Cybersecurity Firm Finds Increasingly Complex and Common Malware Inside of Ad Networks

Devcon says it's found several polyglots

Hackers' attacks on ad networks are evolving. (Photo: Getty Images)

A cybersecurity firm says it’s uncovered an experimental and more complex form of malware than previously seen inside of several major ad networks, potentially signaling that mainstream hackers are looking to target the ad-tech ecosystem beyond siphoning revenue.

Devcon, a startup focused on cybersecurity for the media industry, says it found several polyglots inside what appear to be digital ads impersonating brands. A polyglot is a single file that is valid in two formats at once; in this case an image file that a browser can also parse and run as JavaScript. The company didn’t disclose which websites served up malicious ads, but so far the fraudulent ads have been seen in ad servers including GumGum and Yahoo, with a handful of sites attacked as many as 50,000 times over the past few weeks. So far, the company has identified five spoofed brands and seven pieces of ad creative carrying polyglots.

In the past week Devcon has seen as many polyglot attacks as other exploits (code that takes advantage of a software flaw) typically produce over months, according to Devcon CEO Maggie Louie. She said the complexity and scale of the attack might be a sign that mainstream hackers are looking to take advantage of vulnerabilities within the ad-tech ecosystem, which could mean moving beyond siphoning ad dollars into tactics like ransomware. Researchers say polyglots could also be used to hijack device processing power for cryptocurrency mining, or to move money from one bank account to another by way of a supply-side server and a demand-side server.

While polyglots aren’t new to anyone familiar with cyberattacks, Devcon says this is the first time they’ve been seen in digital advertising. Given the nature of digital advertising’s infrastructure, attaching malicious code to programmatic ads could pose a new threat to users: the same demographic and behavioral data that advertisers use to buy audiences would let attackers choose their victims in a hypertargeted way.

A related technique, steganography, hides one file inside another, for example by altering pixels in an image in ways invisible to the human eye; the hidden data then has to be extracted by a separate program before it can do anything. A polyglot is different: the same bytes are both a valid image file and valid JavaScript, so the file renders when loaded as an image and executes when loaded as a script. That, Devcon chief technology officer Josh Summitt says, makes JavaScript-rich ad-tech systems especially vulnerable.

“It’s the missing link. … It’s a huge jump for a hacker group that we saw just two months ago using some known techniques that weren’t sophisticated at all to what is now a very sophisticated research project,” Louie said.

Summitt, who was skeptical at first as to whether the firm had actually identified a polyglot, said the images seemed innocent with what appeared to be a small payload that’s part of the ad. However, once the impression is served on a website, it will automatically deploy—perhaps sending a user what looks like an average pop-up scam about a software update or a coupon.

Devcon has been tracking this particular group of hackers since last summer and has seen its exploits evolve from less complex techniques. While some of the brands spoofed in this attack are lesser known, such as a women’s online retailer called Bellelily, previous attacks included ads from better-known brands like Carnival Cruises.

Once a user clicks on a malicious ad, they might be asked to input sensitive information such as medical history, credit card information or an email address.

“We’re aware and investigating the use of unauthorized polyglot technology affecting some ads on our network,” a Verizon spokesperson said via email. “Providing a trusted digital experience to our partners is a top priority. In tandem with our proprietary technology, partners and human reviewers, we’ve deployed new tools that can better detect these sophisticated threats that pose as legitimate ad content.”
