How Secure Is Your Ad Server?
Yesterday’s news that OpenX shut down OnRamp due to a malware attack only serves to amplify the sound of an alarm that’s constantly ringing in the realm of online media.
“This is another great example of the power of the Internet and the effects of poorly secured applications,” said Anthony J. Ferrante, a member of the Computer & Information Science faculty at Fordham University in New York. “What’s more, this application is designed to distribute advertisements across the Internet, making it an excellent platform for malicious actors to potentially gain access to millions of computer systems.”
Nathan Thomas, CTO for Sonobi Media, a digital display advertising company, noted that as an open-source platform, OnRamp was especially vulnerable.
“Open-source software has its place, but it’s not always the right fit for enterprise level software or services,” said Thomas. “It may be that OpenX was running OnRamp on their own servers without any extra proprietary precautions and fail-safes added to their service or environment. It’s quite possible that one or more of the hackers that perpetrated the intrusion was able to submit code to the project and exploit their own security hole. It all comes down to how thorough OpenX was with submitted code before committing to the project and running it in their own environment.”
Does “Free” Equal “Unsafe”?
The sudden shutdown of OnRamp left its customers scrambling to find an alternative ad server. There are a few other free solutions, such as Google’s DoubleClick for Publishers (DFP) Small Business, ADTECH Lite, AdSpeed’s basic Ad Server, and MobFox’s mAdserve. But given how quickly things unraveled at OpenX, should publishers and advertisers be wary of such free platforms?
Julian Zehetmayr, CEO of MobFox Mobile Advertising GmbH, offered assurances yesterday that the malware scenario that ultimately doomed OnRamp could not occur with mAdserve.
“mAdserve does not have a feature that allows users to register on the ad-server on a self-service basis, and advertiser accounts can only be created by authorized users from within the mAdserve administration panel,” said Zehetmayr via e-mail. “The administration and all user/campaign related functions are therefore secured and only accessible for authorized users. Although mAdserve supports the integration of certified third-party ad network modules, the ad server does not currently provide support for third-party modules that change the architecture of the ad-server itself. Although this can be seen as a weakness in terms of ease of customization, it also makes the software more secure, since there is less risk that potential security holes are opened by badly secured third-party modules.
“The only part of the mAdserve application that is always available to the public is the script/framework that allows publications to request/display advertisements and track consumer response on ads,” Zehetmayr continued. “Since this is a relatively small part of the mAdserve software itself, it is easy to keep secure and protect from hackers.”
Zehetmayr noted that the MobFox network itself is separate from mAdserve; however, mAdserve comes with a module that allows it to be integrated with MobFox for monetization. He said the MobFox network has algorithms in place that allow the company to detect invalid/fraudulent traffic and clicks. Among the techniques MobFox is using are:
- Manual verification of ownership for every single publisher on the network (either by comparing the e-mail of the Android developer registration with the e-mail of the MobFox account or by requesting proof of ownership).
- Scoring of referer URLs on the network.
- Manually checking publishers with unusually high/low performance (CTR/Conversions).
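The last two techniques (scoring referer URLs and flagging publishers with unusual CTR) can be illustrated with a small script. This is an added example, not MobFox's or mAdserve's code: the summary-log format, the publisher ids, the registered-domain table and the 3.5 modified-z-score threshold are all constructed for the illustration. It reads one daily summary line per publisher, flags any whose CTR is a robust outlier against the rest of the network (median/MAD rather than mean/stddev, so one fraudulent publisher cannot mask itself by inflating the average), and separately flags traffic whose referer host does not match the domain the publisher proved ownership of at sign-up.

```python
"""Flag publishers with anomalous CTR or mismatched referer hosts.

Added illustration, not the ad server's own code. Log format, publisher ids,
registered domains and threshold are constructed for the example.
"""
import re
from statistics import median

# Constructed sample: one daily summary line per publisher (not a real log format).
# pub-106 has an implausibly high CTR and traffic from an unregistered host;
# pub-107 serves many impressions that nobody ever clicks.
SAMPLE_LOG = """\
2014-03-07 pub-101 imps=10000 clicks=120 referer=news.example
2014-03-07 pub-102 imps=8000 clicks=80 referer=blog.example
2014-03-07 pub-103 imps=12000 clicks=180 referer=games.example
2014-03-07 pub-104 imps=5000 clicks=60 referer=recipes.example
2014-03-07 pub-105 imps=9000 clicks=99 referer=sports.example
2014-03-07 pub-106 imps=2000 clicks=900 referer=cheap-traffic.example
2014-03-07 pub-107 imps=15000 clicks=0 referer=weather.example
"""

# Constructed: the domain each publisher proved ownership of when registering
# (the manual ownership check described in the article produces this table).
REGISTERED_DOMAIN = {
    "pub-101": "news.example",
    "pub-102": "blog.example",
    "pub-103": "games.example",
    "pub-104": "recipes.example",
    "pub-105": "sports.example",
    "pub-106": "deals.example",
    "pub-107": "weather.example",
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<pub>\S+) imps=(?P<imps>\d+) clicks=(?P<clicks>\d+) "
    r"referer=(?P<ref>\S+)$"
)


def parse_log(text):
    """Parse summary lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "pub": m.group("pub"),
            "imps": int(m.group("imps")),
            "clicks": int(m.group("clicks")),
            "ref": m.group("ref"),
        })
    return rows


def modified_z_scores(values):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.

    Uses median and median absolute deviation so a single extreme publisher
    does not drag the baseline towards itself the way a mean would.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # every publisher identical: nothing can be an outlier
        return [0.0] * len(values)
    return [0.6745 * (v - med) / mad for v in values]


def analyze(log_text, z_threshold=3.5):
    """Return {publisher_id: [finding, ...]} for publishers worth a manual look."""
    rows = parse_log(log_text)
    ctrs = [r["clicks"] / r["imps"] if r["imps"] else 0.0 for r in rows]
    findings = {}
    for row, z in zip(rows, modified_z_scores(ctrs)):
        notes = []
        if abs(z) > z_threshold:
            notes.append("ctr_outlier")  # far above or far below the network's CTR
        if REGISTERED_DOMAIN.get(row["pub"]) != row["ref"]:
            notes.append("referer_mismatch")  # traffic not from the verified domain
        if notes:
            findings[row["pub"]] = notes
    return findings


if __name__ == "__main__":
    for pub, notes in sorted(analyze(SAMPLE_LOG).items()):
        print(pub, ", ".join(notes))
```

Both a very high and a very low CTR are flagged: the high one is the classic click-fraud signature, while a publisher with thousands of impressions and no clicks at all often indicates impressions being rendered where no human can see them. The output is a queue for the manual review the article describes, not an automatic ban.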
“We take fighting malware very seriously and maintain the strongest protections possible for our DFP and DFP SB users,” said the Google spokesperson.
Requests for comments from ADTECH and AdSpeed for insight into the security of their free platforms have so far gone unanswered.
Ferrante, who specializes in cyber security and serves as co-director of a group of researchers dedicated to the design and function of secure cyber networks, said the malware attack that prompted OpenX to shut down OnRamp “has the potential to have far-reaching repercussions, which we may not know for some time, if at all.
“We already know the scope and scale of this compromise, but what should be determined are the motivations of these malicious actors,” he said. “Given the function of the application and the millions of users, I would theorize that these actors were either seeking financial gain through advertisement hijacking, or much worse, spreading malware to unsuspecting Internet users in an effort to build a botnet army.”
You’re probably not going to get much in terms of official response from any of the larger players. Why? Because malware is a HUGE problem for every ad server and network/exchange. None were built with any security in mind and none offer any assurances of cleanliness.
The nature of ad tags and the proliferation of so many servers and delivery agents means that at any time, any ad server can become a distribution point for malware / malicious intent.
Malware and the vulnerability of the online ad ecosystem is a dirty secret of the online ad world and one that is not spoken about in public very often.