Malvertising-A Rising Threat To The Online Ecosystem

Abstract

Online advertising is a multi-billion dollar industry that supports web content providers around the globe. A sophisticated technology known as real time bidding (RTB) dominates the advertising landscape, connecting advertisers with specific online customers of interest. With RTB, when web visitors connect to a site, advertising networks are notified of space available on that site along with what can be gleaned about the visitor. These combinations of space and visitor are auctioned, and the winning bid’s ad content is served to the web visitor. The entire process, from a visitor landing on a publisher’s page to ads being auctioned, selected and served, takes 200 milliseconds, the time needed to snap your fingers. This tightly choreographed interaction is a technical marvel, but one with built in risks. The just-in-time collaboration between ever changing technology providers gives an opening to malicious actors, who through devious means, use ad networks to deliver malware rather than ads. Delivering malware as an ad is called malvertising, and its presence on otherwise credible sites is dangerous, undermining the business models of trustworthy publishers and legitimate online advertisers. The purpose of this paper is to introduce malvertising, describe its relationship with online advertising, and identify the risks RTB and malvertising bring to the online ecosystem.
Volume 10, Issue x
xx 2017
ISSN: 1946-1836
Journal of
Information Systems Applied Research
In this issue:
Malvertising - A Rising Threat To The Online Ecosystem
Catherine Dwyer, Pace University
Ameet Kanguri, Pace University
Journal of Information Systems Applied Research (JISAR) 10(x)
ISSN: 1946-1836 xx 2017
©2017 ISCAP (Information Systems and Computing Academic Professionals Page 2
http://jisar.org; http://iscap.info
The Journal of Information Systems Applied Research (JISAR) is a double-blind peer-
reviewed academic journal published by ISCAP, Information Systems and Computing Academic
Professionals. Publishing frequency is currently semi-annually. The first date of publication was
December 1, 2008.
JISAR is published online (http://jisar.org) in connection with CONISAR, the Conference on
Information Systems Applied Research, which is also double-blind peer reviewed. Our sister
publication, the Proceedings of CONISAR, features all papers, panels, workshops, and
presentations from the conference. (http://conisar.org)
The journal acceptance review process involves a minimum of three double-blind peer reviews,
where the reviewers are not aware of the identities of the authors and the authors are not aware
of the identities of the reviewers. The initial reviews happen before the conference. At that point
papers are divided into award papers (top 15%), other journal papers (top 30%), unsettled papers,
and non-journal papers. The unsettled papers are subjected to a second round of blind peer
review to establish whether they will be accepted to the journal or not. Those papers that are
deemed of sufficient quality are accepted for publication in the JISAR journal. Currently the target
acceptance rate for the journal is about 40%.
Questions should be addressed to the editor at editor@jisar.org or the publisher at
publisher@jisar.org. Special thanks to members of AITP-EDSIG who perform the editorial and
review processes for JISAR.
Copyright © 2017 by the Information Systems and Computing Academic Professionals (ISCAP). Permission to make
digital or hard copies of all or part of this journal for personal or classroom use is granted without fee provided that the
copies are not made or distributed for profit or commercial use. All copies must bear this notice and full citation.
Permission from the Editor is required to post to servers, redistribute to lists, or utilize in a for-profit or commercial use.
Permission requests should be sent to Scott Hunsinger, Editor, editor@jisar.org.
Malvertising - A Rising Threat
To The Online Ecosystem
Catherine Dwyer
cdwyer@pace.edu
Ameet Kanguri
ak23433n@pace.edu
Seidenberg School of Computer Science & Information Systems
Pace University
New York, New York, USA
Keywords: malware detection, malvertising, online advertising, ad blockers, real time bidding (RTB).
1. INTRODUCTION
The term malvertising is constructed by
combining “malware” and “advertising”.
According to the SANS institute, malvertising is
“the installation of unwanted or outright malicious
software through the use of internet advertising
media networks, exchanges and other user
supplied content publishing services common to
the Social Networking space,” (Salusky, 2007).
What makes malvertising a special threat to the
Internet? Malvertising cleverly uses the power of
targeted advertising to specifically deliver
malware to victims who visit trusted sites such as
forbes.com (Patrizio, 2016), Spotify (Hern, 2016),
the BBC or The New York Times (Mihalcik, 2016).
By using online advertising tools to target victims
of interest via algorithm, for example employees
in the defense industry (Invincea, 2015a), and
unsuspecting visitors to trusted sites (Ducklin,
2016), malvertising can upend the most
important economic driver for the Internet --
advertising revenue -- and damage the reputation
of well-known sites.
The web as we know it is funded in large part by
advertising revenue. Most online content
providers, with very few exceptions, earn the bulk
of their revenue from digital advertising, with
little or no revenue from subscriptions or fees for
site access (Deloitte, 2016). The world’s largest
online companies, Google and Facebook, derive
most of their revenue from online advertising in
one form or another (Gjorgievska, 2016).
2. THE NATURE OF ONLINE ADVERTISING
The online advertising ecosystem is a
multifaceted technical network matching buyers
and sellers of ad space on pages currently under
view by web visitors who match specific profiles
of interests. Given this happens on millions of web
pages seen by millions of web visitors, all within
a window of 200 milliseconds (Lederer, 2014),
online advertising can be considered one of the
most technologically advanced information
systems ever developed.
Several recent technology drivers intersect in the
delivery of online ads. One is the data collection
and profiling of consumers based on their social,
mobile and online activities. Based on the
collection of terabytes of data, companies such
as Experian have developed specific customer
profiles. Experian has identified 19 categories and
71 sub-categories of consumer profiles. These
include the category called “Singles and Starters,”
and its six sub-categories, including “Digital
Dependents,” “Colleges and Cafes,” and “Striving
Single Scene,” (Experian, 2014).
The second technology driver is the development
of real time bidding (RTB) systems. Advertisers
have always been interested in finding the right
audiences for their products. RTB automates this
process. “RTB helps media buyers find audiences
at scale,” according to a Google white paper on
RTB (Google, 2011).
Google introduced bidding for ads associated with
specific search terms with AdWords in 2000
(Mehta, Saberi, Vazirani, & Vazirani, 2007). With
AdWords, advertisers could compete with each
other to serve ads to users based on search terms
and cookie data.
The next stage in the development of RTB was to
expand this bidding and audience targeting
system to other domains, such as display and
banner advertising. Companies such as
RightMedia and DoubleClick expanded the bidding
process beyond search advertising. By 2011 RTB
had become the dominant mechanism for online
advertising (Chen, Berkhin, Anderson, &
Devanur, 2011).
As of 2016, 23 different sub-categories of
companies have been identified that participate in
the market for online display advertising (Kawaja,
2016). For the purposes of this paper, we will
focus on these players:
1) Publisher - Companies or individuals that
generate content for consumption by consumers.
Publishers monetize their content by putting up
ads beside their content. Examples of publishers
include NYTimes.com and Forbes.com.
2) Supply Side Platform (SSP) - A supply-side
platform or sell-side platform (SSP) is a
technology platform hired by publishers to
manage their online advertising space inventory,
fill it with ads, and receive revenue. Examples of
SSPs include Rubicon and Pubmatic.
3) Demand Side Platform/Ad network (DSP) - A
demand side platform is hired by advertisers to
manage their bids for online ad space. Examples of
DSPs include MediaMath and InviteMedia.
4) Ad exchange - Like a stock exchange, it brings
together buyers and sellers of online ad space.
Examples of ad exchanges include DoubleClick
(owned by Google) and OpenEx.
5) Digital marketer - Advertising agencies
representing large companies wanting to post
advertisements online. Examples include
Omnicom Group and WPP (Ju, 2013).
The interaction that takes place in online
advertising is diagrammed in Figure 1 (Kneen,
2015). When a web visitor lands on a web page
(labeled as step 1), the page is loaded along with
an ad tag embedded acting as a placeholder (step
2). This tag triggers a further call to an SSP,
passing along the ad dimensions and the identity
of the publisher (step 3 and 4). From there the
SSP reads the SSP cookie (step 5) from the user’s
machine (most users already have a SSP cookie
which is created while visiting an earlier site).
Major SSPs claim to have cookie coverage of 80%
across US users (Ad Ops Insider, 2010).
The SSP then requests bids through the ad
exchange from a host of DSPs (step 6 and 7). The
SSP cookie is passed on to each DSP and this
helps the DSPs value the impression. The DSP
matches the cookie data to their own cookie data
(step 8, 9 and 10), which in turn is tied to a huge
cache of marketer data and third party data. In a
nutshell this data is a detailed browsing history of
the user that marketers and data brokers have
collected. The richer the data available about the
user, the higher the bids from DSPs (Ad Ops
Insider, 2010).
Using this information the DSPs place bids and
send an ad redirect link to the SSP in case it wins
the bid. The SSP selects the winning bid, and
sends the DSP link to the user, whose browser
then calls the marketer’s server to display the ad
(steps 11 and 12). The RTB ad serving process is
complete. The entire process takes about 200
milliseconds (Kneen, 2015).
3. MALVERTISING AND RTB
Malvertising is the seeding of malicious code in
online advertisements and delivering these to
unsuspecting users visiting common and trusted
websites, such as huffingtonpost.com,
twitter.com, and cnn.com (Mimoso, 2015).
The nature of the online advertising ecosystem
and the rapidly changing collection of companies
participating in online advertising has created an
opportunity for malicious actors to masquerade
as advertisers (Zarras et al., 2014), who can use
the RTB advertising ecosystem to quite effectively
deliver malware (Segura, 2015), and even
specifically target individuals of interest, such as
those that work in defense industries (Invincea,
2015a).
An example of targeted exploits delivered via an
advertising network is the 2014 hack of the
Reuters site, specifically news articles about
Syria. If a news article about Syria was selected,
the visitor was then redirected to a web page on
the hackers’ website (see Figure 2). The attack
was fine-tuned to ignore most of the website and
only act with specific content. This was achieved
via an advertising network named Taboola that
managed display ads on the website. Through
targeting, the attackers could determine
information on who was reading a specific article
on the website and target only those users
(Jacobs, 2014).
Cyphort Labs, a provider of anti-malware
services, issued a report that noted an increase in
documented malvertising campaigns of 325%
(2015). For example, MalwareBytes has
documented the presence of malvertising on
msn.com (Segura, 2016).
Online malware is a serious problem, one that
affects individuals and organizations. An
important element of safe internet use is avoiding
suspicious, criminal, or inappropriate websites
("Safe Internet Use," 2016). Another important
practice is vigilance with email, and staying away
from links that seem suspicious in any way
("Spam & Phishing," 2016).
It certainly is a safer practice to only visit
legitimate sites, those whose authenticity can be
independently verified. While this is excellent
advice, the use of online advertising networks by
malicious actors to distribute malware on
legitimate sites means that more rigorous
methods must be developed to control the
distribution of malware on the Internet.
Most sites and publishers rely heavily on online
advertisements to monetize visits to their sites.
According to the Interactive Advertising Bureau
(IAB), online advertising in the USA reached
$27.5 billion in the first half of 2015, a 19% rise
over first half of 2014 (IAB, 2015). It is expected
to continue to grow at a similar pace over the next
few years.
RTB is a sophisticated technological interchange
that has created a marketplace where many
technology companies exchange bids and serve
ads. The multi-party nature of this highly
automated bidding exchange has introduced a
risk in the form of malvertising.
Publishers are connected with advertisers by a
network of companies, and the entire process is
opaque to the end user. Ads are sold via a bidding
process, and apart from the type of ad displayed,
the publisher does not control which advertiser
wins the bid and posts ads. This allows not just
legitimate parties but also miscreants to bid for
ads (Invincea, 2015a).
Attack methods delivered through malvertising
include deceptive downloads, link hijacking, and
drive by downloads. Deceptive downloads lure
their victims to download malicious software
components disguised as browser plugins and
other software add-ons. This happens by having
the user believe that to access some desirable
content they need to install a particular software
component.
In link hijacking the user is surreptitiously
redirected away from safe websites to sites with
exploits. This is done by inserting malicious code
in the ads that causes the redirect.
The most dangerous method is called a “drive-by
download”. The risk from drive-by downloads is
that the user may infect his or her computer by
merely visiting the website, even without directly
interacting with the malicious part of the page. In this
scenario the malicious exploit originates from the
ad network server and probes for browser
vulnerabilities. The most common targets among
attackers are machines with outdated plugins for
Java and Flash (Zarras et al., 2014).
Malvertising is the use of online advertising as a
vector to deliver malware. It involves the
injection of malicious or malware laden
advertisements into legitimate, recognized web
sites such as Yahoo.com (Grandoni, 2015),
MSN.com (Segura, 2016), and dictionary.com
(Invincea, 2015b). By injecting malware via
advertising into high profile web sites, users not
typically vulnerable to malware can be targeted.
This infection can take place “silently,” through
techniques such as drive by downloads that do
not require any action by the web site visitor
other than opening the page in a browser.
A report by the IAB and Ernst and Young included
this sobering comment about malvertising: “the
need to click on the malware to be infected is a
common misconception of the public,” ("What Is
An Untrustworthy Supply Chain Costing The U.S.
Digital Advertising Industry?," 2015). Through
malvertising, the profiling capabilities of online
advertising can be re-purposed to target
individuals and organizations of interest, for the
distribution of ransomware, and theft of
intellectual property.
The security firm Invincea has documented
dozens of these attacks taking place on sites such
as cbssports.com, match.com, answers.com, and
realtor.com (Invincea, 2015b).
4. MALVERTISING AND AD BLOCKERS
If malware can be delivered through advertising
networks, then it has been suggested that using
an ad blocker will also block malvertising. In 2015
Edward Snowden endorsed the use of ad blockers
to protect against attacks through malvertising,
saying “as long as service providers are serving
ads with active content that require the use of
Javascript to display, that have some kind of
active content like Flash embedded in it, anything
that can be a vector for attack in your web
browser you should be actively trying to block
these,” (Lee, 2015). While many claim that ad
blockers can protect you, no empirical studies
have been published to date that prove that ad
blockers protect against malvertising.
Ad blockers have been at the center of a dispute
between publishers and the developers of ad
blocking software. The head of the IAB has
criticized ad blockers, and the organization has
begun a public campaign against them, arguing
they “are stealing from publishers, subverting
freedom of the press, operating a business model
predicated on censorship of content and
ultimately forcing consumers to pay more money
for less—and less diverse—information.” (Heine,
2016). Some publishers prevent web visitors
using ad blockers from viewing content, including
wired.com and forbes.com (Schneier, 2016).
The use of ad blockers by online users has been
criticized by publishers. Ad blockers are found on
15% of all US internet browsers ("The 2015 Ad
Blocking Report," 2015). Most ad blockers are
installed as browser plugins, with the two most
popular versions being AdBlock and AdBlock plus.
Irrespective of the ad blocker used, most ad
blockers rely on a collaborative database called
EasyList ("AD BLOCKERS a guidebook for
publishers, advertisers and Internet users,"
2014) . EasyList gathers a list of regular
expressions that recognize an ad versus other
content. These are sequences of code written to
spot keywords or frameworks inside a webpage.
Contributors submit any new sequences to the
community who then reviews and approves it.
Having more than 80,000 expressions it is largest
reference database for all ad blockers.
Ad blockers do not differentiate between
legitimate ads and malvertising; they block both.
If the expression or code pattern is found on the
web page, the ad is blocked. This acts like a
double-edged sword. On one side, with an
updated database and a vibrant community,
ad blockers block most malware; on the other,
they also block legitimate ad content that is
displayed on websites. With ad blockers hurting
the earnings of publishers, a few of them have
resorted to not displaying their content (or
charging a fee) if they detect an ad blocker
installed on the browser.
Forbes (Patrizio, 2016) and Wired (Zorabedian,
2016) are more recent publishers who do not
allow those using an ad blocker to view content
for free on their site.
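How a filter list reaches its block decision, as an added example (not code from the paper, from EasyList, or from any ad blocker): EasyList entries are written in Adblock filter syntax, which a blocker compiles to regular expressions and tests against each request URL. The filters, hosts and URLs below are constructed, and the third-party check (comparing the last two host labels) is a simplifying assumption.

```javascript
// Added example: minimal matcher for Adblock-style URL filters, the syntax EasyList uses.
// The filter list and request URLs are constructed samples, not real EasyList entries.

// Translate one filter pattern into a RegExp:
//   ||  anchor at a domain boundary (any scheme, any subdomain)
//   |   anchor at the start or end of the URL
//   ^   separator: any character except letter, digit, _ - . %, or the end of the URL
//   *   any run of characters
function compilePattern(pattern) {
  let src = '';
  let i = 0;
  let end = pattern.length;
  if (pattern.startsWith('||')) {
    src = '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    i = 2;
  } else if (pattern.startsWith('|')) {
    src = '^';
    i = 1;
  }
  const anchorEnd = end > i && pattern[end - 1] === '|';
  if (anchorEnd) end -= 1;
  for (; i < end; i++) {
    const c = pattern[i];
    if (c === '*') src += '.*';
    else if (c === '^') src += '(?:[^A-Za-z0-9_.%-]|$)';
    else src += c.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
  }
  return new RegExp(anchorEnd ? src + '$' : src, 'i');
}

// Parse one list line. Comments (!) and cosmetic rules (##) are skipped, as are
// filters with options other than third-party, so the demo never over-blocks.
function parseFilter(line) {
  const text = line.trim();
  if (text === '' || text.startsWith('!') || text.includes('##')) return null;
  const exception = text.startsWith('@@');
  let body = exception ? text.slice(2) : text;
  let thirdParty = null; // null: applies to first- and third-party requests
  const dollar = body.lastIndexOf('$');
  if (dollar !== -1) {
    for (const opt of body.slice(dollar + 1).split(',')) {
      if (opt === 'third-party') thirdParty = true;
      else if (opt === '~third-party') thirdParty = false;
      else return null;
    }
    body = body.slice(0, dollar);
  }
  return { text, exception, thirdParty, regex: compilePattern(body) };
}

// Simplification: real blockers compare registrable domains via the Public Suffix List.
function baseDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Exception (@@) rules override block rules; otherwise the first matching block rule wins.
function decide(filters, requestUrl, pageUrl) {
  const isThirdParty = baseDomain(requestUrl) !== baseDomain(pageUrl);
  let blockedBy = null;
  for (const f of filters) {
    if (f.thirdParty !== null && f.thirdParty !== isThirdParty) continue;
    if (!f.regex.test(requestUrl)) continue;
    if (f.exception) return { action: 'allow', rule: f.text };
    if (blockedBy === null) blockedBy = f.text;
  }
  return blockedBy ? { action: 'block', rule: blockedBy } : { action: 'allow', rule: null };
}

// Constructed filter list and traffic for a page on news.example.
const SAMPLE_LIST = [
  '! constructed sample list',
  '||adnet.example^$third-party',
  '/banner/*/creative_',
  '@@||adnet.example/consent.js',
];
const SAMPLE_PAGE = 'https://news.example/story';
const SAMPLE_REQUESTS = [
  ['legitimate ad from a listed network', 'https://ads.adnet.example/serve?slot=top&size=728x90'],
  ['malicious creative from the same network', 'https://ads.adnet.example/serve?slot=top&size=300x250'],
  ['first-party banner image', 'https://cdn.news.example/img/banner/2017/creative_1.png'],
  ['site stylesheet', 'https://static.news.example/article.css'],
  ['allowlisted consent script', 'https://adnet.example/consent.js'],
  ['ad host the list does not cover yet', 'https://adhost-unlisted.example/serve?slot=top'],
];

function runSample() {
  const filters = SAMPLE_LIST.map(parseFilter).filter(Boolean);
  return SAMPLE_REQUESTS.map(([note, url]) => ({ note, url, ...decide(filters, url, SAMPLE_PAGE) }));
}

for (const r of runSample()) {
  console.log(`${r.action.padEnd(5)} ${r.rule || '(no rule)'}  <- ${r.note}`);
}
```

The first two requests receive the same decision from the same rule because the match is on the URL alone, and the last request is allowed because no list entry covers its host.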
5. RISKS TO THE ONLINE ECOSYSTEM
The more automated online advertising is, the
greater the efficiencies built into the system, the
greater the opportunity for a malicious actor to
exploit RTB.
There are challenges for publishers and online
advertisers that make it more difficult to address
the risks of malvertising and RTB. For one,
publishers do not make as much money from
online content as they made with print versions
in the past and are vulnerable to any disruption
in online revenue.
Secondly, online advertising depends on speed.
One technique to disrupt malvertising is to place
stricter controls over what files can be served as
ads; however, this can only slow the process
down. The actual ad content does not come from
either the publisher or the ad exchange; it comes
from a separate technology company that
optimizes its delivery. So there is a security
supply chain problem in place. Checking the
validity of ad content will only make the process
less efficient and more time consuming.
The proliferation of malvertising on trusted sites
has led businesses to turn to security solutions
such as Blue Coat, which maintains a blacklist of known
malware sites, including a number of ad
networks. This acts like a super ad blocker,
blocking any ad delivery to a corporate
environment (Mimoso, 2015).
High-income consumers visiting trusted sites
like Forbes.com are attractive targets for
exploits such as ransomware delivered through
advertising. The success of these exploits is
directly related to RTB, says Pat Belcher, director
of malware analysis at the security company
Invincea. “RTB has made it easier for malware
authors to target individuals. Before RTB, you had
to compromise the ad delivery network. Now, you
not only win bids and place ads, you can use the
same platform to pinpoint and target anyone you
want” (Mimoso, 2015).
In some ways, this dilemma resembles the
troubles advertisers and publishers have
encountered with the collection of web browsing
data. It is the use of these vast troves of data to
serve carefully targeted ads that raises privacy
concerns, and trying to make a perfect match
instantly, millions of times a day, has created an
opening for malvertising that could undermine
the trust that is the foundation of ecommerce and
the online market.
In addition to the risk of malvertising, because ad
bids are higher if more can be discovered about
the digital profile of a web visitor (Ad Ops Insider,
2010), there is a perverse incentive for publishers
to collect and share as much information as
possible with ad networks. And ad networks then
collaborate through cookie sharing to precisely
identify who is the online viewer, whether that
person is at work, at home using a tablet, or on
the go using their smart phone (Schiff, 2016).
6. CONCLUSIONS
Computer security best practices encourage end
users to deploy strong passwords and avoid
suspicious links. These however do not protect
against drive-by downloads delivered by
malvertising. If you do have a strong password
and do avoid suspicious links, what else do you
need to do to avoid malvertising? It is critically
important to keep browsers and all plug-ins
updated. It has also been suggested that ad
blockers can protect the end user from
infection by malware: since the online ad is the
vector of delivery for the malware, an ad
blocker that blocks the ad in theory also blocks the
malware.
Right now, the web depends on advertising for
most of its financial support. However, that
business model has opened the door to malware
attacks using online ads as a vector. While
publishers can say that the use of ad blockers
does hurt their revenue, it also means publishers
have an obligation to protect their site from
malvertising. Given that RTB depends on a
window of 200 milliseconds to deliver an ad
(Lederer, 2014), there needs to be another
control mechanism to ensure that bad actors
cannot exploit this bidding process to serve
malware.
Online advertising has grown into a multi-billion
dollar industry by allowing advertisers to serve
ads based on individual profiles, geolocation,
client machine, and even a specific range of IP
addresses. These precise targeting capabilities
also make malvertising an attractive option for
malicious actors. The customized delivery of ads
also allows malvertising to hide from detection by
employing stealthy targeting schemes that
alternate the placement of benign advertising
with the sporadic placement of malware (Cyphort,
2015).
Combatting malvertising will require an intricate
multi-platform effort. It will require vigilance and
adoption of best practices by multiple actors,
including publishers/web hosting sites, ad
networks, and web surfers. Publishers must
require ad networks to have an active
prevention plan in place against malvertising. And
ad networks will need to be more vigilant about
the content of the ads they serve. As online ads
take on more dynamic properties, including
embedded scripts that customize the ad’s content
and appearance, then ad networks will need strict
controls to ensure those scripts do not inject
malware. Web surfers must protect themselves
by keeping their browsers up to date, and where
possible, disabling vulnerable plugins such as
Java and Flash. So it is up to publishers, online
advertisers, and the people who use those sites
to work together to ensure the security of the
web.
7. REFERENCES
The 2015 Ad Blocking Report. (2015). Retrieved
from https://blog.pagefair.com/2015/ad-
blocking-report/
AD BLOCKERS a guidebook for publishers,
advertisers and Internet users. (2014).
Retrieved from
http://www.secretmedia.com/whitepape
r/adblocker_whitepaper.php
Chen, Y., Berkhin, P., Anderson, B., & Devanur,
N. R. (2011). Real-time bidding
algorithms for performance-based display
ad allocation. Paper presented at the
Proceedings of the 17th ACM SIGKDD
international conference on Knowledge
discovery and data mining.
Cyphort. (2015). The Rise of Malvertising.
Retrieved from
http://go.cyphort.com/Malvertising-
Report-15-Page.html
Deloitte. (2016). The impact of web traffic on
revenues of traditional newspaper
publishers. Retrieved from
https://www2.deloitte.com/content/dam
/Deloitte/uk/Documents/technology-
media-telecommunications/deloitte-uk-
impact-of-web-traffic-on-newspaper-
revenues-2016.pdf
Ducklin, P. (2016). Malvertising When trusted
websites go rogue. Retrieved from
https://nakedsecurity.sophos.com/2016/
03/16/malvertising-when-trusted-
Lee, M. (2015). EDWARD SNOWDEN EXPLAINS
HOW TO RECLAIM YOUR PRIVACY.
Retrieved from
https://theintercept.com/2015/11/12/ed
ward-snowden-explains-how-to-reclaim-
your-privacy/
Mehta, A., Saberi, A., Vazirani, U., & Vazirani, V.
(2007). Adwords and generalized online
matching. Journal of the ACM (JACM),
54(5), 22.
Mihalcik, C. (2016). New York Times, BBC and
others inadvertently serve up dangerous
ads. Retrieved from
https://www.cnet.com/news/new-york-
times-bbc-dangerous-ads-ransomware-
malvertising/
Mimoso, M. (2015). Ad networks ripe for abuse
via malvertising. Retrieved from
https://threatpost.com/ad-networks-
ripe-for-abuse-via-malvertising/111840/
Patrizio, A. (2016). How Forbes inadvertently
proved the anti-malware value of ad
blockers. Retrieved from
http://www.networkworld.com/article/30
21113/security/forbes-malware-ad-
blocker-advertisements.html
Safe Internet Use. (2016). Retrieved from
https://www.getsafeonline.org/protectin
g-your-computer/safe-internet-use/
Salusky, W. (2007, Dec 06). Malvertising.
Retrieved from
https://isc.sans.edu/diary/Malvertising/3
727
Schneier, B. (2016, February 23). The Ads Versus
Ad Blockers Arms Race. Retrieved from
https://www.schneier.com/blog/archives
/2016/02/the_ads_vs_ad_b.html
Segura, J. (2015). Real-time Bidding and
Malvertising: A case study. Retrieved
from
https://blog.malwarebytes.org/malvertis
ing-2/2015/04/real-time-bidding-and-
malvertising-a-case-study/
Segura, J. (2016). MSN Home Page Drops More
Malware Via Malvertising. MalwareBytes
Blog. Retrieved from
https://blog.malwarebytes.org/malvertis
ing-2/2016/01/msn-home-page-drops-
more-malware-via-malvertising/
Spam & Phishing. (2016). Retrieved from
https://staysafeonline.org/stay-safe-
online/keep-a-clean-machine/spam-and-
phishing
What Is An Untrustworthy Supply Chain Costing
The U.S. Digital Advertising Industry?
(2015, February 26, 2016). Retrieved
from http://www.iab.com/insights/what-
is-an-untrustworthy-supply-chain-
costing-the-u-s-digital-advertising-
industry/
Zarras, A., Kapravelos, A., Stringhini, G., Holz, T.,
Kruegel, C., & Vigna, G. (2014). The Dark
Alleys of Madison Avenue: Understanding
Malicious Advertisements. Paper
presented at the Proceedings of the 2014
Conference on Internet Measurement
Conference, Vancouver, BC, Canada.
Zorabedian, J. (2016). Wired to ad blocker users:
pay up for ad-free site or you get nothing.
Retrieved from
https://nakedsecurity.sophos.com/2016/
02/10/wired-to-ad-blocker-users-pay-
up-for-ad-free-site-or-you-get-nothing/
Appendix
Figure 1: How DSPs, SSPs and Ad Exchanges work
Figure 2: Screenshot of Reuters website hacked through an Ad Exchange network
EDWARD SNOWDEN EXPLAINS HOW TO RECLAIM YOUR PRIVACY
  • M Lee
Lee, M. (2015). EDWARD SNOWDEN EXPLAINS HOW TO RECLAIM YOUR PRIVACY. Retrieved from https://theintercept.com/2015/11/12/ed ward-snowden-explains-how-to-reclaimyour-privacy/
New York Times, BBC and others inadvertently serve up dangerous ads
  • C Mihalcik
Mihalcik, C. (2016). New York Times, BBC and others inadvertently serve up dangerous ads. Retrieved from https://www.cnet.com/news/new-yorktimes-bbc-dangerous-ads-ransomwaremalvertising/
Ad networks ripe for abuse via malvertising
  • M Mimoso
Mimoso, M. (2015). Ad networks ripe for abuse via malvertising. Retrieved from https://threatpost.com/ad-networksripe-for-abuse-via-malvertising/111840/
How Forbes inadvertently proved the anti-malware value of ad blockers
  • A Patrizio
Patrizio, A. (2016). How Forbes inadvertently proved the anti-malware value of ad blockers. Retrieved from http://www.networkworld.com/article/30
Malvertising. Retrieved from https://isc.sans
  • W Salusky
Salusky, W. (2007, Dec 06). Malvertising. Retrieved from https://isc.sans.edu/diary/Malvertising/3
The Ads Versus Ad Blockers Arms Race Retrieved from https://www.schneier.com/blog/archives Real-time Bidding and Malvertising: A case study. Retrieved from https
  • B Schneier
Schneier, B. (2016, February 23). The Ads Versus Ad Blockers Arms Race. Retrieved from https://www.schneier.com/blog/archives /2016/02/the_ads_vs_ad_b.html Segura, J. (2015). Real-time Bidding and Malvertising: A case study. Retrieved from https://blog.malwarebytes.org/malvertis ing-2/2015/04/real-time-bidding-andmalvertising-a-case-study/
MSN Home Page Drops More Malware Via Malvertising. MalwareBytes Blog
  • J Segura
Segura, J. (2016). MSN Home Page Drops More Malware Via Malvertising. MalwareBytes Blog. Retrieved from https://blog.malwarebytes.org/malvertis ing-2/2016/01/msn-home-page-dropsmore-malware-via-malvertising/
Wired to ad blocker users: pay up for ad-free site or you get nothing
  • J Zorabedian
Zorabedian, J. (2016). Wired to ad blocker users: pay up for ad-free site or you get nothing. Retrieved from https://nakedsecurity.sophos.com/2016/ 02/10/wired-to-ad-blocker-users-payup-for-ad-free-site-or-you-get-nothing/