AT&T’s Ad Exchange is Overrun With Data Stealing Malware

Some predict that AT&T’s up-and-coming ad platform Xandr — formerly AppNexus — will eventually surpass Google and Facebook to become the next Big Kahuna of digital advertising. This should terrify all of us: two years after 65% of its demand-side inventory was exposed as fraudulent in 2014, AppNexus was caught in a cyberattack that flooded its supply-side partners with fake ads carrying ransomware and other nasty deliverables. But four years later, after an acquisition by one of the world’s largest telecom companies, it has surely learned it’s lesson — right? According to my research, no it has not: AppNexus is still a kind of digital Mos Eisley serving up infected ads with malicious redirects across its partner sites.

For background, I published an article just one month ago about the re-emergence of “IcePick-3PC” or “eGobbler” on Weather.com. This well-known spyware redirects mobile users to a malicious site where their data is scraped, either to be sold on the Dark Web or in preparation for an upcoming cyberattack. This is nasty stuff, and while the Weather Channel is partially responsible for carrying the ad, it’s upstream partners — in this case, Xandr/AppNexus — are even more responsible for sending it down the line. So before going any further, let me clarify what AppNexus actually does.

Programmatic or personalized advertising is a complicated technology. Not only does it require back-end infrastructure to identify a website’s visitors, but it also requires a real-time marketplace that matches users with perfectly-targeted ads. This is where AppNexus comes in: while the company provides multiple services, it is mainly known for its exchange, where ad networks line up to purchase website placement, and publishers line up to fill their ad slots.

Bringing so many advertising partners together in one place is an impressive feat which helps to drive down the cost of advertising while raising revenue for publishers. But the approach also comes with a serious downside: to infiltrate thousands of publications at once, all a hacker or malicious agent has to do is find a large enough exchange that can’t be bothered to check its own ads for malicious code. And — while AppNexus claims to use a malware detection system called “Sherlock,” — it hasn’t done a very good job over the past four years, and it’s not doing a good job today.

The IcePick-3PC adware continues to circulate through Alexa 500 websites two years after it’s initial discovery. Here’s how it works: when a visitor loads a site, that site makes a call to its advertising partners who pass along a seemingly legitimate ad that is actually laden with malicious code that redirects the user to a fake site.

While there, the malware runs various “checks” on the user to determine what kind of device they have, their operating system, battery level and location. Finally, it opens a remote-peer connection to steal the user’s IP address and store it for later use. The following screenshot shows the packets I received during an IcePick-3PC session, and the buck stops with AppNexus:

By now, IcePick-3PC is old news that should be on everyone’s radar. It should be immediately detected and eliminated by every decent AdTech company on the planet. If it were removed at the source, it would soon disappear — but clearly, that't not happening. Consequently, the malware has a wide circulation that impacts publishers, advertising agencies and — most importantly — end users.

In my previous article, I mentioned that IcePick-3PC loaded in nearly 1 out of every 1000 sessions on Weather.com. For this article, I was curious to find out how many malicious ads originated from AppNexus specifically, including IcePick-3PC and similar adware (which I will discuss in future articles). I set my scanner running on three different machines, and collected the data from twelve different websites.

In the end, I analyzed about 10,000 web sessions, and found that nearly 2 out of every 100 ads from AppNexus are infected by malicious code.

This is nearly double the average rate of malvertising for other ad networks, which ranges from 0.5 - 1%, depending on the source. And - considering that the average web user will see nearly 5,000 ads per day - the average rate is already unacceptably high. Unless something changes, Internet users are being exposed to between 175 and 300 infected advertisements each week.

If AppNexus is anything to go by, things are not changing for the better: is it any wonder that the number of financial theft victims has climbed in recent years?

To kill the monster of malicious advertising, you have to cut off its head. And in this case, the head is Xandr and its overlords at AT&T. Something huge is happening right under their noses, and they aren’t doing anything to stop it. Maybe they just need a push in the right direction — if so, that’s what this article is meant to provide them, because the fact that this is happening shows a systemic failure in the advertising ecosystem which users and publishers have to pay for.

Presumably, fake ads hog slots and provide little revenue to publishers. But that’s not the worst of it at all: the worst thing is that they jeopardize the financial information, identity and personal safety of visitors which AdTech depends on for revenue. Years ago, I started using the AdBlock extension alongside millions of other users, which caused a crisis for publishers who depend on advertising to stay afloat. If the industry wants to fix a crisis of user trust and keep programmatic advertising viable for the long term, they’ll have to start by taking responsibility for the quality of their inventory and eliminate malware at the source.

First published at InfoSec Write-ups