MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone

By Byron V. Acohido

Google, Facebook and Amazon have gotten filthy rich doing one thing extremely well: fixating on every move each one of us makes when we use our Internet-connected computing devices.

Related: Protecting web gateways

The tech titans have swelled into multi-billion dollar behemoths by myopically focusing on delivering targeted online advertising, in support of online retailing. This has largely shaped the digital lives we’ve come to lead.

Turns out all of this online profiling has a dark side. Cybercriminals have begun escalating their efforts to bend the legitimate online advertising and retailing fulfillment ecosystem to their whims.

This development is unfolding largely off the radar screen of the website publishers who depend on this ecosystem, says Chris Olson, CEO of the Media Trust, a 15-year-old website security vendor, based in McLean, VA that is on the front lines of mitigating this seething threat.

Meanwhile, billions of consumers who participate in this ecosystem each minute of every day remain blissfully ignorant of how they are increasingly being placed in harm’s way, simply doing routine online activities, Olson told Last Watchdog.

Losing control of risk

Like most other pressing cybersecurity challenges today, the problem is rooted in digital transformation. Specifically, to make their digital operations ever more flexible and agile, enterprises have grown ever more reliant on third-party software developers.

Hark back two decades, Olson says, and the software that website publishers deployed to conduct online advertising and retail transactions was 80 percent homegrown. Today, that percentage has flipped around; virtually all of the myriad software services that make up modern-day online advertising and retail fulfillment is supplied by third-party developers.

“Today, 90 to 95 percent of the source code that renders on a consumer’s laptop, smartphone, Xbox or smart TV comes from a third-party developer,” Olson observes. The upshot, he says, is that “publishers have lost control over what the consumer actually is exposed to.”

A typical website or mobile web app consumer experience today gets cobbled together with software components supplied by dozens of different software contractors. Any sort of general best practices protocols or standards are, in effect, non-existent. This has translated into an expanding attack surface, with manifold fresh attack vectors, Olson says.

Smart attacks

Organized crime rings with a cyber bent are moving to take full advantage. One example is the so-called PayLeak caper, a large-scale phishing and redirect campaign targeting those using their smartphones to visit the websites of premium newspapers and magazines.

The attackers insinuated tainted ads into the flow of legit ads appearing on these websites. Anyone clicking on an ad embedded with PayLeak, silently got their device thoroughly scrutinized. PayLeak checks whether the compromised device is an Android or an iPhone; whether the phone is protected by antivirus; and even whether it is positioned upright, or lying down.


Under predetermined conditions, PayLeak then redirects Android users to a phishing site, using an Amazon gift card giveaway as a lure; iPhone users receive successive popups –  first an update alert, followed by instructions to update their Apple Pay account.

In yet another recent cutting-edge attack, cyber criminals targeted smaller online retailers with stealthy malware, dubbed CartThief, designed to exploit websites using the open-source Magento ecommerce platform.

CartThief goes into action as soon as a consumer clicks to a checkout page and submits an online payment; the malware copies, encrypts and sends personal and financial details from the transaction to the attacker’s command-and-control server.

Threats like PayLeak and CartThief raise larger questions: Have we arrived at a state of complacency?Are lurking threats – attacks that press in each time we go online —  the new norm? Is anything going to compel the tech giants and web publishers to do better? Will consumers demand better?

I had a fascinating discussion with Chris Olson about all of this. Below are excerpts, edited for clarity and length:

LW: Website publishers today rely heavily on third party software; why is that bad?

Olson: What you’re referring to is what I call third-party code, the code embedded in website apps and mobile apps that renders on a consumer’s computing device to make a service or tool work. We’re talking about things like consumer data collection, data management platforms and retargeting enablement systems. This includes smart content delivery systems that factor in demographics, geography and behavior profiles, even the type of device and browser the consumer is using, those sorts of things.

For 20 years now, we’ve been on a continuous march towards outsourcing the software development that make worldwide web and mobile web functions possible. Twenty years ago, roughly 80 percent of that source code was owned and operated by the website publisher. Back then, if you visited a big travel website, most of what happened on your laptop was developed and maintained by that company. Today, 90 to 95 percent of the source code that renders on a consumer’s laptop, smartphone, Xbox or smart TV comes from a third party.

LW: That’s a huge bucket of technology.

Olson: Take the fulfillment area. When you use your credit card, there are probably 30 companies, doing myriad functions, rendering code on your device the moment you type in your credit card number. The largest bucket is probably targeted advertising and marketing communications technologies. And then there is the core architecture of the website you’re visiting, which in many cases today is outsourced, as well.

If you visit a large retail website, you may encounter 100 or 150 third party companies that get access to your computing device. For the most part, no one is really thinking about the security of all of this third-party to nth-party code. It’s only lightly monitored. It is one of the biggest security misses in cyber.

LW: Does the consumer have to do anything to get victimized?

Olson: The attacks we’re seeing usually happen without the consumer doing anything. Credit card skimming is really hot right now. The bad guys are insinuating their malicious code as part of the code that renders on the victim’s device during fulfillment. In the CartThief attack, for instance, they actually used an overlay that renders only on the victim’s laptop or phone to get the victim to type in credit card information. So the publisher doesn’t see it, and the bank doesn’t see it. And the retail transaction actually gets completed. Now the bad guy has the credit card number and no one knows anything has happened.

They then sell 10,000 credit card numbers for whatever the going rate is. The amazing part is they’re doing this by leveraging tools like cookies, data tracking and overlay coding– all of the commoditized software being developed by third-parties.

LW: Has this become a cost-of-doing-business issue; is that why enterprises aren’t doing more to stop this?

Olson: This is definitely something that enterprises can do something about. It’s just that they don’t understand the digital ecosystem, and the complexities involved in digital transformation. Eventually, as enterprises work through their third-party risk management, they are going to realize that their supply chain includes these third-party software developers, and that they are going to have to step up and do the proper level of security vetting of their digital assets.



Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

( LW supplies consulting services to some of the vendors included in our coverage.)




Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone