On July 11, 2018, the Canadian Radio-television and Telecommunications Commission (CRTC) imposed sanctions against the installation of malicious software through online advertising for the first time in its history. This decision was taken under the provisions of the Canadian Anti-Spam Legislation (CASL), which came into effect on July 1, 2014. The federal agency issued Notices of Violation to Datablocks and Sunlight Media, for allegedly facilitating the installation of malware through online advertising. The companies are subject to penalties of $100,000 and $150,000, respectively.

Matthieu Faou, ESET’s malware researcher, specializes in online advertising fraud. This topic was the subject of his Master’s thesis in computer engineering at the École Polytechnique in Montréal.

He explains that these two companies act as intermediaries for online advertising. “They connect advertisers, either people or companies paying to display ads with publishers, i.e. websites that are enriched with the display of advertising to their visitors”.

Datablocks offers a real-time auction service (RTB). Sunlight Media operates an ad network and serves as a broker between advertisers and publishers (or their respective representatives), using Datablocks’ RTB system.

Matthieu Faou explains: “When a visitor arrives on a publisher’s website, the advertising space on that website for that particular visitor is auctioned on RTB’s platform. Advertisers automatically participate in this auction and the highest bidder pays. Then, its advertising is displayed in real time to the visitor.”

Datablocks and Sunlight Media businesses are vertically integrated. The two companies have close ties through ownership, directors and officers, as well as through their physical location. Sunlight Media is a major user of Datablocks services and benefits from significantly discounted rates for the use of these services.

These types of services are very common in the industry. They can potentially attract malicious advertisers, who may try to push platforms to accept advertising that contains code designed to spread malware. In most cases, the platform and their leaders are not held responsible for such malicious actions by customers abusing their services. However, they are required to protect their network and ban responsible actors as soon as they become aware of any malicious behavior.

In this case, however, the CRTC found that Datablocks and Sunlight Media have in fact facilitated such abuses by allowing advertisers to use their service anonymously, for example.

In a press release to announce the findings, Steven Harroun, Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission, stated the importance of the decision: “As a result of Datablocks and Sunlight Media’s failure to implement basic safeguards, simply viewing certain online ads may have led to the installation of unwanted and malicious software. Our enforcement actions send a clear message to companies whose business models may enable these types of activities. Businesses must ensure their commercial activities do not jeopardize Canadians’ online safety. ”

Among other things found, these two companies were not verifying their new customers and allowed payment by cryptocurrency. While both companies have been warned of these weaknesses in their practice in a 2015 report by cybersecurity researchers and then again in 2016 by the CRTC, neither implemented basic safety measures.

Specifically, the malicious advertisers used the platform to automatically redirect users of a legitimate publisher’s website to an exploit-kit, such as Magnitude or Angler, to install malware on the user’s computer without requiring any action or consent on their part.

When installed, this malicious software included click-fraud trojans, abusing the advertising ecosystem in the publisher side. These trojans aim to force victims’ devices to automatically click on ads on attackers’ websites in order to generate advertising revenue.

The redirection chain from a legitimate publisher’s website can be very long. This is because advertising agencies resell traffic in real time to other advertising agencies. Thus, many different advertising companies can be involved in a single malicious redirection.

While this CRTC fine is a first of its kind in Canada, this type of threat is nothing new in the industry. One of the most notorious trojans of this type is Boaxxe. If you want to know more about Boaxxe, a detailed analysis this infamous malicious malware is available on WeLiveSecurity.