Research / Insights on current and emerging industry topics
WebRTC is the newest, trickiest front in the fight against redirects
April 19, 2019 | By Tobias Silber, CBO – GeoEdge@tobiassilberOne of the great challenges in digital ad security is the fact that the bad actors always start this race in the lead. Whenever the legitimate ad industry gets to work eradicating one security threat, malvertisers find another point of entry to deploy their sinister wares.
For the past couple of years, the industry has had its sights on auto redirects, which can abruptly end the user’s session, prevent the affected publisher from monetizing that session, and potentially damage that user’s trust in the publisher’s site. The fight against redirects is ongoing. And now it’s complicated by a new attack vector—vulnerabilities in the commonly-used web WebRTC protocol. Those vulnerabilities are now responsible for a quarter of all identified redirects.
Exploiting a vulnerability
WebRTC is a framework that facilitates audio and video calls and chats across different web browsers and mobile apps, including VoIP tech (i.e., web phones). It’s used by a large number of major digital companies—Google, Apple, Microsoft, Mozilla, Opera. Back in 2015, media outlets reported WebRTC had a security flaw that could expose users’ real IP addresses. At that time, this was treated as a risk for users who wanted to browse anonymously. Now, malvertisers have gotten in on the game, using that same point of entry to unleash redirects on users.
This rash of redirect attacks is particularly sinister because they take advantage of WebRTC, which is a distributed peer-to-peer service. Blacklisting doesn’t work here as a security method, because there’s effectively no server or domain to blacklist. The perpetrator of the attack will send the request for a redirect to a STUN server, which itself can’t be blocked because it’s used by legitimate companies (Google, Microsoft and so on) running legitimate scripts. If you were to block these attacks, you’d block any data from major cloud-based services.
Targeted and tenacious
The scammers’ strategy gets sneakier from there. WebRTC allows bad actors to identify whether the user already has a public IP or is outside of the targeted range for their attack. It even allows them to identify whether the “user” is likely to be a real person or merely an emulator set up as a security measure. If the user does not seem to be a real person within the desired range, they’ll simply be shown a legit ad from a third-party programmatic ad platform. If they “pass muster,” they’re served a redirect code. And now the perpetrator also has logged their VPN, IP and local network addresses.
In short, blocking any one entity launching these redirects is nearly impossible. Their code is written to evade at several possible security points, using channels that are already difficult to moderate because of their decentralized nature. In researching this problem, GeoEdge found some of these bad actors will evade detection even if it means leaving revenue on the table that they could potentially hijack.
The trouble with header bidding
Technically, any form of malvertising could sneak through WebRTC. But so far, the attacks we’ve identified have been redirects. The bad actors are exploiting vulnerabilities in the programmatic marketplace. In particular, they use header bidding, which has been exploited in 87% of redirects through WebRTC. All told, our research has shown that redirects are costing the digital ad industry $325 million per year, and 24% of those redirect attacks exploit the WebRTC loophole.
GeoEdge studied how these malvertisers operate by reverse-engineering scripts, discovering the malicious code, and using it to launch trial attacks. From that point, researchers could investigate how to block attacks via WebRTC without also breaking WebRTC’s functionality. Ad blockers, they found, were one possible method. However, at times, ad blocking technology can prevent WebRTC from working properly.
The real-time approach
A more effective strategy is one that is already becoming industry standard—analyzing code, recognizing when an unfamiliar script show similar characteristics or behaviors to a known threat, and blocking the problem code before it reaches the publisher’s page. This real-time approach has been embraced by a growing number of publishers in the fight against redirects from other vectors. It’s proven similarly effective in guarding the WebRTC entry point, without impeding the user’s ability to communicate with others across various browsers and devices.
The fight against malicious and low-quality ads will always find its way to new fronts. As it does, all legitimate digital companies, including ad security providers, must find those fronts and engage. When the bad actors manage to evade security methods the industry has relied on in the past, it is time to develop new technology. We may not know what risks we’ll face in the future, but for now, the industry’s best bet is to move toward real-time risk detection and blocking as table stakes in the digital security game.
To learn more, download the GeoEdge white paper. WebRTC Malvertising: fighting a new form of obfuscated attacks.