by Matt Gillis, on Nov 16, 2020 12:00:00 PM
clean.io was founded in 2017 with the mission of delivering our customers real-time protection from unwanted code within any digital environment across commerce and consumption.
We began by tackling malvertising, a problem that plagues online publishers. Today, our cleanAD code runs on over 7 million websites and we’re behaviorally analyzing tens of billions of ads every month.
This reach, and the volume of data it generates, gives us a really strong understanding of what is happening with the execution of third party code on millions of websites.
A New Challenge With Third Party Code
cleanAD is a behavioral, deterministic solution for malvertising prevention, meaning that we automatically block threats in real time based on the malicious code behaviors we see executing on publishers' websites.
Our approach lets us analyze the execution of code line by line, understand what the code does, and identify all of the elements and bad actors involved in the call chain, all the way back to where the malicious activity originated in the advertising supply chain.
Over the course of the last year, we have been studying threats related to client side injections resulting from compromised browser extensions. While most forms of malvertising have historically come from the programmatic advertising ecosystem, we've recently seen a notable rise in threats emerging from client side injections.
What is a Client Side Injection?
Client side (as opposed to “server side”) injections occur when untrusted code from outside of a website is introduced to the site by someone other than the site’s owner.
There are three main ways that client side injections can be introduced:
- Via network level malware, which is found when a user’s router or ISP is compromised
- When the user’s device (desktop, laptop, etc.) is infected and injects malware into the network
- From browser extensions, installed by the user, that are either compromised or expressly designed to inject unauthorized code into the websites that a user visits
Client side injections from browser extensions are particularly problematic for two reasons. Browser extensions are widely used, which makes them an attractive vehicle for bad actors to deliver their attacks, and they enjoy a high level of privileges in the user’s browser, which allows them to bypass server-side security solutions and inject untrusted code into websites.
Not All Third Party Code is Malicious
In our cleanAD business, we analyze and prevent malvertising, which is a form of third party code that dynamically introduces malicious code from ad creative via an ad exchange. This and other types of malicious code can be used to steal users’ personally identifiable information (PII), inject outside ads, or hijack the user experience.
As we developed a deeper understanding of the increase in client side injections we were seeing, we recognized that some might not be considered malicious, but they were nevertheless untrusted and unauthorized.
They are untrusted by site owners, who own their websites but can’t control the code that is executing there, and unauthorized because the site owner didn’t permit them to occur.
With browser extensions, untrusted code is introduced because the user raises their hand and says “I’m okay with injections,” and there is typically little that a website owner can do to control or prevent that.
The Problem With Coupon Code Extensions
When we took a closer look at the code that was executing on the sites we examined, at the top of the list of untrusted injections we saw were Honey, Wikibuy, and other popular browser extensions that auto-inject promo codes into shopping carts at checkout on ecommerce websites.
The code that Honey and similar extensions execute is a client side injection that is both untrusted and unauthorized because website owners haven’t authorized it to execute on their sites.
It also has serious implications for ecommerce businesses.
Coupon extensions function by scraping the discount codes that users manually enter into shopping carts and then sharing them with everyone else who uses that extension.
This means that the limited-use codes that merchants give to their best customers, or award to newsletter subscribers, first-time buyers, or certain classes of customer such as teachers, first responders or military veterans, are now available to anyone, whether they have earned them or not.
Not only does this interfere with merchants’ ability to control their own sales and marketing strategies, it erodes revenue and profit margins, and makes it difficult—if not impossible—to accurately measure marketing attribution, particularly where codes have been distributed through affiliate or referral partners.
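A merchant can measure this leakage from its own checkout data. The following is an added example, not clean.io's code or method: it flags limited-use codes that are being attempted by customers who were never issued them. The campaign names, customer IDs, log fields and the `findLeakedCodes` helper are all constructed assumptions.

```javascript
// Constructed campaign data: which customers each limited-use code was issued to.
const campaigns = new Map([
  ["TEACHER20", new Set(["c-101", "c-102", "c-103"])],
  ["WELCOME10", new Set(["c-201"])],
]);

// Constructed checkout log: one entry per promo-code attempt.
const attempts = [
  { code: "TEACHER20", customer: "c-101", ts: "2020-11-01T10:00:00Z" },
  { code: "TEACHER20", customer: "c-900", ts: "2020-11-02T09:20:00Z" },
  { code: "TEACHER20", customer: "c-901", ts: "2020-11-02T09:15:00Z" },
  { code: "TEACHER20", customer: "c-902", ts: "2020-11-02T11:40:00Z" },
  { code: "TEACHER20", customer: "c-900", ts: "2020-11-03T08:00:00Z" },
  { code: "WELCOME10", customer: "c-201", ts: "2020-11-01T12:00:00Z" },
  { code: "WELCOME10", customer: "c-900", ts: "2020-11-02T09:21:00Z" },
  { code: "NOSUCHCODE", customer: "c-903", ts: "2020-11-02T09:30:00Z" },
];

// Returns codes attempted by at least `minOutsiders` distinct customers
// who were never issued that code, most widely spread first.
function findLeakedCodes(campaigns, attempts, minOutsiders = 2) {
  const stats = new Map();
  for (const { code, customer, ts } of attempts) {
    const eligible = campaigns.get(code);
    if (!eligible || eligible.has(customer)) continue; // unknown code or legitimate use
    let s = stats.get(code);
    if (!s) {
      s = { outsiders: new Set(), firstSeen: ts };
      stats.set(code, s);
    }
    s.outsiders.add(customer); // Set dedupes repeat attempts by one customer
    if (ts < s.firstSeen) s.firstSeen = ts; // ISO-8601 UTC strings sort chronologically
  }
  return [...stats.entries()]
    .filter(([, s]) => s.outsiders.size >= minOutsiders)
    .map(([code, s]) => ({ code, outsiders: s.outsiders.size, firstSeen: s.firstSeen }))
    .sort((a, b) => b.outsiders - a.outsiders);
}

console.log(findLeakedCodes(campaigns, attempts));
```

The `firstSeen` timestamp marks the earliest out-of-audience attempt in the log, which helps trace which distribution channel (for example, an affiliate or referral partner) the code escaped from.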
There hasn’t been anything that ecommerce merchants could do to prevent Honey and other coupon extensions from running on their websites—until now.
On the publisher side of our business, we gained an appreciation for how untrusted code impacts user experience, revenue and brand reputation, and now we’re applying what we learned there to helping ecommerce merchants protect their sites from these same types of risks.
Think about yourself as a user. When you’re on your laptop or PC and someone sends you an executable file, you would typically treat that as untrusted code and run it through an antivirus program or reach out to whoever sent it to you to verify that it is a legitimate file before opening it.
By contrast, publishers are forced to blindly accept untrusted code when they dynamically fetch ads from SSPs, and ecommerce merchants have no ability to control client side injections from their users’ browser extensions.
Building on our experience protecting publishers from malvertising with cleanAD, we’ve now developed cleanCART, a solution that allows ecommerce merchants to block coupon extensions such as Honey, Wikibuy, and others from auto-injecting coupons into shopping carts at checkout.
With cleanAD and cleanCART, One Plus One Equals Three
Until now, you may have seen clean.io as a cybersecurity company that analyzes tens of billions of events every month for the publishers and platforms whose sites we protect.
The threats that businesses face from bad actors are constantly evolving.
Having a broad perspective across Adtech and ecommerce makes us better at protecting ALL of our customers, regardless of industry, because the influx of new ecommerce traffic allows us to see more types of users, engagements, and code.
In short, every new piece of data is an opportunity for us to learn and get better.
The clean.io platform contains a threat network that underpins everything we do. With our expansion into ecommerce with cleanCART, we’re feeding more data into the platform, and it gets smarter with every single event it behaviorally analyzes.
As we look to the future, we’re excited to build a platform that will mitigate the dangers posed by the execution of malicious and untrusted code for businesses, and their users, across the connected world.
We call this “digital engagement security” and we see it as the foundation upon which the future of digital commerce will be built.