Latest News and Viewpoints

Polyglots exploiting weaknesses in ad networks, exposing users to risks

Description of how a polyglot works. (c) DEVCON

Description of how a polyglot works. (c) DEVCON

The polyglot problem just keeps getting worse, with tens of thousands of exploits recorded in the past week.

AdWeek reported yesterday that tech startup - and partner in our study of ad fraud at the local media level - DEVCON had detected increasingly complex malware in several ad networks. To quote the article:

DEVCON “says it found several polyglots—malware that uses complex code to disguise itself within an image—inside of what appear to be digital ads pretending to be from brands. The company didn’t disclose which websites served up malicious ads, but so far, the fraudulent ads have been seen in ad servers including GumGum and Yahoo, with a handful of sites attacked as many as 50,000 times over the past few weeks. So far, the company has identified five brands and seven pieces of ad creative used by polyglots.”

This is increasingly significant because while polyglots - image files that also run malicious JavaScript without any prompting from the user - are nothing new, this marks the first time they’ve been detected hidden in ad creative.

“Researchers say polyglots could be used to harness processing power from devices for use in cryptocurrency mining and to transfer money from one bank account to another using a supply-side server and a demand-side server,” the article said.

In other words, you’re reading a news story about the city council while the kitty litter ad at the top of the page is installing malware on your computer, or redirecting you to a roulette-wheel scam site, or installing ransomware that will try to shake you down for $1,000 in BitCoin.

Said DEVCON CEO Maggie Louie: “It’s the missing link. … It’s a huge jump for a hacker group that we saw just two months ago using some known techniques that weren’t sophisticated at all to what is now a very sophisticated research project.”

Two things are clear:

  1. Bad actors are waking up to the fact that ad networks are vulnerable, and may be the most lucrative way to exploit millions of people.

  2. With no regulation and little expertise in law enforcement, consumers are on their own unless ad networks and publishers take the lead in providing protection.

Kudos to DEVCON and other ad-fraud detection/blocking companies that are riding the fence. For all of us.

Rusty Coats