Xandr/AppNexus is serving up infected ads across major websites
Some predict that AT&T’s up-and-coming ad platform Xandr — formerly AppNexus — will Google and Facebook to become the next Big Kahuna of digital advertising. This should terrify all of us: two years after 65% of its demand-side inventory was in 2014, AppNexus was caught in a cyberattack that flooded its supply-side partners with and other nasty deliverables. But four years later, after an acquisition by one of the world’s largest telecom companies, it has surely learned its lesson — right? According to my research, no, it has not: AppNexus is still a kind of digital Mos Eisley serving up infected ads with malicious redirects across its partner sites.
AppNexus was acquired by AT&T in 2018 for
For background, I published an article just one month ago about the re-emergence of “IcePick-3PC” or “eGobbler” on Weather.com. This well-known spyware redirects mobile users to a malicious site where their data is scraped, either to be sold on the Dark Web or in preparation for an upcoming cyberattack. This is nasty stuff, and while the Weather Channel is partially responsible for carrying the ad, its upstream partners — in this case, Xandr/AppNexus — are even more responsible for sending it down the line. So before going any further, let me clarify what AppNexus actually does.
How Ad Exchanges work, courtesy of
Bringing so many advertising partners together in one place is an impressive feat which helps to drive down the cost of advertising while raising revenue for publishers. But the approach also comes with a serious downside: to infiltrate thousands of publications at once, all a hacker or malicious agent has to do is find a large enough exchange that can’t be bothered to check its own ads for malicious code. And — while AppNexus claims to use called “Sherlock,” — it hasn’t done a very good job over the past four years, and it’s not doing a good job today.
IcePick-3PC Lives
The IcePick-3PC adware continues to circulate through Alexa 500 websites two years after its initial discovery. Here’s how it works: when a visitor loads a site, that site makes a call to its advertising partners, who pass along a seemingly legitimate ad that is actually laden with malicious code that redirects the user to a fake site. While there, the malware runs various “checks” on the user to determine what kind of device they have, their operating system, battery level and location. Finally, it opens a remote-peer connection to steal the user’s IP address and store it for later use. The following screenshot shows the packets I received during an IcePick-3PC session, and the buck stops with AppNexus:
Test: AppNexus Malware Rate
In my previous article, I mentioned that IcePick-3PC loaded in nearly 1 out of every 1000 sessions on Weather.com. For this article, I was curious to find out how many malicious ads originated from AppNexus specifically, including IcePick-3PC and similar adware (which I will discuss in future articles). I set my scanner running on three different machines, and collected the data from twelve different websites. In the end, I analyzed about 10,000 web sessions, and found that nearly 2 out of every 100 ads from AppNexus are infected by malicious code.
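As an added example (not code from the original article, nor anything from Xandr/AppNexus), here is a small Python scanner that flags captured ad scripts showing the combination of behaviours described above (device and battery probing, a forced top-level redirect, a WebRTC peer connection) and then computes a per-exchange infection rate the way the test in this section does. The indicator regexes, exchange names and sample creatives are constructed assumptions, not real captures or vendor signatures.

```python
import re
from collections import Counter
# Heuristic indicators for the behaviour described above: probe device/OS,
# battery and location, force a top-level redirect, open a WebRTC peer
# connection to learn the visitor's IP. These regexes are assumptions.
INDICATORS = {
    "device_check": re.compile(r"navigator\.(userAgent|platform|maxTouchPoints)"),
    "battery_probe": re.compile(r"navigator\.getBattery\s*\("),
    "location_probe": re.compile(r"navigator\.geolocation|resolvedOptions\(\)\.timeZone"),
    "forced_redirect": re.compile(r"(top|parent)\.location(\.href)?\s*=(?!=)"),
    "webrtc_peer": re.compile(r"\bRTCPeerConnection\b"),
}

def score_creative(js: str) -> set:
    """Return the set of indicator names present in one captured ad script."""
    return {name for name, rx in INDICATORS.items() if rx.search(js)}

def is_suspicious(js: str, min_hits: int = 3) -> bool:
    """Flag only when WebRTC probing is combined with fingerprinting or a redirect."""
    hits = score_creative(js)
    return "webrtc_peer" in hits and len(hits) >= min_hits

def infection_rate(sessions):
    """Per upstream exchange: (flagged, total, rate) over the captured creatives."""
    flagged, total = Counter(), Counter()
    for exchange, js in sessions:
        total[exchange] += 1
        flagged[exchange] += is_suspicious(js)  # bool counts as 0 or 1
    return {ex: (flagged[ex], total[ex], flagged[ex] / total[ex]) for ex in total}

# Constructed sample creatives (not real captures); the redirect target is a placeholder.
MALICIOUS_CREATIVE = """
var ua = navigator.userAgent, tp = navigator.maxTouchPoints;
navigator.getBattery().then(function(b){ lvl = b.level; });
var pc = new RTCPeerConnection({iceServers: []}); pc.createDataChannel('x');
pc.onicecandidate = function(e){ if (e.candidate) report(e.candidate.candidate); };
if (/Android|iPhone/.test(ua)) top.location.href = 'https://redirect-target.invalid/';
"""
BENIGN_CREATIVE = """
var mobile = /Mobi/.test(navigator.userAgent);
document.getElementById('banner').src = mobile ? 'small.jpg' : 'large.jpg';
"""
VIDEO_CREATIVE = "var pc = new RTCPeerConnection(cfg); // low-latency stream, no redirect\n"
# Constructed session log: (upstream exchange, creative served)
SAMPLE_SESSIONS = [
    ("exchange-a", MALICIOUS_CREATIVE), ("exchange-a", BENIGN_CREATIVE),
    ("exchange-a", VIDEO_CREATIVE), ("exchange-a", BENIGN_CREATIVE),
    ("exchange-b", BENIGN_CREATIVE), ("exchange-b", VIDEO_CREATIVE),
]
```

A single RTCPeerConnection (a legitimate video ad) or a lone user-agent check is not flagged; only the combination the section describes trips the detector.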
To kill the monster of malicious advertising, you have to cut off its head. And in this case, the head is Xandr and its overlords at AT&T. Something huge is happening right under their noses, and they aren’t doing anything to stop it. Maybe they just need a push in the right direction — if so, that’s what this article is meant to provide them, because the fact that this is happening shows a systemic failure in the advertising ecosystem which users and publishers have to pay for.
Presumably, fake ads hog slots and provide little revenue to publishers. But that’s not the worst of it at all: the worst thing is that they jeopardize the financial information, identity and personal safety of visitors which AdTech depends on for revenue. Years ago, I started using the AdBlock extension alongside millions of other users, which for publishers who depend on advertising to stay afloat. If the industry wants to fix a crisis of user trust and keep programmatic advertising viable for the long term, they’ll have to start by taking responsibility for the quality of their inventory and eliminate malware at the source.
First published at InfoSec Write-ups