Threat Post recently reported that AOL's ad network was serving up malicious URLs on numerous websites including The Huffington Post. However, AOL's ad network wasn't actually hacked. The source of the malware was a malicious advertisement (malvertisement) that could have come from anywhere along the digital ad supply chain.
This chain is a free market made up of hundreds of suppliers offering various services. There are simply too many points of entry that can be exploited. Policing this market is incredibly difficult and adding restrictions could disrupt a lucrative and rapidly expanding RTB industry.
While AOL and the affected websites were named in the news report, they weren't the intended targets. The targets were end users who wound up visiting the infected websites while the malvertising campaign was live. The attackers weren't concerned with whether the ad network was Google, AOL, Yahoo, Facebook, etc., nor were they concerned with which websites their malicious ads appeared on.
In these types of cyber attacks, cybercriminals are only concerned with spreading malware and stealing information like logins, bank account numbers, social security numbers, personally identifiable information (PII) and personal health information (PHI), all of which are typically stored on people's computers. These types of cyber attacks create a PR problem for the brands that own the websites and the ad networks involved, even though their own networks were not compromised.
In malvertising attacks, cyber thieves use digital assets like websites produced by trusted brands to spread malware, but those digital assets are just proxies. The end goal is the end user's device. It's a tough position for brands to be in because although they weren't breached, they still suffer from unhappy customers and bad press.
Of course, a single individual isn't the treasure chest of valuable data that, for instance, a POS system at a major retailer can be. However, infect enough individuals and a single malware campaign can net large amounts of valuable information that can be converted into cash or traded as a commodity on black markets.
Brands should take note of the changing malvertising ecosystem because the digital world has become so much more focused on the individual consumer. Plus, the fallout from a bad customer review is far more impactful than ever before. The harm caused by the bad press from these types of cyber attacks extends beyond just information security. Sales and marketing efforts, and eventually the bottom line, are hampered as well.
This particular incident was discovered and addressed in a timely manner. However, instances of malvertisements running on websites large and small occur constantly. What steps has your company taken to manage this type of incident? Do your brand management and security resources align in order to address the technological and reputational challenges posed by cyber threats to customers?