Record numbers for internet sales were reported in 2019, but online retailers aren’t the only ones laughing all the way to the bank. Cybercrime costs retailers a staggering $30 billion a year, and the sector is among the top ones targeted globally. Last year, three quarters of global retailers reported falling victim to cyberattacks.
Cyberattackers are constantly evolving and looking for opportunities to deliver malicious payloads to online shoppers. This activity is especially heightened during the shopping season. While several awareness campaigns have been launched this year, one most notably by Homeland Security to educate users on making smart and safe shopping choices, the conning of advertisers and publishers into delivering malware-laced advertisements is a growing issue.
Ad threats (not to be confused with ad fraud) is a form of so-called “malvertising” that can involve a JavaScript programming language exploit that thrives off advertisers and publishers who do not monitor their networks or their partners’ third-party code.
According to Devcon (via MediaPost), over 60% of ad threats during the recent holiday shopping period originated from advanced attacks (such as Lucky Star, Invisible Ink, Led Zelpdesk and Avid Diva). Such attacks are usually a combination of social engineering and JavaScript exploits that steal credit card information or manipulate shoppers to download a trojan, which could be used to access personal or sensitive information.
The Devcon report highlighted that hackers can use any of the following methods to exploit advertisers and consumers:
Abusing publisher’s code: Cybercriminals will create fraudulent accounts with ad networks and use an organization's ad tags to deliver payloads to target websites without even having to compromise the target company’s servers.
Exploiting a partner’s code: This attack method basically involves exploiting vulnerabilities in the source code of third-party partners that connect with the target website, publisher or advertiser. A similar pattern can be drawn with last year’s Magecart attacks that stole credit card information from more than 80 global e-commerce websites that were running an outdated version of the Magento platform. Or take the example of the eGobbler attack that affected more than a billion ads due to a browser flaw on Apple iOS devices.
Exploiting other code vulnerabilities: If the target company is using third-party JavaScript code or libraries that have vulnerabilities, hackers can exploit them to gain access to credit card information or other personal information.
Infecting JavaScript with malicious code: Also referred to as steganography, this technique involves embedding the ad creative (image ad or video ad) with a malicious script. Fraudsters can then use these creatives to spread malware across legitimate domains.
Per a 2019 report, one instance of malvertising is found in every 100 ad impressions. It is also estimated that malicious ad images alone cost ad networks more than $1 billion each year.
Service providers and consumers must ensure that they follow these best practices to ensure that they do not fall prey to ad threats.
The increased amount of money flowing into ad serving platforms is obviously going to attract more and more cybercriminals by the day. While service providers become more security savvy, hackers become more sophisticated than ever before. Understanding ad threats is necessary for staying one step ahead of these fraudsters.
This article was originally posted on the Forbes Technology Council. Click here to read