How Secure Is Your Ad Server?
Yesterday’s news that OpenX shut down OnRamp due to a malware attack only serves to amplify the sound of an alarm that’s constantly ringing in the realm of online media.
“This is another great example of the power of the Internet and the effects of poorly secured applications,” said Anthony J. Ferrante, a member of the Computer & Information Science faculty at Fordham University in New York. “What’s more, this application is designed to distribute advertisements across the Internet, making it an excellent platform for malicious actors to potentially gain access to millions of computer systems.”
Nathan Thomas, CTO for Sonobi Media, a digital display advertising company, noted that as an open-source platform, OnRamp was especially vulnerable.
“Open-source software has its place, but it’s not always the right fit for enterprise level software or services,” said Thomas. “It may be that OpenX was running OnRamp on their own servers without any extra proprietary precautions and fail-safes added to their service or environment. It’s quite possible that one or more of the hackers that perpetrated the intrusion was able to submit code to the project and exploit their own security hole. It all comes down to how thorough OpenX was with submitted code before committing to the project and running it in their own environment.”
Does “Free” Equal “Unsafe”?
The sudden shutdown of OnRamp left its customers scrambling to find an alternative ad server. There are a few other free solutions, such as Google’s DoubleClick for Publishers (DFP) Small Business, ADTECH Lite, AdSpeed’s basic Ad Server, and MobFox’s mAdserve. But given how quickly things unraveled at OpenX, should publishers and advertisers be wary of such free platforms?
Julian Zehetmayr, CEO of MobFox Mobile Advertising GmbH, offered assurances yesterday that the malware scenario that ultimately doomed OnRamp could not occur with mAdserve.
“mAdserve does not have a feature that allows users to register on the ad-server on a self-service basis, and advertiser accounts can only be created by authorized users from within the mAdserve administration panel,” said Zehetmayr via e-mail. “The administration and all user/campaign related functions are therefore secured and only accessible for authorized users. Although mAdserve supports the integration of certified third-party ad network modules, the ad server does not currently provide support for third-party modules that change the architecture of the ad-server itself. Although this can be seen as a weakness in terms of ease of customization, it also makes the software more secure, since there is less risk that potential security holes are opened by badly secured third-party modules.
“The only part of the mAdserve application that is always available to the public is the script/framework that allows publications to request/display advertisements and track consumer response on ads,” Zehetmayr continued. “Since this is a relatively small part of the mAdserve software itself, it is easy to keep secure and protect from hackers.”
Zehetmayr noted that the MobFox network itself is separate from mAdserve; however, mAdserve comes with a module that allows integration into MobFox for monetization. He said the MobFox network has algorithms in place that allow the company to detect invalid/fraudulent traffic and clicks. Among the techniques MobFox is using are:
- Manual verification of ownership for every single publisher on the network (either by comparing the e-mail of the Android developer registration with the e-mail of the MobFox account or by requesting proof of ownership).
- Scoring of referer URLs on the network.
- Manually checking publishers with unusually high/low performance (CTR/Conversions).
“We take fighting malware very seriously and maintain the strongest protections possible for our DFP and DFP SB users,” said the Google spokesperson.
Requests for comments from ADTECH and AdSpeed for insight into the security of their free platforms have so far gone unanswered.
Ferrante, who specializes in cyber security and serves as co-director of a group of researchers dedicated to the design and function of secure cyber networks, said the malware attack that prompted OpenX to shut down OnRamp “has the potential to have far-reaching repercussions, which we may not know for some time, if at all.
“We already know the scope and scale of this compromise, but what should be determined are the motivations of these malicious actors,” he said. “Given the function of the application and the millions of users, I would theorize that these actors were either seeking financial gain through advertisement hijacking, or much worse, spreading malware to unsuspecting Internet users in an effort to build a botnet army.”
You’re probably not going to get much in terms of official response from any of the larger players. Why? Because malware is a HUGE problem for every ad server and network/exchange. None were built with any security in mind and none offer any assurances of cleanliness.
The nature of ad tags and the proliferation of so many servers and delivery agents means that at any time, any ad server can become a distribution point for malware / malicious intent.
Malware and the vulnerability of the online ad ecosystem is a dirty secret of the online ad world and one that is not spoken about in public very often.