The following incident response tactics are designed for a small to
medium-sized publisher. The steps below can even be implemented by
organizations with only one or two full time resources in advertising
- Objective: find the vector of the attack and stop it as quickly as possible—in this case, that means finding the affected ad or tag in your network and turning it off.
- Take it seriously—malvertising
is a threat to our industry, and a threat to your brand, your user-base
and your revenue stream. Learn as much as possible and educate your
organization about the threats; if an attack does occur, resolving
it must be your top priority.
- Develop a relationship with the security team at any relevant service or technology organizations you work with
(particularly your 3rd party adserver); often, issues can be escalated
and resolved more quickly if this group is involved early in the
- Have a
response plan in place with contact information before a problem occurs so you
can respond immediately to mitigate any threats. Develop and document an incident
response plan that identifies stakeholders, procedures for notification and
off-hours issue handling (who is on call, how are they contacted, who is
notified, etc.). Work with your internal team to establish what constitutes an
"incident"—how many user complaints in what time, etc. Review this
internally to make sure everyone knows how to respond should an attack occur.
- Work closely with customer service to gather information—your
first notification of an attack will likely come from your users, and
frequently customer service will be overwhelmed with confused and angry
responses. Since these users are your best opportunity to gather
information on the nature and source of the attacks, work with CS to
develop a system to capture relevant information. A sample script
is also provided below for Customer Service; work with your internal
teams to review this against corporate policies, site terms and privacy
policies before using. If you have a method of dynamically capturing
information in the CS pipeline (email forms, etc.), here are some
fields to consider:
- Exact time of incident
- Geo-location of user (especially Country)
- Detailed description of attack
- Did the user notice a particular ad?
- IP Address (review your privacy policies here)
- Any internal codes that can help you ID the mix of ads the user saw? (review your privacy policies here)
Keep in mind that malicious code embedded in Flash can be set to
deliver on a time of day and geo-targeted basis, making it extremely
difficult to replicate within your organization; it's imperative that
you collect enough information to establish an attack pattern.
communication—develop a list of people within your organization that
you should notify at time of attack and keep updated while you respond
to the attack.
- If you
work with a 3rd party adserver, notify them that you are being attacked
(file an urgent case) and follow their instructions wherever possible;
they should have specific technical tools you can use to help them ID
the malicious ad or tag.
- From your adserver, pull the prior few days' delivery by Ad/Tag—scan the data and "flag" any likely vectors in the list:
- New/unknown advertiser
- Ads/tags from self-serve business lines
- Ads/tags from ad exchanges
- Ads/tags from networks
- Run dates—did the ad/tag start on the same day as the user complaints?
- Other targeting—does the ad/tag fit the attack pattern based on user complaints?
your Ad Network partners that you are being attacked, and provide them
with relevant information (see sample script below) that could help
them identify the malicious ad/tag on their end. Demand a timely
response—threaten to deactivate tags if needed.
you don't get an affirmative response from your ad networks (for
example "yes, we did see a campaign for advertiser X that is suspicious
and we have deactivated it"), begin sequentially deactivating each
network's tags. Did the user complaints stop? If not, deactivate the
next group. If you can, keep going until you deactivate all
network/exchange tags. If the attacks continue, this is not the vector
of the attack, and you can reactivate.
- Using the same method, sequentially deactivate any other suspect tags from your list above.
Thank you for alerting us to this issue.
you may know, criminals perpetrate a number of online advertising
scams, which can include 1) browser based attacks (where a user's
infected computer serves ads over those scheduled by the website they
are viewing) and 2) ad based attacks, where scamware is distributed
through ads without the knowledge of the website. In both scenarios,
the attacks occur without the knowlege of the website the user is
visiting. It is not the policy of XX to deliver misleading, malicious
or offensive advertising to users (for more information, see our terms
the source of these attacks can be very difficult to identify, user
reports are often our best method for finding and stopping these
issues; with that in mind, would you mind answering a few questions?
1. What was the exact time of the incident?
2. Where are you located?
3. What browser are you using?
4. Did you notice a particular ad right before the incident happened? Who was the advertiser?
5. Did you notice anything else out of the ordinary—browser popped a strange warning dialog box, etc.?
We'd also like to be able to contact you for additional information, what is the best way to reach you?
Again, thank you for your time and attention to this matter.
Customer Service Lead
B) Sample Script for notifying Ad Networks and other intermediary parties who may have tags in your system (exchanges, etc.):
Dear Network Partners,
are currently experiencing a malvertising attack. As you know, ad-based
malware is a threat to the entire online advertising industry, and as a
publisher we take this threat to our business very seriously. These
attacks can involve malicious code in a creative that is being served
through a network to a publisher, and in these instances, the network
usually is not aware of the situation.
take the time ASAP to review the details below, and confirm via email
that you have reviewed the ads in your network, and nothing resembling
the ads described below is running through your network on our site(s):
- Description of attack
- Description of any ad(s) seen by users
If we do not hear back from you by X, we will deactivate your tags.
Thanks in advance for your time and attention to this matter.
Ad Ops Lead
Incident Response Tactics and Sample Scripts provided by Dan Dillinger, Allrecipes.com