[05] A Critical Look at the Ethics, Technology and Security of Native Ads (2/2)

in security •  8 years ago 

Technical Implementation (How It Works)

The creation and display of native advertising is a complex undertaking. It involves multiple technological layers to create the advertising content, set up parameters for targeting and run the content through platforms for pricing and bidding.

Even before the ad is served to the end user, an advertiser must use technology to handle geolocation targeting to reach users by country, state/province or city. Targeted native ads also allow the advertiser to choose the context of the page where ads will run and the types of devices (narrowed even to mobile operating system) and behavioral targeting that will push the ad to specific web surfers based on their browser or search history.

There are several categories of native advertising platforms:

• Closed platform
The most common is the “closed platform,” which is created by brands to promote their own content on their own websites. Advertisements seen on these platforms are designed to exhibit ad units within the confines of the website’s specific agendas. Well-known examples of closed platforms include Promoted Tweets on Twitter, Sponsored Stories on Facebook and TrueView Video Ads on Google’s YouTube.

• Open platform
This type of platform involves the pervasive promotion of the same piece of branded content across multiple platforms, but through some variation of native ad formats. Unlike closed platform content, open platform content itself lives outside any particular website that it appears on and is usually distributed across multiple sites by a third-party company. This means that most advertisements appearing on open platforms are placed there by an advertiser.

• Hybrid platform
With this category, the content publishing platforms can install a private marketplace where advertisers have the option to bid on the inventory of ad space, either through direct sales or programmatic auction through real-time bidding (RTB).

This means that advertisements distributed on hybrid platforms are placed there by the platform itself, the space having been sold to an open platform advertiser. The majority of native ads are generated by reputable agencies and can be tailored to keep the ad unit within the publisher’s website or serve the ad to a third-party landing page.

The native ad unit is powered by a script that is generated to handle all the targeting parameters. What is most important to understand is that the data within the “related content” or “news from around the web” is hosted in ad servers belonging to the publishing platform’s ad servers.

This has major security implications, since the publisher has essentially outsourced control of content hosted on its site. In addition, there are significant risks involved when publishers take security into their own hands and struggle to cope with the epidemic of malvertising.

Security and Malvertising Risks

Unfortunately, the technical implementations of native advertising are largely overlooked by an industry that has struggled to cope with the deluge of malvertising attacks over the years. The new format relies on scripts to handle delivery and targeting, and these introduce a wide range of security risks that need to be addressed. The current security problems are already severe. The IAB estimates that fraudulent impressions, infringed content and malvertising cost the U.S. digital marketing, advertising and media industry $8.2 billion annually. The IAB blames badly designed business processes and flaws in the digital advertising supply chain for the skyrocketing losses.

Malvertising exposes web users to unknown or potentially dangerous third parties, and according to IAB estimates, losses from this threat surpassed $1 billion in 2015, with $781 million of this amount generated from ad blocking implemented due to security and malware concerns. The costs associated with investigating, remediating and documenting direct incidents of malicious advertising total $204 million, the IAB warns.

When publishers use native ads powered by third-party agencies, they basically are ceding control of their property to outsiders and could be serving malware if a hacker successfully executes a malvertising campaign.

Malicious Post-Click Infections

While native ads have been shown to be low risk for malvertising pre-click, there is a high risk in the post-click, specifically in the landing page, which may be infected with malware. How could a native ad direct a user to a malicious landing page? This can happen when the final landing page is hacked, when a poisoned script is inserted into the delivery path to redirect the user to a different landing page, or when the whole campaign, including the ad, was designed by the cybercriminals themselves.

Landing Page Hijacking

Cybercriminals can employ automated tools to discover third-party landing sites used in native ad campaigns and hijack those pages. Popular platforms like WordPress are known to have vulnerabilities. Many of these types of platforms are unpatched, so it is relatively easy for a cybercriminal to use off-the-shelf exploits to take control of the landing site. Once this happens, the site silently serves malware without the knowledge of the publisher or the reputable ad network.

Delivery Path Corruption

Because native advertising units are basically scripts created to handle delivery and targeting, it is relatively easy for malware purveyors to insert third-party scripts and codes into native ads. Malicious actors hijack the delivery mechanism to serve scripts and use poisoned JavaScript to redirect users to sites hosting viruses, Trojans, spyware and ransomware. This is a threat closely associated with both closed and open platforms (see section above) that use third-party networks to handle the creation, targeting and distribution of native ads.

Landing Page Dirty from the Get-Go

Cybercriminals have been known to actually create an ad campaign with clean content and its corresponding landing page, then use content recommendation platforms to buy traffic. Since the content is clean, it passes the vetting process. Then, once the campaign is successfully running, the cybercriminal activates the malicious code in the landing page to infect the user.

Often, the attacks are target-specific, for example, by geolocation or device. The landing page that was approved is still available and accessed by certain users, while other users, who fit the cybercriminal’s profile, are directed to the malicious version of the landing page. For example, the cybercriminal decides that anyone coming from the United States or Canada with an iPhone 4 is ideal for infection. The native ad campaign will be clean for every user except those fitting the targeting criteria. (See picture 1 below.)
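
A defender-side check for the delivery-path tampering and targeted landing-page swap described in the two sections above (an added example, not part of the original article and not GeoEdge's product code): replay the same ad click under several client profiles and report any host on the redirect path, or loaded by the landing page, that was absent when the campaign was vetted. The snapshot data, host names and profile labels are constructed, and capturing real snapshots per geography and device is assumed to happen elsewhere.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed snapshots: one ad click replayed under three client profiles.
CLICK = "https://click.adnet.example/c?id=1"
OFFER = "https://advertiser.example/offer"
CLEAN = '<script src="https://cdn.advertiser.example/app.js"></script>'
SNAPSHOTS = {  # profile -> (redirect chain, final landing-page HTML)
    "vetting": ([CLICK, OFFER], CLEAN),
    "de-desktop": ([CLICK, OFFER], CLEAN),
    "us-iphone": ([CLICK, "https://hop.bad.example/r", OFFER],
                  CLEAN + '<iframe src="https://kit.bad.example/l"></iframe>'),
}

class _ResourceHosts(HTMLParser):
    """Collect the hosts of active content a landing page pulls in."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("script", "iframe"):
            url = a.get("src")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            url = (a.get("content") or "").partition("=")[2].strip()
        host = urlparse(url or "").hostname
        if host:
            self.hosts.add(host)

def fingerprint(chain, html):
    """Return (hosts on the click path, hosts loaded by the final page)."""
    parser = _ResourceHosts()
    parser.feed(html)
    return {urlparse(u).hostname for u in chain}, parser.hosts

def find_cloaking(snapshots, baseline="vetting"):
    """Report hosts a profile sees that the vetted baseline did not."""
    base_path, base_res = fingerprint(*snapshots[baseline])
    findings = {}
    for profile, (chain, html) in snapshots.items():
        path, res = fingerprint(chain, html)
        extra = sorted((path - base_path) | (res - base_res))
        if extra:
            findings[profile] = extra
    return findings
```

Run on a schedule rather than once, the same comparison also catches a landing page that was clean at approval and changed after the campaign went live.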

Native Ad Malware Protection

GeoEdge stands ready to prevent post-click malware in your native ads. We already work with leading content recommendation platforms and have developed agile technology that continuously scans native ads and their landing pages. Dynamically changing landing pages and malicious campaigns targeting certain users are detected and stopped. With GeoEdge, users are protected from malicious native ad campaigns.

Conclusion

The ad tech industry is looking to perfect a more targeted, more robust, more intelligent solution for users. Native advertising, when properly protected and implemented with adequate disclosure and church-state separation, can be a powerful tool for publishers and brands. However, it’s important for publishers and native advertising platforms to fully understand the security implications. Post-click malware puts site visitors and end users at risk. The industry needs to take a closer look at native advertising and its parameters to make sure the next big malvertising attack doesn’t come from native. In the meanwhile, you can turn to GeoEdge to keep your site and your users protected.

[Source: mobiinside.com]


Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
http://www.mobiinside.com/2017/04/06/geoedge-native-ads/

Thanks robot