UK government wants solutions for malvertising attacks

The UK National Cyber Security Centre has asked British startups to come up with "novel ideas" to provide visibility into malvertising campaigns, their size, and their origins.

"Equally, we want to hear from those startups who are able to identify bad ads, block them, track the attackers behind them and contribute to removing these attacks from the internet," the NCSC said on Wednesday.

The agency said it wants help from the private sector so it can crack down on malicious actors that have abused ads to spread malware and defraud users.

"In a perfect world, the malicious ads that direct you to that site would never appear on your screen in the first place; ad-networks would detect and block everything passing through their platform before they reached the user," the agency said yesterday.

The ad industry needs to vet and verify their customers

That opinion was also shared by Eliya Stein, a Senior Security Engineer at Confiant, a cybersecurity firm specializing in detecting ad fraud and malicious ads.

"Malvertising is at its core a supply chain problem, but vetting advertisers is difficult, especially when someone shows up and is willing to pre-pay in order to run an ad campaign," Stein told The Record in an online conversation.

"There's certainly room for tech innovations to help with this — for example, we are huge proponents of Buyers.json for this exact reason, which requires transparency on buyer information through ad delivery.

"I do think the biggest impact to be made right now is if the ad tech industry could mobilize to get on the same page around how to vet buyers and develop a well-defined protocol for doing so. There's a major challenge in onboarding smaller players to these initiatives, though, because they feel heavy pressure to take on new business from advertising partners that they might not know very well," he added.

As for what these startups would have to deal with today, Stein also provided an overview of the current malvertising scene and what startups will most likely have to deal with.

"A few years ago, the ad tech industry was plagued by malvertisements that did forceful redirections to malware, scams, or fraudulent affiliate marketing campaigns. Since then, ad-tech security and browser security has matured enough that this is no longer the most lucrative path for those attackers," Stein said.

"Instead, a lot of them have changed their tactics and are now running campaigns that heavily utilize cloaked clickbait. Cloaking is done either on the ad level, the landing page level, or both.

"So these days, an attacker might launch a campaign that looks like a benign e-commerce ad that links to what looks like a real e-commerce website, but once they have established a relationship as a valid advertiser, they will flip the switch. For example, the e-commerce ad becomes an investment opportunity promoted by a celebrity likeness, and the landing page will suddenly lure victims to a fraudulent investment platform instead of the store," Stein added.

"These same techniques are still being used to scam victims and spread malware as well. In addition, we are seeing that there are a lot of attackers that target search and social ads with their campaigns, targeting their campaigns against search terms for legitimate brands to lure victims to phishing pages.

"It's currently a huge problem for financial services and Web3 platforms. We also see a ton of malvertising chains leading to tech support scams," the Confiant researcher said.

Malicious ads could be used for targeted attacks

But the NCSC's move is not surprising and echoes similar efforts that have taken place in the US. For example, in November 2017, a US senator asked the White House to look into using network-based ad-blocking solutions to protect its staff while navigating the web.

Two years later, in November 2019, browser maker Brave warned US lawmakers that they could be targeted by foreign spies with malware using the advanced filtering and targeting capabilities of modern advertising networks and online ads.

In September last year, the NSA and CIA publicly admitted to using ad blockers to protect their employees from malicious ads.

A few months later, in December, the Pentagon also said it implemented similar ad-blocking systems following an inquiry from a US senator on the matter.