Login is restricted to DCN Publisher Members. If you are a DCN Member and don't have an account, register here.

Digital Content Next


InContext / An inside look at the business of digital content

Malware and redirects: Publishers need to protect customers now more than ever

March 1, 2019 | By Steve Stup, CRO—The Media Trust @TheMediaTrust

As the programmatic revolution reaches its potential, bad actors continue to find innovative ways to exploit the system. The technological advances to increase advertising efficiency are the same ones targeted by bad actors who are incentivized to move at a faster pace in order to keep their revenue streams flowing. The result is an endless scourge of malware and auto redirects that threaten the viability of the overall digital advertising supply chain and the relationship the industry has with the end consumer.

Programmatic provides a green field to bad actors, who consistently evolve their attacks, bypassing defenses and attacking publishers and their digital customers. Once thought the answer to publisher woes, malware blockers have proven to be a short-term fix. Unfortunately, malware incidents have almost doubled since the solution’s relatively recent introduction. Clearly, something has to change. That’s why smart publishers are calling in the experts and forming a joint task force between their Ad Ops and the IT/security teams to combat the problem together.

Bad ads aren’t your only problem

Digital ads are not the only security issue that publishers need to watch. Digital publisher businesses have diversified their revenue streams, evolving from advertising-only models to introduce subscription services and merchandise stores such as the ones hosted by most major news outlets, like The New York Times, NBC, and the The Washington Post. These new revenue channels introduce a new significant security risk for publishers due to the storing of personal data and credit card information.

Publishers are an even more tantalizing target for cybercrime groups, especially those behind large-scale malicious campaigns like Magecart, ShapeShifter-3PC, and ICEPick-3PC. Cybercriminals increasingly use the digital ad supply chain targeting payment pages to steal personal data and payment card information. Publishers trust that the payment processing vendor provides perfect security. However, time and again, these vendors are compromised, either through a direct hack, employee error, outdated code or misapplied patches. Even worse, when a breach happens, the customer will hold the publisher accountable. Headline grabbing news regarding major breaches in the past year focus on the brand, not the vendor. That makes sense since the brand has the relationship with the consumer.

Cybercrime groups zero in on vulnerabilities in third-party code in the digital environment to execute their attacks. Digital ads serve as delivery vehicles for third-party code. Publishers also rely on third-party code to optimize and monetize the user experience. Beyond ad-related platforms, the use of analytics, content delivery systems, video platforms, and widgets carry the risk of being compromised, exposing the website and its users to harm. One recent example is the havoc wreaked by the JuiceChecker malware, which utilized vulnerabilities in third-party code to enable smart malware delivery, which evaded multiple detection efforts including malware blockers.

Interdepartmental partnership

These complicated scenarios leave publishers with difficult choices. While using ads and other types of third-party code help to generate more revenue, they also expose them customer base to more vulnerable code, ready to be exploited by cybercriminals who know how to find and exploit weaknesses. Exposing customers to these threats have long-term consequences. Failure to strike an appropriate balance between revenue and security kills the user experience and creates situations where customers don’t return.

Clearly, a modified approach is necessary if the balance is to be struck correctly. This approach involves bringing product and IT/security teams into the ad/revenue operations fold. An interdepartmental culture is already being fostered by many publishers in order to stay on the right side of legislation such as the EU’s GDPR and California’s upcoming Consumer Privacy Protection Act.

The need for digital security expertise

Moving forward, advertising and revenue operations must work with both product and IT/security teams to review publishers’ existing vendor relationships and strategize how to drive revenue without sacrificing security. Internal security teams are experts in the latest threats and can help develop a comprehensive plan to protect the digital environment and deliver a better user experience.

The ability to successfully generate revenue through multiple revenue streams is important. It is up to the revenue teams to engage with the security experts within your organization to make sure the Internet remains a safe place for advertisers, businesses, and users alike.

About the Author

Steve Stup is responsible for developing and overseeing the revenue and product strategy at The Media Trust. Previously, he ran digital strategy as the General Manager at The Washington Post. In this capacity, he was pivotal in the publication’s digital transformation effort and served on the leadership team that helped position it as one of the most innovative digital publishers in the industry. He led teams responsible for driving product strategy, ad innovation, and revenue operations. Prior to that, he was in technology sales at Lexis Nexis, and other recognized brands. He received his MBA from The George Washington University and is an alum of Virginia Tech.

Liked this article?

Subscribe to the InContext newsletter to get insights like this delivered to your inbox every week.