With more rigorous monitoring, brands and publishers can fight back and reduce the cost of malware, writes Rebecca Muir, head of research at ExchangeWire.
Malware and ‘malvertising’ cost the digital economy billions of pounds a year, yet few marketers really understand how malware operates, how it is distributed, and how to prevent attacks. The cost of malware attacks is not only a financial burden – each media story about ads infecting devises causes consumers to lose faith in the digital advertising industry – making malware a mainstream, global issue.
As technology becomes increasingly sophisticated, and hackers invent new methods of attack, it becomes harder to distinguish malicious ads from genuine. The number of ad-delivered malware attacks has roughly doubled which presents the question: what are digital advertising professionals missing when it comes to malware, and how can they keep a cap on it?
Malware attacks on mobile and desktop devices are different
All devices can be attacked effectively through websites. However, there is one big difference between mobile devices and tablets: apps.
Apps are far more commonly installed by mobile and tablet users; and apps can easily be ‘weaponised’. When an app goes into an app store, the engineers who wrote the code have designed it to do certain things and ensured that it does not execute any actions that breach data protection laws.
“If your knowledge is not up-to-date then you won’t recognise a malware attack even if it’s starting you in the face”
However, over time apps can migrate to new app stores and attackers can alter the code, meaning the app does things that the creator did not intend it to do, such as asking for additional permissions. End users are not aware of this, nor do they understand what providing those permissions means.
Furthermore, mobile is an evolving field and if your knowledge is not up-to-date then you won’t recognise a malware attack even if it’s starting you in the face. And if you don’t know what it looks like, you can’t know if your website or app has been compromised.
Attacks do not only occur on non-premium and ecommerce websites
There is a tendency for media professionals to presume malware only exists non-premium sites and that ecommerce sites are more at risk compared to content sites. In fact, around 90% of malware attacks are launched via legitimate, mainstream websites and apps that have been compromised.
This means that publishers, advertisers and ad tech vendors – exchanges, SSPs, DSPs, DMPs, data analytics tools and ad/video serving platforms – are unwittingly complicit because the third-party code used for the purpose of ad serving may provide a loophole for malicious attackers to spread their malware.
The problem is, as the digital economy grows at such a fast pace, and technology advances rapidly alongside advertising budgets, people tend to focus on what is going well, rather than what is not. So security tends to take a back seat compared to brand awareness, return-on-investment and other popular measures of success.
No brand or publisher should ever presume their website is ‘safe’ but sadly many do. At a minimum, all website owners should:
1 – Continually review and control what renders on the browser
2 – Audit the third party tags on websites, and take steps to understand exactly what they do in order to ensure they are working as expected
3 – QA and verify ad creative before a campaign goes live and continuously work to deliver cleaner ads
Hackers will always attempt to harness the value of individual, personal details (name, passwords, financial data, etc) or control user devices with the intention of attacking individuals, websites or apps. Regardless of how malware is distributed, both the digital industry and consumers lose, but with more rigorous monitoring, brands and publishers can fight back and reduce the cost of malware to the digital economy.
