s Ad Experience Report, website owners were encouraged to clean up their ads.

This encouragement is now a directive. As of February 15, the latest Chrome version (v64) began to filter all ads across every website with a failing status as listed on the Ad Experience Report. Considering Chrome dominates the browser market (60-65%, depending on the resource), this news has serious repercussions for ad-supported websites. Never has so much hinged on ad quality.

Defining bad ads

The classification of a bad ad is no longer in the eye of the beholder (or media publisher). Formed in 2016, the Coalition for Better Ads (CBA) researched the acceptable advertising experience of 25,000 consumers in North America and Europe. The result is the Better Ads Standards, released in March 2017.[2]

In a nutshell, 12 ad types regularly annoy consumers and correlate to the adoption of ad blockers: 4 for desktop and 8 for mobile. Google is using the Better Ads Standards to evaluate ads on ad-supported websites. Upon initial review last summer, less than 1% of 100,000 websites contained ads violating the standards.

Fixing bad ads before they fix you

When it comes down to it, meeting the CBA standards shouldn’t be that difficult, especially if you’re a premium publisher that knows all parties contributing content to the user experience. This knowledge makes it easier to communicate and enforce any policy—be it ad quality, security, data leakage, performance and more—and cease business with those that don’t have your—and, therefore, the user—best interests at heart.

What happens if you chose to ignore the Chrome audience? Your website will be assigned a “failing” status, and if this status remains for more than 30 days, then Chrome will filter all ads running on your website. Therefore, your choice directly affects the website’s ad-based revenue continuity.

Be proactive. Adopt a holistic creative quality assurance approach to continuously assess ads—creative and tags—for compliance with regulatory requirements, company policies and industry practices, like those promoted by CBA. By developing a tactical ad governance structure, you can codify what constitutes an acceptable ad and ensure compliance with multiple industry standards.

Check: What’s your status?

The CBA also announced a self-attested certification program[3] whereby publisher participants pledge to abide by CBA standards. The program is free during the trial period, with an expectation that it will run at least until July when fees will be announced. As of now, Google agrees to not filter ads for any company participating in the CBA program. With the program’s initial steps only requiring registration, self-attestation and no fees, it makes sense for publishers to participate.

Regardless if you register with CBA, all media publishers should verify their status and take steps to remediate offending ad quality as soon as possible.

1. Verify ownership of your website on Google Search console: https://support.google.com/webmasters/answer/34592  (note, your webmaster may have already done this.)
2. Initiate verification by selecting “Manage property” and downloading the HTML file to your site. (Note, there are alternative methods such as using your Google Analytics or Tag Manager)
3. Once your website is verified, Google will initiate scanning. The process may take some time.
4. Access the Ad Experience portal: by selecting “Desktop” or “Mobile” (https://www.google.com/webmasters/tools/ad-experience-desktop-unverified?hl=en )
5. Review your website’s status for both desktop and mobile
   1. Warning or Failing status requires immediate attention
6. Remediate all ad quality issues, especially those promulgated by CBA through these steps:[4]
   1. Identify the source of the issue
   2. Communicate digital policy requirements, i.e., CBA standards
   3. Demand correction or remove the source from your digital ecosystem
   4. Document your remediation steps in the “Request review” area of the portal
7. Submit for review by clicking “I fixed this”

As a member of Coalition for Better Ads, The Media Trust has various solutions to address ad quality, from creative policy enforcement to campaign verification.

Whatever your decision, you can achieve ad revenue objectives while delivering a clean and regulatory-compliant user experience. Clearly, a more positive ad experience benefits everyone—publishers, ad/martech and agencies and, most of all, consumers.

[1] Google letter: http://adage.com/article/digital/google-send-publishers-email-stop-serving-annoying-ads/310057/

[2]  [2] Better Ad Standards: https://www.betterads.org/standards/

[3] https://www.betterads.org/coalition-for-better-ads-opens-publisher-enrollment-in-better-ads-experience-program/

[4] https://support.google.com/webtools/answer/7305902

 

5 Reasons Why: DSPs need more than an ads.txt aggregator

Authored by Jason Bickham, Vice President, The Media Trust

The Media Trust’s Ads.txt Manager for DSPs puts the muscle in managing ads.txt files.

