Malvertising


Advertising and Mining: Oil and water? Beer and Milk?

From clever brains to wicked skulls, from new-age Salons to dark alleys of malvertisers; many have tried to mix these two ingredients for more revenues. The right cocktail has still not come about though.

Neither cryptocurrency is egg yolk, nor a digital ad cottage cheese; but somehow these two end up turning into a ‘Cement Mixer’ or ‘Motor Oil’ when shaken together. There has to be some safe spot in this spectrum between a sticky mass and a black mess.

Well, a lot of shots have been taken at that.

And yet, we are staring blankly at a table that has set the same concoction of confusion again. On one side are announcements of mining services (and banner-ad alternatives) like Coinhive halting services (for purported reasons of economic viability, among others). On the other hand, malvertising continues to discombobulate users and publishers alike with new tricks like polyglot images, steganography, Kovter or Angler Exploit Kits displacing old ones even if the slice of malvertising in the big security-breach pizza keeps fluctuating every quarter. Incidentally, one of these many ploys recently married Google’s DoubleClick ad with malicious payload to cryptocurrency miners. Malvertisers have whipped mining with a bad connotation already.

In other words, there are two ways to define a service like Coinhive today.

One guy would swirl his glass and say – Come, on, it is, beyond doubt, a cryptocurrency mining service that can steal processing power for mining cryptocurrency by malicious injections. The other guy would adjust his glasses and ponder – maybe, it is that service that can use a visitor’s processing power to mine cryptocurrency in a transparent way so that publishers can still make revenue if users want to avoid irritating ads. “Wasn’t it something that UNICEF and Salon tried?” he would wonder. Both are right and both are not so sure.

True that. Mining and advertising - not a Martini exactly. At least, the olives seem to be missing.

On the Rocks – kind of

Right or wrong, believable or not, malvertising has come up as a major device in the spread of ransomware and coin mining as seen with payloads WannaCry, Petya, Cryptolocker and Locky. 2014 and 2015 have been years of the worst-possible peaks so far. That explains why even Amazon is putting so much legal weight behind fighting malvertisers. That also spells out why the Coinhive code has been abused so much without seeking user knowledge and permissions. The possibility of non-malicious crypto mining stayed glued to paper except for some pilots by publishers like Salon. Yes, its chief executive Jordan Hoffner actually peeled the lemons and piloted an unprecedented scheme for its users. This scheme allowed Adblock users an ad-free experience if they chose to opt for mining cryptocurrency during their visit duration on the site. So a site can spare a user the annoyance and action around unwanted ads but request the user to give some of their computer’s processor time (sandboxed, safe and without any installations) for calculations. The ice cube on the drink is that crypto mining would sit well for long-form video and text publishers so that the length of a user’s stay on the page helps with more processing time.

Of course, the twist was that these fair publishers were telling users upfront about the mining while folks like Pirate Bay played silent Jack and sites like those of Starbucks spilled the milk and got a lot of flak for alleged and surreptitious mining.

Urgh! Yes. But there is a reason that the spoon bent the wrong way.

A bad hangover

Malwarebytes has explained earlier in a report how drive-by download morphed into drive-by mining. The abuse of an easier-Monero mining alternative resulted in many torrent portals and video-streaming portals – these were brewing with sly tactics to by-pass adblockers and earn money through ads – and integrated web-based crypto mining sat on top of these ads. Not only them, even the people in cyber-uniforms, i.e. tech support guys, have been seen to lock victims under the fire-drill of a virus and then mining coins on these locked machines.

Malwarebytes has reckoned that the damage-control is as good as 8 million blocks per day and that speaks a lot for the total footprint of the attack out there. The US (32 per cent) and Spain (14 per cent) have been witnessed to have been on the suffering-side the most. Even France (12 per cent), Italy (9.3 per cent) and Canada (8.7 per cent) have been hit by drive-by mining.

When the site owner itself does not know about the presence of a crypto-miner at work, then things get all the more eerie. Ex- CBS Showtime, compromised sites of Magento and WordPress.

