How Secure Is Your Ad Server?


Yesterday’s news that OpenX shut down OnRamp due to a malware attack only serves to amplify the sound of an alarm that’s constantly ringing in the realm of online media.

“This is another great example of the power of the Internet and the effects of poorly secured applications,” said Anthony J. Ferrante, a member of the Computer & Information Science faculty at Fordham University in New York. “What’s more, this application is designed to distribute advertisements across the Internet, making it an excellent platform for malicious actors to potentially gain access to millions of computer systems.”

Nathan Thomas, CTO for Sonobi Media, a digital display advertising company, noted that as an open-source platform, OnRamp was especially vulnerable.

“Open-source software has its place, but it’s not always the right fit for enterprise level software or services,” said Thomas. “It may be that OpenX was running OnRamp on their own servers without any extra proprietary precautions and fail-safes added to their service or environment. It’s quite possible that one or more of the hackers that perpetrated the intrusion was able to submit code to the project and exploit their own security hole. It all comes down to how thorough OpenX was with submitted code before committing to the project and running it in their own environment.”

Does “Free” Equal “Unsafe”?

The sudden shutdown of OnRamp left its customers scrambling to find an alternative ad server. There are a few other free solutions, such as Google’s DoubleClick for Publishers (DFP) Small Business, ADTECH Lite, AdSpeed’s basic Ad Server, and MobFox’s mAdserve.  But given how quickly things unraveled at OpenX, should publishers and advertisers be wary of such free platforms?

Julian Zehetmayr, CEO of MobFox Mobile Advertising GmbH, offered assurances yesterday that the malware scenario that ultimately doomed OnRamp could not occur with mAdserve.

“mAdserve does not have a feature that allows users to register on the ad-server on a self-service basis, and advertiser accounts can only be created by authorized users from within the mAdserve administration panel,” said Zehetmayr via e-mail. “The administration and all user/campaign related functions are therefore secured and only accessible for authorized users. Although mAdserve supports the integration of certified third-party ad network modules, the ad server does not currently provide support for third-party modules that change the architecture of the ad-server itself. Although this can be seen as a weakness in terms of ease of customization, it also makes the software more secure, since there is less risk that potential security holes are opened by badly secured third-party modules.

“The only part of the mAdserve application that is always available to the public is the script/framework that allows publications to request/display advertisements and track consumer response on ads,” Zehetmayr continued. “Since this is a relatively small part of the mAdserve software itself, it is easy to keep secure and protect from hackers.”

Zehetmayr noted that the MobFox network itself is separate from mAdserve; however. mAdserve comes with a module that allows to integrate into MobFox for monetization. He said the MobFox network has algorithms in place that allow the company to detect invalid/fraudulent traffic and clicks. Among the techniques MobFox is using are:

  1. Manual verification of ownership for every single publisher on the network (either by comparing the e-mail of the Android developer registration  with the e-mail of the MobFox account or by requesting proof of ownership).
  2. Scoring of referer URLs on the network.
  3. Manually checking publishers with unusually high/low performance (CTR/Conversions).

In response to our inquiries, a Google spokesperson directed us to two pages at the DFP help center (“Respond to malvertising alerts” and “About malvertising“).

“We take fighting malware very seriously and maintain the strongest protections possible for our DFP and DFP SB users,” said the Google spokesperson.

Requests for comments from  ADTECH and AdSpeed for insight into the security of their free platforms have so far gone unanswered.

Further Fallout?

Ferrante, who specializes in cyber security and serves as co-director of a group of  researchers dedicated to the design and function of secure cyber networks, said the malware attack that prompted OpenX to shut down OnRamp “has the potential to have far-reaching repercussions, which we may not know for some time, if at all.

“We already know the scope and scale of this compromise, but what should be determined are the motivations of these malicious actors,” he said. “Given the function of the application and the millions of users, I would theorize that these actors were either seeking financial gain through advertisement hijacking, or much worse, spreading malware to unsuspecting Internet users in an effort to build an botnet army.”


  1. You’re probably not going to get much in terms of official response from any of the larger players. Why? Because Malware is a HUGE problem for every ad server and network/exchange. None were built with any security in mind and none offer any assurances of cleanliness.

    The nature of ad tags and the proliferation of so many servers and delivery agents, means that at any time, any ad server can become a distribution point for malware / malicious intent.

    Malware and the vulnerability of the online ad ecosystem is a dirty secret of the online ad world and one that is not spoken about in public very often.


Please enter your comment!
Please enter your name here