Even as the digital ad ecosystem finds its footing in 2018, the winds of change are more of a gale than a gentle breeze. Perhaps, one of the most crucial and welcome change that is underway, is the industry-wide push for trust and transparency. The IAB Tech Lab’s Ads.txt initiative does its part by addressing one element of fraud: inventory fraud or the use of spoofed domains to mask illegitimate or counterfeit inventory. As a simple file publishers post to their domain containing a list of their inventory’s authorized direct sellers and resellers, the ads.txt initiative enjoys unprecedented adoption rate among digital publishers.

Adoption by publishers is a good start but only half of the solution. What about their upstream partners who now need to leverage this information, especially DSPs?

We quizzed some DSPs over the past few weeks and learned that while many have built their own crawlers, they are also looking for more color in open source feeds – hoping to derive benefits beyond the fodder collected by their in-house solution. There is key truth here that is hard to ignore: an ads.txt aggregator just isn’t going to cut it when it comes to managing ads.txt files and reconciling payment issues with SSPs.

That’s why The Media Trust took file aggregation a step further and created an Ads.txt Manager for DSPs. This centralized tool supports three mission-critical tasks for prime business impact by helping DSPs:

• validate digital advertising inventory
• swiftly reconcile payment issues
• build trusted relationships with downstream partners and publishers

But, don’t just take our word for it. Here’s what Ari Paparo, CEO of Beeswax, a leading provider of bidder-as-a-service programmatic solutions has to say about the Media Trust’s Ads.txt Manager: “Ads.txt can be confusing, but with The Media Trust’s tool you can quickly see a clean version of a publisher’s most up-to-date ads.txt file.”

Why go beyond a simple ads.txt file aggregators that are mushrooming across the industry? Here are five top reasons why you should adopt our Ads.txt Manager for DSPs:

You do you
DSPs need to focus on what they do best – securing the best ad placements possible for their clients! True, while checking ads.txt files definitely helps in vetting and validating advertising inventory, these files change more often than you think. Managing the growing number of ads.txt files shifts focus away from DSPs’ core competencies.

1. What about file accuracy?
The issue of accuracy when it comes to ads.txt files is critical – to fight inventory fraud you need up-to-date file versions. Our solution to the question of accuracy is simple – inaccuracies may come in but they don’t have to go out. Formatting errors and invalid content are stripped from any usable content so DSPs can make the most of what’s available without wasting time handling inadequate files.

2. Retroactive lookup and change notifications
In addition to providing access to near real-time versions, Ads.txt Manager archives every captured version of a publisher’s ads.txt file and notifies on file content changes – critical information for billing reconciliation. The tool’s query parameters include domain, key, action, “as-of” date and the DSP’s specified format for easy lookup.

3. A quick check should be quick
Verification of an ads.txt file should be quick and simple. While DSPs are welcome to open several browser tabs/ windows to manually access open source feeds or spend resources building their own tools and troubleshooting as required, The Media Trust offers a centralized platform to access the internet’s continuously updated database of accurate ads.txt files in an easy-to-parse format.

4. Trust and transparency isn’t a one-way stream
We believe that the ads.txt initiative is a step in the right direction, but DSPs need to know more than just surface-level insights about the SSPs listed in these files. Keeping this in mind, Ads.txt Manager provides access to our growing digital vendor network, a group of 200+ entities dedicated to creating a better, more robust digital ecosystem.

For these five crucial reasons we decided to go further than building an ads.txt file aggregator and create a more actionable tool for DSPs. And, more is coming. So watch this space for more updates, but in the meantime,register to use our Ads.txt Manager (FREE until June 30, 2018) if you haven’t already!