Ad Threat Attacks Are Evolving: How Your Strategy Needs to Shift

In the era of digital transformation, every company needs a CISO. In the ongoing war against ad threat attacks, there’s good news and bad news. The good news: Between Thanksgiving and Cyber Monday in 2019, the rate of digital ads containing lower-risk malvertising declined to .07 percent compared to 1.25 percent in 2018. The bad news: More than 60 percent of holiday ad threat attacks were far more malicious exploits.

Now more than ever, publishers and advertisers must remain vigilant to combat online security threats that constantly seek to steal the private data and credit card information of consumers. Preparedness begins with an understanding of the threat itself, and what it means for a company’s security efforts.

Read more: Malvertising: How It Ruins a User’s Day, and Destroys Their Trust in Digital Advertising

Understanding Ad Threats

First things first: What is an ad threat?

Many executives are well aware of ad fraud, in which bad actors manipulate marketers into paying for fraudulent ad views. Ad threat, however, is a different breed of trouble. Ad threat represents the weaponization of AdTech to distribute malware, trojans and other malicious attacks to consumers, in addition to defrauding marketers and publishers.

Ad fraud typically refers to efforts by criminals to steal advertising revenue from publishers and advertisers, victimizing brands and website owners. Ad threat instead refers to attacks that victimize audiences, users, and citizens who interact with websites and online applications. By exploiting ad tech vendors, cybercriminals can run scams, collect sensitive data, and distribute malware. Given the ever-tightening regulatory environment around consumer data and privacy, these attacks are increasingly exposing companies to huge potential fines, not to mention alienated customers.

While less advanced hackers are now being shut out of the ad threat game, the advanced bad actors are becoming more stealthy in obfuscating their attacks as they simultaneously escalate their activities. These sophisticated hackers are looking for any potential third-party JavaScript opportunities to exploit, which include:

• Abuse of a service provider’s code: Bad actors abuse service provider code by creating fake accounts with ad networks and using that company’s ad tags to deliver exploits onto sites, without ever needing to compromise the target company’s servers.
• Partner exploitation: In the case of attacks that look to steal information from checkout and login pages, attackers look for third-party partners on those pages and identify those that are most easily compromised. That code is then used to gain access and collect user data as consumers are entering it.
• Code vulnerabilities: When a company is using a third-party JavaScript or library with a vulnerability, hackers can exploit that vulnerability in the script itself.
• Infecting JavaScript with malicious code: When it comes to infected assets like image files, fonts and ads, JavaScript being delivered back and forth can be used to hide exploits, such as an image for an ad that has been infected with a malicious script.

Shoring Up Vulnerabilities

While the proliferation of ad fraud has long been viewed as a problem for Marketing teams to address, ad threat security gaps represent serious potential breaches that must be monitored and managed by security teams. After all, it’s not just ad revenue and user experiences that are at stake.

When it comes to ad threat attacks, we’re talking about potential data breaches, which have serious implications for not only ad revenue, user experience, and brand trust, but also for the long-term health and survival of the company itself. In recent high-profile breach cases, companies not monitoring and mitigating threats related to third-party JavaScript security received record-setting fines.

Executives looking to avoid similar fates need to start by creating cultures of security within their companies. That means ensuring CTOs, CISOs or CIOs—whoever spearheads data security within your organization—have the resources needed to maintain site safety and security across all emerging areas of threat. (You might even consider appointing your CISO or CIO to sit on the board.)

As a rule, code should not be tested or installed without going through the security team, and security teams should take lead on monitoring and mitigating all third-party JavaScript risks.

It’s also important for companies to regularly evaluate security risks and mitigators across all departments and emerging technologies. Meanwhile, be sure to review your cybersecurity insurance to make sure that your organization has the right controls and mitigators in place to meet the requirements.

Finally, consider having an independent security company perform a full audit of all third- and fourth-party JavaScript on your site and decide how you will manage the monitoring of that code going forward. An independent security company can also perform tests to surface any new gaps in your overall security model.

Above all, remember: Online security is an ongoing journey, not a destination. As bad actors evolve, it’s imperative that company executives be constantly reevaluating their practices to ensure they’re always one step ahead.

Read more: Looking Forward: What Will 2020 Bring for Digital Advertising?