Ad threat attacks continue to exploit JavaScript used ubiquitously across the internet, despite declining year-over-year in 2019, according to a new report by cybersecurity company DEVCON. During the critical holiday shopping period between Thanksgiving and Cyber Monday, the rate of digital ads containing lower-risk malvertising fell to .07% in 2019 compared to 1.25% in 2018. However, a rise in highly sophisticated attacks exposed in the 2019 Holiday Threat Report by DEVCON means that publishers must become more vigilant against security threats that steal private data and credit card information from consumers.
Ad threat is defined by DEVCON as the weaponization of ad tech to distribute malware, trojans and other malicious attacks to consumers, in addition to defrauding marketers and publishers. Ad threat is not to be confused with the more common term “ad fraud,” which is designed to defraud marketers into paying for fraudulent ad views.
“The spray and pray tactic of malvertising campaigns will simply never go away. Even as the overall occurrences drop, these guys just keep coming back,” said Mishunda ‘Mai’ Mathis, Senior Director of Risk and Revenue at DEVCON. “While it is easy to write them off as low-level and common attacks, these aggravating takeovers can cause publishers to lose their all-too-valuable readers and subscribers. The industry has finally accepted that the problem will not resolve itself and that defensive measures are needed at all levels of the pipeline.”
The report by DEVCON found that over 60% of malicious ad threat activity during the 2019 holiday shopping period came from highly sophisticated attacks like Led Zelpdesk, Lucky Star, Avid Diva, and Invisible Ink. These attacks use a combination of social engineering and exploited JavaScript to steal a user’s credit card information, have them download a trojan, or both. The report highlights the methods hackers use to exploit third-party JavaScript, including
- Abuse of a service provider’s code: in the case of ad threat, bad actors are creating fake accounts with ad networks and using that company’s ad tags to deliver exploits onto sites without ever needing to compromise the target company’s servers.
- Partner exploitation: in the case of Magecart attacks that are specifically looking to steal information from checkout and login pages, an attacker will look for third-party partners on those pages and find one that is more easily compromised. That code is then used to gain access and collect user data as users are entering it.
- Exploitation of Code Vulnerabilities: in the case that a company is using any third-party JavaScript or libraries that have a vulnerability, a hacker can exploit that vulnerability in the script itself.
- Infecting JavaScript with malicious code: in the case of infected assets like image files, fonts and ads, JavaScript being delivered back and forth can be used to hide exploits, like an image for an ad that has been infected with malicious script.
“While these less advanced hackers are being shut out of the ad threat game, the more advanced bad actors are not only becoming more stealthy in obfuscating these attacks, they have escalated the types of exploits, broadened the attack surface, and they are not limiting these attacks to the ad tag scripts,” said Maggie Louie, CEO of DEVCON. “The actual risk is data breach, which can lead to massive fines in the new regulatory environment. Ad threat is a security gap that should not be managed by marketing teams any more than phishing attacks should be managed by the email marketing teams. These security threats need to be managed and monitored by security teams.”
