GeoEdge Researchers Uncover Hacker Abuse of WebRTC Protocols via Behavioral Analysis

GeoEdge Researchers Uncover Hacker Abuse of WebRTC Protocols via Behavioral Analysis

The real challenge: WebRTC is a serverless communications protocol, and WebRTC malvertising is only detectable via behavioral analysis. Blacklisting – the most frequently used method to block malicious ads – won’t enable uncovering or blocking WebRTC-based malvertising.

Programmatic advertising is facing a new threat: WebRTC malvertising.

Security researchers at ad security and verification provider GeoEdge used proprietary behavioral analysis technology and discovered WebRTC malvertising attacks occurring via ads served through programmatic exchanges, predominantly through header bidding, in the last few months. WebRTC is a commonly used open-source framework for the web and mobile apps that enables Real Time Communications in the browser or app.  WebRTC-based malvertising attacks can only be detected by behavioral analysis since there isn’t an offending domain. Furthermore, the malvertising attack is launched through cloud services from industry giants such as Amazon AWS or Microsoft Azure. Therefore,  blocking that cloud service will block all of the ads originating from it, even though 99% of the ads are safe.

According to GeoEdge’s security researchers, WebRTC malvertising was found to be exclusively distributed through programmatic exchanges with 87% via header bidding. The company predicts that these attacks on ads served on mobile devices including tablets are expected to cost publishers $325 million in revenue in 2019, as well as providing a bad user experience for the users who become victims of the malvertising attacks, and are auto-redirected to the undesirable ads or content. With malicious actors undoubtedly developing new forms of WebRTC malvertising, the revenue loss to publishers will only increase in the coming years.

Read More: Ad Council Announces New Members of Board of Directors

Example of how a WebRTC Malvertising attack occurs

A user views an ad for Weight Watchers or a Trump Hotel (two recent victims) that won a bid in a programmatic header bidding auction via Rubicon, but that ad was simply found online and used by the malicious advertiser, and it is unconnected to either Weight Watchers or Trump Hotels. When the unsuspected user is exposed to the ad, they’re redirected to a malicious landing page, offering fake flash updates or gift card scams. Though the WebRTC malvertising seen by GeoEdge security researchers is auto-redirected to malicious landing pages, there is no reason other malvertising tactics, including malware, ransomware, phishing scams and more, won’t be used in future WebRTC malvertising.

The only way to uncover WebRTC malvertising is through behavioral analysis, which can detect suspicious ad behavior and only block the problematic tag.

Most ad security solutions use blacklisting to block malicious domains or other known sources of malicious activities. That tactic causes financial damage to publishers because many safe ads are also blocked. Nevertheless,  in the case of WebRTC malvertising, blacklisting has no value because there is no ad domain to block. The only server is the STUN server – the server used by the cloud computing solution and operated by companies such as Google or Mozilla.

Read More: Vidoomy Starts a Revolution With Completely Interactive Video Advertising

In order to detect Web RTC malvertising, GeoEdge’s security research team used the company’s proprietary behavioral analysis technology, which analyzes ad serving patterns in order to uncover and alert GeoEdge regarding suspicious ad activity. The behavioral analysis technology enables GeoEdge to stop only problematic ads without blocking entire campaigns or an entire network or exchange. And with GeoEdge’s real-time blocking, once an ad has been identified as malicious and blocked, the offending ad is replaced with a safe one, ensuring maximum publisher revenue.

“WebRTC Malvertising highlights the industry’s migration to ad security 2.0 – moving beyond merely blocking offending domains and instead relying on advanced behavioral analysis technology that can uncover difficult to track malicious activities,” said Amnon Siev, GeoEdge’s CEO. “With new strains of WebRTC malvertising and other obfuscated malicious activities being developed, I’m confident that GeoEdge has the team and technology to keep app developers,  publishers,  their users, and marketers safe.”

GeoEdge enables the supply side of the digital ad ecosystem to focus on publishing, instead of worrying about malvertising attacks. The company handles malicious and unsafe advertising so that publishers, app developers, and other supply-side clients can focus on optimizing their advertiser campaigns and provide better and more effective relations with their clients in the time saved. GeoEdge enabled clients to find a 90-95% reduction in complaints through the elimination of offensive and malicious ads, and gain full transparency and visibility of their entire ad inventory, beyond the blocked malicious ads, facilitating improved management of each partner’s brand safety needs.

Read More: everis and Infobip Partner to Offer Omnichannel Customer Experience