NCSC Publishes Tips to Tackle Malvertising Threat

Brands should demand their ad partners prioritize cybersecurity best practices, collaboration and transparency if they are to mitigate the threat of malvertising on their websites, according to the National Cyber Security Centre (NCSC).

The UK security agency wants brands to ask their digital advertising partners to follow the principles laid out in new guidance it published yesterday, and demonstrate compliance with independent industry-recognised certifications such as those from TAG or IAB UK.

“By putting in place defence-in-depth measures, digital advertising partners can help reduce the presence of malvertising,” it said. “These actions are transparent to the user and are consistent with the NCSC principles of secure by design, as each measure provides a layer of security which when deployed collectively, reduces harm to the end user.”

Among the principles outlined in the document are ensuring that digital ad partners:

  • Put robust “know your customer” (KYC) checks in place. Although these will add friction to onboarding, they can help prevent bad actors from using digital ad services
  • Employ strong cybersecurity practices covering hardware such as ad servers and bidders, and the integrity of code and information passing through the advertising supply chain
  • Use data only from reputable sources, which is processed lawfully under GDPR rules. Organizations may want to add extra assurance by buying inventory-only channels that are certified as meeting published standards
  • Are using industry-recognised initiatives. These include ads.txt – which allows publishers and distributors to show who is authorized to sell their inventory – and buyers.json and DemandChain Object – which provide transparency around the entities involved in the bid response for an impression
  • Provide information on the malvertising detection and removal services they use, such as how they monitor for unusual activity and escalate investigations
  • Collaborate with other stakeholders including advertisers and publishers to share threat intelligence, enabling all parties to respond faster to threats and build cyber resilience
  • Put in place reliable reporting mechanisms
  • Show a willingness to be transparent over how they reduce harm, and a commitment to securing end users and advertising spend
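As an added illustration of the ads.txt initiative mentioned above (not code from the NCSC guidance or the article), the following Python snippet parses a constructed ads.txt file and checks whether a given seller domain and account ID are listed as authorized, the kind of check an advertiser or its partners can run before trusting the seller claimed in a bid. Record layout (domain, account ID, DIRECT/RESELLER, optional certification authority ID) follows the IAB Tech Lab ads.txt format; the sample domains and IDs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed ads.txt content for a hypothetical publisher site (not a real site).
SAMPLE_ADS_TXT = """\
# ads.txt for example-publisher.test (constructed sample)
contact=adops@example-publisher.test
exchange-one.test, pub-1111, DIRECT, f08c47fec0942fa0
exchange-two.test, 2222, RESELLER
Exchange-One.test, pub-3333, reseller, f08c47fec0942fa0   # trailing comment
this line is malformed and must be ignored
"""


@dataclass(frozen=True)
class AdsTxtRecord:
    domain: str              # advertising system domain, compared case-insensitively
    seller_account_id: str   # publisher's account ID at that system (exact match here)
    relationship: str        # "DIRECT" or "RESELLER"
    cert_authority_id: Optional[str] = None


def parse_ads_txt(text: str) -> Tuple[List[AdsTxtRecord], Dict[str, str]]:
    """Parse ads.txt text into (records, variables); malformed lines are skipped."""
    records: List[AdsTxtRecord] = []
    variables: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if "=" in line and "," not in line:      # variable line, e.g. contact=...
            key, _, value = line.partition("=")
            variables[key.strip().lower()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or not all(fields[:3]):
            continue                              # fewer than three required fields
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue                              # unknown relationship value
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], relationship, cert))
    return records, variables


def authorization(records: List[AdsTxtRecord], seller_domain: str, account_id: str) -> Optional[str]:
    """Return 'DIRECT' or 'RESELLER' if the seller/account pair is listed, else None."""
    for r in records:
        if r.domain == seller_domain.lower() and r.seller_account_id == account_id:
            return r.relationship
    return None
```

A pair that is absent from the publisher's ads.txt is unauthorized inventory and should not be bought, whatever the bid response claims.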

UK an Outlier on Malvertising

Research cited by the NCSC claims that less than 1% of ads served globally in 2023 were classed as a “security violation.” However, this still amounts to nearly three billion ad views, and the share in the UK was twice the global average, at 0.56%.

“The presence of malvertising puts a duty on the advertising industry and hosting platforms to squeeze out those with malign intent,” said the NCSC.

“This is best done with a defence-in-depth approach, where each defensive measure provides a layer of security which, when deployed collectively, makes a cyber-attack much less likely – and helps remove malicious advertisers from the ecosystem.”
