Facebook Doubles Bug Bounties For Ad-Related Flaws

Is it a sign that online brands are treating malvertising more seriously?

As malicious attackers continue to target the online advertising ecosystem that drives todays Internet economy, increasing numbers of large online brands have been forced to find ways to stem the fraud of malvertising. Facebook made one such step today, announcing that it plans to offer big incentives to white hat hackers who find and report flaws in its advertising platform through the companys bug bounty program. Facebook says that for the rest of 2014 it will offer double bounties for vulnerabilities found in its advertising platform UI, API, analytics tools, and in the backend code that helps it target, deliver, bill, and measure ads.
We hope to encourage researchers to become more familiar with the surface area of ads to better protect the businesses that use them,
Facebook said in a blog announcing the bounty increase
.
The move can be seen as evidence that large Internet firms like Facebook understand the challenge they face as the criminals have found attacking advertising platforms to be highly profitable endeavors for a number of reasons.
Ad platforms have been a major channel for real damage against both users and the companies that service them, says Dan Kaminsky, chief scientist for WhiteOps. Malvertising pops up as a method for distributing malware, and the trend of click and impression fraud can bankrupt a firm while deeply enriching fraudsters.
While malvertising is often most associated with click fraud, some security researchers now believe it is gaining prevalence as a distribution method and
may rival current exploit kits as a distribution method
. Because of the way attackers abuse these platforms, some security experts wonder how effective simply doubling the bounty on flaws within Facebooks ad platform code will really be at solving the malvertising problem for Facebook customers and users.
Todays malvertising campaigns are not due to flaws in any given ad bidding platform. The issue is that real-time ad bidding allows advertising bid winners to redirect to self-hosted content outside the control of the ad platform, explains Pat Belcher, head analyst of security analytics for Invincea. Malvertisers are winning ad bids, redirecting visitors to exploit kits that are online for just a few minutes, and delivering malicious payloads to whomever they wish to target using the targeting capabilities of the real-time ad bidding platform providers.
Invincea
reportedly
also is seeing a rise in malvertising targeting defense contractors in cyber espionage attacks. The company plans to publish a report tomorrow on these attacks.
In this case, Facebook may simply be going through a CYA process, but the fundamental problems with how the platform works arent necessarily going to be fixed.
The problem with malvertising will continue, but at least Facebook can say it is not a flaw in their actual platform, Belcher says.
However, as Kaminsky explains, every step to thwart attackers offers some positive benefits.
The fewer places for bad guys to hide, the better. And this has been a very profitable place for them to hide, he says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Facebook Doubles Bug Bounties For Ad-Related Flaws