In recent years, as a growing number of security woes plagued Flash users, browser vendors and developers began to flee Flash for the more secure HTML5 and other open standards. Between 2014 and 2018, the percentage of people viewing a page in Chrome with Flash slid from 28% to 8%. Meanwhile, the percentage of websites that use HTML5 has grown to 70%.

In 2015, when the Interactive Advertising Bureau (IAB) updated its digital advertising guide with best practices for using HTML5, they cited security as the chief reason behind publishers’ adoption of HTML5. While the IAB was right that HTML5 offers far better security than Flash, it has a critical weakness. Hackers now use HTML5’s security functionality to hide malware. This should give pause to HTML5 devotees.

First identified in April, this malware appears to be part of a coordinated campaign that targets iOS devices. This is partly because they are popular, partly because they make detection even more challenging. It has produced at least 21 separate incidents affecting dozens of globally recognized online media publishers and at least 15 ad networks. Ironically, the malware by no means exploits an HTML5 vulnerability. Rather, it uses functionality that not only secures software from malicious attacks by making code difficult to understand, but also helps to deliver a rich experience.

Exploiting Weaknesses

In 2015, just as the exodus from Flash began in earnest, university researchers discovered several techniques to convert HTML5 into a safe haven for malware. The researchers found that if malware were written using the techniques to make code hard to read, it would avoid detection regardless of which browser web visitors used. When used to hide malware, these techniques were coupled with a drive-by download attack that followed these steps:

1. Redirection and Cloaking: The victim goes through a series of redirects that effectively hide attack’s source. The victim’s browser information is gathered and sent to a remote server. If the browser has any vulnerabilities commonly, a malware code is sent back to the client.
2. De-obfuscation: The malware code is obfuscated (broken into chunks) in order to prevent detection. Once vulnerabilities are found in the browser, the code is de-obfuscated (converted into clear-text and reassembled).
3. Environment Preparation: The malware puts together code that will exploit the vulnerabilities.
4. Exploitation: The malware injects the harmful code.

A Growing Problem

Over the course of the two years that immediately followed the publication of the research, malware developers appeared to make little use of HTML5. In 2016, they used a bug in HTML5 to freeze computers and obtain unsuspecting users’ phone numbers. Then, in 2017, The Media Trust malware team identified a small number of random HTML5 malware that made little to no impact on the broader digital ecosystem. It is possible that bad actors behind the malware were simply experimenting before staging a more coordinated attack in a larger scale.

What distinguishes this year’s HTML5 malware from earlier versions is the underlying campaign’s level of coordination and the style of attack. More specifically, the campaign reflects the malware developers’ understanding of the display advertising supply chain. In particular, they recognized the thousands of potential victims. They stage the attack without user interaction, relying instead on auto-redirection. The result is a quicker, much more widespread attack on numerous unsuspecting users.

The Malware Technique

1. Delivery:  When a user visits a targeted online publication, an ad network delivers the malicious ad to the webpage.
2. Checking Criteria: As the user’s device meets each criterion—namely, whether it’s iOS and whether it’s connected to the user’s carrier—the code serving the HTML5 creative checks the criteria. Once the criteria are met, the malware is reassembled in a way that allows the malicious code to execute.
3. Auto-redirection: The redirect is executed. The user is taken to another page that requests their input of personal information.

Preventing the HTML5 Malware Spread Through Campaigns

Should advertisers and marketers stop using HTML5? The answer is no. HTML5 is still far more secure than Flash. However, the HTML5 malware, along with a burgeoning number of malware, are proving more difficult to detect and will require marketers to change how they secure their digital supply chain.

HTML5 malware fly under the radar of traditional security measures like antivirus. Thwarting it requires a more holistic approach where organizations collaborate with their digital partners and third parties on improving the security of their digital ecosystem. It also requires marketers to work with a cross section of teams outside of marketing — cybersecurity, compliance, etc. — in order to improve the security of their creatives and digital assets.

In the digital marketing and media world, hackers prefer easy targets like third parties because they often have weaker security postures than their clients. Once hackers break through a third party’s security measures, they can enter the client’s secure networks undetected through a trusted connection. Another easy target are online ads, which let hackers spread malware to thousands of users without having to compromise or infect a website.

Organizations can avoid third-party and online ad risks by putting in place a robust digital vendor risk management program to police every actor and every code that executes in their digital ecosystem. Such a program enables organizations to develop and continuously update their inventory of direct and indirect vendors.

In today’s complex, dynamic digital ecosystem, an organization’s mix of vendors can change daily. Keeping track of these vendors will require continuous, real-time scanning of digital assets. Second, it helps assess and document the risks from each of these vendors. Third, it enables organizations to share policies and work with vendors and digital partners on resolving issues. Finally, it enables organizations to terminate vendors who continue to violate policy after they have been put on notice.

About the Author

Patrick Ciavolella is Digital Security & Operations Director at The Media Trust. He has been working at the company for over 11 years, protecting clients’ digital ecosystems from the ever-evolving threat landscape. His experience gives him a unique perspective on how companies can defend against rapid, sophisticated and targeted malware attacks.