Tips For Ad Operations

The following incident response tactics are designed for a small to medium-sized publisher. The steps below can be implemented even by organizations with only one or two full-time staff in advertising operations.
  • Objective: find the vector of the attack and stop it as quickly as possible—in this case, that means finding the affected ad or tag in your network and turning it off.
  • Take it seriously—malvertising is a threat to our industry, and a threat to your brand, your user-base and your revenue stream. Learn as much as possible and educate your organization about the threats; if an attack does occur, resolving it must be your top priority.
  • Develop a relationship with the security team at any relevant service or technology organizations you work with (particularly your 3rd party adserver); often, issues can be escalated and resolved more quickly if this group is involved early in the process.
  • Have a response plan in place with contact information before a problem occurs so you can respond immediately to mitigate any threats. Develop and document an incident response plan that identifies stakeholders, procedures for notification and off-hours issue handling (who is on call, how are they contacted, who is notified, etc.). Work with your internal team to establish what constitutes an "incident" (how many user complaints in what time period, etc.). Review this internally to make sure everyone knows how to respond should an attack occur.
  • Work closely with customer service to gather information—your first notification of an attack will likely come from your users, and frequently customer service will be overwhelmed with confused and angry responses. Since these users are your best opportunity to gather information on the nature and source of the attacks, work with CS to develop a system to capture relevant information. A sample script is also provided below for Customer Service; work with your internal teams to review this against corporate policies, site terms and privacy policies before using. If you have a method of dynamically capturing information in the CS pipeline (email forms, etc.), here are some fields to consider:
    • Exact time of incident
    • Geo-location of user (especially Country)
    • Browser
    • Detailed description of attack
    • Did the user notice a particular ad?
    • IP Address (review your privacy policies here)
    • Any internal codes that can help you ID the mix of ads the user saw? (review your privacy policies here)
NOTE: Keep in mind that malicious code embedded in Flash can be set to deliver on a time of day and geo-targeted basis, making it extremely difficult to replicate within your organization; it's imperative that you collect enough information to establish an attack pattern.
  • Internal communication—develop a list of people within your organization that you should notify at time of attack and keep updated while you respond to the attack.
  • If you work with a 3rd party adserver, notify them that you are being attacked (file an urgent case) and follow their instructions wherever possible; they should have specific technical tools you can use to help them ID the malicious ad or tag.
  • From your adserver, pull the prior few days' delivery by Ad/Tag—scan the data and "flag" any likely vectors in the list:
    • New/unknown advertiser
    • Ads/tags from self-serve business lines
    • Ads/tags from ad exchanges
    • Ads/tags from networks
    • Run dates—did the ad/tag start on the same day as the user complaints?
    • Other targeting—does the ad/tag fit the attack pattern based on user complaints?
  • Notify your Ad Network partners that you are being attacked, and provide them with relevant information (see sample script below) that could help them identify the malicious ad/tag on their end. Demand a timely response—threaten to deactivate tags if needed.
  • If you don't get an affirmative response from your ad networks (for example "yes, we did see a campaign for advertiser X that is suspicious and we have deactivated it"), begin sequentially deactivating each network's tags. Did the user complaints stop? If not, deactivate the next group. If you can, keep going until you deactivate all network/exchange tags. If the attacks continue, this is not the vector of the attack, and you can reactivate.
  • Using the same method, sequentially deactivate any other suspect tags from your list above.
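The triage in the steps above, as an added Python example that is not part of the original guidance: it scores each row of a delivery report against the complaint pattern using the checklist heuristics (unknown advertiser, risky business line, run date matching the first complaint, targeting that fits the reporting geos) and then groups the flagged tags by source for sequential deactivation. The report columns, the complaint records and the advertiser allow-list are constructed assumptions, not a real adserver export.

```python
import csv
import io
from datetime import date

# Constructed sample delivery report (hypothetical adserver export, not real data).
DELIVERY_CSV = """tag_id,advertiser,source,start_date,geo_targets
1001,Acme Shoes,direct,2024-03-01,US;CA
1002,Unknown Corp,self-serve,2024-03-11,US
1003,Exchange Remnant,exchange,2024-02-20,ALL
1004,BigBrand,direct,2024-01-15,ALL
1005,NetFill,network,2024-03-11,US;GB
"""
# Constructed complaint records, shaped like the fields customer service captures.
COMPLAINTS = [{"date": "2024-03-11", "country": "US"}, {"date": "2024-03-11", "country": "US"},
              {"date": "2024-03-12", "country": "US"}, {"date": "2024-03-12", "country": "GB"}]
KNOWN_ADVERTISERS = {"Acme Shoes", "BigBrand"}  # assumed allow-list of vetted direct clients
RISKY_SOURCES = {"self-serve", "exchange", "network"}  # business lines the checklist flags

def score_tag(row, first_day, countries):
    """Apply the checklist heuristics to one delivery row; return (score, reasons)."""
    geos = set(row["geo_targets"].split(";"))
    if "ALL" not in geos and not geos & countries:
        return 0, ["targeting cannot reach the complaining users"]
    reasons = []
    if row["advertiser"] not in KNOWN_ADVERTISERS:
        reasons.append("new/unknown advertiser")
    if row["source"] in RISKY_SOURCES:
        reasons.append(row["source"] + " tag")
    if date.fromisoformat(row["start_date"]) == first_day:
        reasons.append("started on the first complaint day")
    if "ALL" in geos or countries <= geos:
        reasons.append("targeting covers every complaint geo")
    return len(reasons), reasons

def rank_tags(csv_text, complaints):
    """Return (tag_id, source, score, reasons) tuples, most suspicious first."""
    first_day = min(date.fromisoformat(c["date"]) for c in complaints)  # attack pattern:
    countries = {c["country"] for c in complaints}                      # onset day + geos
    rows = csv.DictReader(io.StringIO(csv_text))
    scored = [(r["tag_id"], r["source"], *score_tag(r, first_day, countries)) for r in rows]
    return sorted(scored, key=lambda t: (-t[2], t[0]))

def deactivation_groups(ranked):
    """Group the flagged tags by source, in the order to switch them off one group at a time."""
    groups = {}
    for tag_id, source, score, _ in ranked:
        if score > 0:
            groups.setdefault(source, []).append(tag_id)
    return list(groups.items())
```

Feed `rank_tags` your real export and complaint log, switch off the first group in `deactivation_groups`, and only move to the next group once you have confirmed whether complaints stopped.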
A) Sample Script for Customer Service (work with your internal teams on language/legal/privacy policy considerations):
Dear User,
Thank you for alerting us to this issue.
As you may know, criminals perpetrate a number of online advertising scams, which can include 1) browser-based attacks (where a user's infected computer serves ads over those scheduled by the website they are viewing) and 2) ad-based attacks, where scamware is distributed through ads without the knowledge of the website. In both scenarios, the attacks occur without the knowledge of the website the user is visiting. It is not the policy of XX to deliver misleading, malicious or offensive advertising to users (for more information, see our terms here.)
Since the source of these attacks can be very difficult to identify, user reports are often our best method for finding and stopping these issues; with that in mind, would you mind answering a few questions?

   1. What was the exact time of the incident?
   2. Where are you located?
   3. What browser are you using?
   4. Did you notice a particular ad right before the incident happened? Who was the advertiser?
   5. Did you notice anything else out of the ordinary—browser popped a strange warning dialog box, etc.?
We'd also like to be able to contact you for additional information, what is the best way to reach you?
Again, thank you for your time and attention to this matter.
Customer Service Lead
B) Sample Script for notifying Ad Networks and other intermediary parties who may have tags in your system (exchanges, etc.):
Dear Network Partners,
We are currently experiencing a malvertising attack. As you know, ad-based malware is a threat to the entire online advertising industry, and as a publisher we take this threat to our business very seriously. These attacks can involve malicious code in a creative that is being served through a network to a publisher, and in these instances, the network usually is not aware of the situation.
Please take the time ASAP to review the details below, and confirm via email that you have reviewed the ads in your network, and nothing resembling the ads described below is running through your network on our site(s):
- Description of attack
- Description of any ad(s) seen by users
If we do not hear back from you by X, we will deactivate your tags.
Thanks in advance for your time and attention to this matter.
Ad Ops Lead

Incident Response Tactics and Sample Scripts provided by Dan Dillinger,