The mining space seems to pack a lot of potential for another double-dipping tactic to be used by rogue advertisers. They are not only inflicting malvertising attacks but also tiptoeing around with clandestine crypto mining code.  Imagine the reputation damage of or drop in web traffic of a site when this stealth-mining comes into play. But the scene can be a big train-wreck in the case of a website that knows about its cracks but fails to (/chooses not to) inform its visitors about this monetization tool. It is not rare to come across critics who point out fingers at legitimate digital marketers who are ready to line their pockets with this malicious-mining money. Publishers are also not doing too much. Brands cannot play ostrich or helpless when rogue advertising is coming up in longer-stemmed glasses with every next new ruse. Complaining of a headache the next morning is not what the industry expects them to do.

It is an acquired taste

Founder & CCO, Hyper CollectiveKV Sridhar (aka Pops) does not dilute his candour when he maintains ‘if the reason is bad, the device or outcome does not matter’. He talks about user permission and transparency in an empathic voice here. “Anything done without the permission and clear knowledge of a user is just not right. How many people actually end up reading the endless rolls of T&C fine-print?” He also holds the glass for users when he urges an average user to pay utmost attention to privacy. “Use of data for hidden purposes is rampant and serious today.”

Pops, as people in the industry fondly call him, does not lift any weight off the shoulders of brands looking for excuses here. “Any brand or platform should be very careful about use of any radical idea about data. We are already facing so much information-abuse that we cannot afford to be negligent anymore.”

Gaurav Gulati, an avowed specialist in personal branding, brand building and brand engagement suggests precaution as the best way to get rid of malvertising. “The malicious ads can appear on any site, even on reputed websites. If an ad looks explicitly promising, just ignore it. Avoid any ad that promises you likes of money, discount coupons, scholarship, gifts etc. for free. Few cloud-based malvertising detection platforms and solutions provide control over the online ads being shown on the website.”

There is another pertinent, but seldom-discussed, topic that floats up here. It is important to understand for the brands that ad-blocking is not just about the percentage of people have ad-blockers, but rather the percentage of quality ads that are blocked. Both are two very different things. Brands must focus that they need to learn what type of ads visitors like and don’t like.

Gulati captures the real cringe-worthy smell well. “People hate malvertising and no one wants the unwanted pop-up to happen again and again. Brands need to be very cautious and must do every possible thing to keep themselves away from malvertising. It is not just harmful to website visitor but can be very damaging for brand reputation.”

This is where this possibility of making the bad drift into the good holds a lot of steam. Coinhive itself believed in, or touted, responsible use of the mining tool. It has been heard to have stated that browser-mining could be a viable alternative for intrusive and annoying ads when stamped with the consent of the user. 

Ad-blocking, YouTube fiascos, misspent and out-of-context digital advertising etc. are just some of the blows that have mashed online advertising industry into a nervous jelly. A revenue stream in the form of ethical mining (with compulsory opt-in communication to the user) could really have been a helping hand here, as long as answers are found for toothpicks like – slowing down of a user’s machine, faster wear of user’s gadget or system and scope-creep of a user’s consent (i.e. mining longer or in a different way or for a different purpose than what is stated). Not to forget - Hackers and their eyes on this concoction of mining and malvertising continue to condense around this glass.

“There is no wonder that the classic online ad industry is starting to move in favour of cryptocurrency mining, which is nonconsensual use of website visitor’s computer to create more imaginary coins. Domain Generation Algorithm (DGA) to another way in the world of advertising network to assure both ads and the crypto jacker reach the target audience.” Gulati reckons.

Until the right mix and other 69 ingredients are figured out though, the coming together of good mining and good advertising would be something that is tough to make – but is the ultimate bartender’s pride.

The Commonwealth.



Posted from my blog with SteemPress : https://coinatory.com/2019/03/28/malvertising/
H2
H3
H4
3 columns
2 columns
1 column
Join the conversation now
Logo
Center