
GeoEdge Researchers Uncover Hacker Abuse of WebRTC Protocols to Distribute Malvertising

The real challenge: WebRTC (Web Real-Time Communications) is a serverless communications protocol, and WebRTC malvertising is only detectable via behavioural analysis. Blacklisting – the most frequently used method to block malicious ads – cannot uncover or block WebRTC-based malvertising.

Programmatic advertising is facing a new threat: WebRTC malvertising.

Security researchers at ad security and verification provider GeoEdge used proprietary behavioral analysis technology and discovered WebRTC malvertising attacks occurring via ads served through programmatic exchanges, predominantly through header bidding, in the last few months. WebRTC is a commonly used open-source framework for the web and mobile apps that enables Real Time Communications in the browser or app. WebRTC-based malvertising attacks can only be detected by behavioural analysis since there isn’t an offending domain. Furthermore, the malvertising attack is launched through cloud services from industry giants such as Amazon AWS or Microsoft Azure. Therefore, blocking that cloud service will block all of the ads originating from it, even though 99% of the ads are safe.

According to GeoEdge’s security researchers, WebRTC malvertising was found to be exclusively distributed through programmatic exchanges with 87% via header bidding. The company predicts that these attacks on ads served on mobile devices including tablets are expected to cost publishers $325 million in revenue in 2019, as well as providing a bad user experience for the users who become victims of the malvertising attacks, and are auto-redirected to the undesirable ads or content. With malicious actors undoubtedly developing new forms of WebRTC malvertising, the revenue loss to publishers will only increase in the coming years.

Example of how a WebRTC Malvertising attack occurs

A user views an ad for Weight Watchers or a Trump Hotel (two recent victims) that won a bid in a programmatic header bidding auction via Rubicon, but that ad was simply found online and used by the malicious advertiser, and it is unconnected to either Weight Watchers or Trump Hotels. When the unsuspecting user is exposed to the ad, they’re redirected to a malicious landing page, offering fake Flash updates or gift card scams. Though the WebRTC malvertising seen by GeoEdge security researchers is auto-redirected to malicious landing pages, there is no reason other malvertising tactics, including malware, ransomware, phishing scams and more, won’t be used in future WebRTC malvertising.

The only way to uncover WebRTC malvertising is through behavioural analysis, which can detect suspicious ad behavior and only block the problematic tag.

Most ad security solutions use blacklisting to block malicious domains or other known sources of malicious activities. That tactic causes financial damage to publishers because many safe ads are also blocked. Nevertheless, in the case of WebRTC malvertising, blacklisting has no value because there is no ad domain to block. The only server is the STUN server - the server used by the cloud computing solution and operated by companies such as Google or Mozilla.

In order to detect WebRTC malvertising, GeoEdge’s security research team used the company’s proprietary behavioural analysis technology, which analyses ad serving patterns in order to uncover and alert GeoEdge regarding suspicious ad activity. The behavioural analysis technology enables GeoEdge to stop only problematic ads without blocking entire campaigns or an entire network or exchange. And with GeoEdge’s real-time blocking, once an ad has been identified as malicious and blocked, the offending ad is replaced with a safe one, ensuring maximum publisher revenue.

“WebRTC Malvertising highlights the industry’s migration to ad security 2.0 – moving beyond merely blocking offending domains and instead relying on advanced behavioural analysis technology that can uncover difficult to track malicious activities,” said Amnon Siev, GeoEdge’s CEO. “With new strains of WebRTC malvertising and other obfuscated malicious activities being developed, I’m confident that GeoEdge has the team and technology to keep app developers, publishers, their users, and marketers safe.”

GeoEdge’s security researchers have published a report on WebRTC (https://go.geoedge.com/l/384522/2019-03-25/bj369p), which follows the company’s report on auto-redirect attacks published in early 2018 (http://go.geoedge.com/security/auto-redirect).

GeoEdge enables the supply side of the digital ad ecosystem to focus on publishing, instead of worrying about malvertising attacks. The company handles malicious and unsafe advertising so that publishers, app developers, and other supply-side clients can focus on optimising their advertiser campaigns and provide better and more effective relations with their clients in the time saved. GeoEdge enabled clients to find a 90-95% reduction in complaints through the elimination of offensive and malicious ads, and gain full transparency and visibility of their entire ad inventory, beyond the blocked malicious ads, facilitating improved management of each partner’s brand safety needs.

About GeoEdge

GeoEdge is the premier provider of ad security and verification solutions for online and mobile advertising ecosystems. The company ensures high ad quality and verifies that sites and apps offer a clean, safe and engaging user experience. GeoEdge guards against non-compliance, malware, inappropriate content, data leakage and operational and performance issues. Leading publishers, ad platforms, exchanges, and networks rely on GeoEdge’s automated ad protection solutions to monitor and protect their ad inventory. The company was founded in 2010 by a team that has over two decades of hands-on technical and online media experience.