NCSC For Startups is tackling a new challenge: malvertising

Plexal and the National Cyber Security Centre (NCSC) have chosen malvertising as our next challenge for NCSC For Startups. Our director of innovation Saj Huq explains why…

The online ad ecosystem depends on trust, but ads that look legitimate and appear on official, trusted websites could include malicious code that can infect devices with malware and spyware.

In many cases, malicious ads don’t require any user interaction to infect a computer with spyware or malware, allowing cybercriminals to run malicious code and execute ransomware campaigns that can cause significant harm. And if they’re able to use an ad on a legitimate site to take someone to a malicious site, the criminal can use that trust to harvest personal data, commit online fraud or sell data to a third party.

Bad actors find malvertising to be an extremely attractive tactic because it allows them to leverage a complex web of adtech operators, publishers, exchanges and platforms. They can harness the power of network effects to scale up these campaigns, reach a large number of people and avoid detection by platforms. It’s also hard to tell who is responsible for combatting malvertising or who orchestrated a campaign.

It’s a black hat dream, so cybercriminals are buying ad space themselves and using it for nefarious purposes.

This has led to several high-profile websites being compromised with malicious adverts, including trusted household brands and major media outlets. Most recently, an advertising attack targeting Internet Explorer users showed people fake advice about the pandemic and capitalised on people’s greatest fears. And ad security company GeoEdge claims to have found first-of-its-kind malware that was spread to connected smart home devices through a malvertising campaign on mobile. 

It’s such a pressing issue that the NCSC and Plexal have chosen malvertising as our next challenge for NCSC For Startups. If you’re a startup that could tackle this issue with the right support, we want you to apply to work with us as we’re bringing on new members throughout 2021. 

The ad and cyber sectors respond

The online ad industry itself hasn’t adequately grasped the threat that malvertising can pose – and even those who are aware of the threat aren’t equipped to defend themselves.

This is partly because malvertising can take many forms – it can be included in a video, be embedded into the creative of a banner ad itself or be contained inside a pixel on a landing page. In fact, many malvertising tactics involve an updated form of steganography: a millennia-old technique that conceals messages or images inside other text or images.

It’s easy to see how the balance of risk and opportunity is significantly tipped in favour of the criminals. But this is exactly why we, as an innovation ecosystem, need to come together.

We need to galvanise our startups around the challenge to help us maintain trust and protect people. We also have an opportunity to explore how companies working in adjacent and related sectors, including adtech startups, can help join the fight against this threat. 

This is especially important as more people come online (often on mobile) for the first time or spend more time shopping online. They are most vulnerable to malvertising – especially if they’re using an outdated browser, don’t have antivirus software and aren’t aware of the cyber risks they might face online. On mobile, it’s especially easy for people to click on something without thinking twice because we tend to be in a different frame of mind and aren’t as cyber aware. Throw in a crisis like a pandemic and it’s a perfect storm. 

So innovators, it’s over to you. Apply to join NCSC For Startups and we’ll work with you to help you develop or pilot your solution.