Mar 12, 2017

How an Advertisement Hijacks the Ad Owner's Content

Overview

(update: they fixed the problem)

When I tried to read an article on Nikkei, Chrome on Android moved, without any notification, to a strange website. (caution: please don't access the URLs in the pics)

What I tried to read (Japanese only): http://trendy.nikkeibp.co.jp/article/col/20030924/106051/?ST=trnmobile_f

This advertisement simply hurts the brand image of the owner website (in this case Nikkei). Other users have also run into the same problem: https://productforums.google.com/forum/#!msg/chrome/AzyvOJ1xcYg/L354tQk1BAAJ

Here is also an interesting comment (https://productforums.google.com/d/msg/chrome/AzyvOJ1xcYg/6R8cSVk8BwAJ):

TNTBrian said:
Even if it is an advertiser, Chrome is still being exploited.
Also it does not happen on an older version of Chrome -- At least for me. Would love to see if the same is true for others.
After reading it, I have two questions.
  1. How does it work?
  2. Why does Chrome allow the problematic script to run?

Tracking requests to see how it works

Here is the *.HAR recorded in Google Chrome when I read trendy.nikkeibp.co.jp:
HAR.zip

Among the responses, one Amazon EC2 instance returned JavaScript that includes the domain "comumx[dot]site", which is the source of the page in the picture above.
It forcibly moves the top-level page to comumx[dot]site:
function(){top.window.location='http://comumx[dot]site/lpde1/index.php?s1=mas_jiami_de&pubid=B22CD7E7954F3EED828B3172748A31FA&bid=354163f6a3a632c304e2b91277de2f3b';}
After checking a bit, I realized this script was triggered through the following chain of requests:
  1. trendy.nikkeibp.co.jp
  2. www.googletagservice.com
  3. securepubads.g.doubleclick.net
  4. ads.rubiconproject.com
  5. optimized-by.rubiconproject.com
  6. tags.mathtag.com
  7. ec2-52-23-195-173.compute-1.amazonaws.com (this one responds with the problematic JavaScript)
Now it's clear how it happens :)
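Reconstructing that chain by hand from a HAR file is tedious, so here is a small analysis script that does the two steps above automatically: it scans every script or HTML response body for code that forces the top frame elsewhere (an assignment to top/parent location, or an explicit replace()/assign() on it) and then walks the load chain back to the page that started it. This is an added example, not the author's tooling or the contents of HAR.zip; the embedded HAR is constructed to mirror the seven hosts listed above, with made-up paths, a made-up benign site script and a placeholder landing URL. It follows the Referer header of each request, and reads Chrome's non-standard "_initiator" object when it carries a "url" (an assumption about that export format; the sample only uses Referer).

```python
import json
import re
from urllib.parse import urlparse

# Matches script that forces the top-level document somewhere else: an assignment to
# top/parent location (with or without .window / .href) or an explicit replace()/assign().
# Kept narrow on purpose so ordinary "location.hash" handling in page scripts is ignored.
FORCED_NAV_RE = re.compile(
    r"(?:\b(?:top|parent)\b|window\.top)(?:\.window)?\.location(?:\.href)?"
    r"\s*(?:=(?!=)|\.(?:replace|assign)\s*\()"
)
SCRIPT_MIME_HINTS = ("javascript", "ecmascript", "text/html")


def load_har(path):
    """Read a HAR file exported from Chrome DevTools (Network tab, 'Save all as HAR')."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _request_header(entry, name):
    for header in entry["request"].get("headers", []):
        if header["name"].lower() == name.lower():
            return header["value"]
    return None


def _initiator_url(entry):
    # Assumption: Chrome's export adds an "_initiator" object; when it carries a "url"
    # that is the loader. Otherwise the Referer header is the best available hint.
    initiator = entry.get("_initiator") or {}
    return initiator.get("url") or _request_header(entry, "Referer")


def initiator_chain(entries, start_url):
    """Walk from start_url back to the document that began the load.
    Returns hostnames, outermost first."""
    by_url = {e["request"]["url"]: e for e in entries}
    chain, seen, url = [], set(), start_url
    while url and url not in seen:          # 'seen' guards against referer loops
        seen.add(url)
        chain.append(urlparse(url).hostname)
        entry = by_url.get(url)
        url = _initiator_url(entry) if entry else None
    return list(reversed(chain))


def find_forced_navigations(har):
    """Return every script/HTML response whose body tries to move the top frame,
    together with the chain of hosts that led to it."""
    entries = har["log"]["entries"]
    hits = []
    for entry in entries:
        content = entry["response"].get("content", {})
        mime = content.get("mimeType", "")
        body = content.get("text") or ""
        if not any(hint in mime for hint in SCRIPT_MIME_HINTS):
            continue                        # images, fonts, etc. cannot navigate
        match = FORCED_NAV_RE.search(body)
        if match:
            hits.append({
                "url": entry["request"]["url"],
                "snippet": body[match.start():match.start() + 60],
                "chain": initiator_chain(entries, entry["request"]["url"]),
            })
    return hits


def _entry(url, referer=None, mime="application/javascript", text=""):
    headers = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": headers},
            "response": {"status": 200, "content": {"mimeType": mime, "text": text}}}


# Constructed HAR excerpt modelled on the chain in the post (not the author's HAR.zip).
# Hostnames are the ones listed in the post; paths and the landing URL are made up.
ARTICLE = "http://trendy.nikkeibp.co.jp/article/col/20030924/106051/"
GPT = "https://www.googletagservice.com/tag/js/gpt.js"
DFP = "https://securepubads.g.doubleclick.net/gampad/ads?slot=1"
RUBICON_ADS = "https://ads.rubiconproject.com/ad/1.js"
RUBICON_OPT = "https://optimized-by.rubiconproject.com/a/1.js"
MATHTAG = "https://tags.mathtag.com/notify/js?exch=rub"
EC2 = "http://ec2-52-23-195-173.compute-1.amazonaws.com/creative.js"

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    _entry(ARTICLE, mime="text/html", text="<html><body>article</body></html>"),
    _entry("http://trendy.nikkeibp.co.jp/js/site.js", ARTICLE,
           text="if (location.hash) { document.title = 'x'; }"),   # benign, must not match
    _entry(GPT, ARTICLE),
    _entry(DFP, GPT),
    _entry(RUBICON_ADS, DFP),
    _entry(RUBICON_OPT, RUBICON_ADS),
    _entry(MATHTAG, RUBICON_OPT),
    _entry(EC2, MATHTAG,
           text="setTimeout(function(){top.window.location='http://landing.example/lp/';},0);"),
]}}

if __name__ == "__main__":
    for hit in find_forced_navigations(SAMPLE_HAR):   # swap in load_har("file.har") for a real capture
        print("forced navigation in", hit["url"])
        print("  snippet:", hit["snippet"])
        print("  chain:  ", " -> ".join(hit["chain"]))
```

On the sample this reports exactly one hit, the EC2 creative, with the seven-host chain from the article page down to the EC2 instance; the benign site script is left alone. Against a real capture the Referer-based walk is an approximation (a script's Referer is often the embedding page rather than the script that inserted it), which is why the initiator field is preferred whenever the export provides it.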

Why did Chrome allow this script to run?

According to the registry information in WHOIS, the domains belong to the following organizations.
  1. NIKKEI (trendy.nikkeibp.co.jp)
  2. Google (www.googletagservice.com)
  3. Google (securepubads.g.doubleclick.net)
  4. Rubicon project (ads.rubiconproject.com)
  5. Rubicon project (optimized-by.rubiconproject.com)
  6. MediaMath (tags.mathtag.com)
  7. ec2-52-23-195-173.compute-1.amazonaws.com (this one responds with the problematic JavaScript)
NIKKEI uses Google's advertisement network on their website.
Unfortunately I hadn't heard anything about "Rubicon Project" or "MediaMath". After googling, I realized they are advertising network companies / agencies.
Rubicon Project seems to belong to the IAB, so generally they should not allow such an advertisement. https://www.iab.com/news/iab-names-googles-jonathan-bellack-rubicon-projects-jay-sears-advertising-technology-council-co-chairs
MediaMath is described on Crunchbase (https://www.crunchbase.com/organization/mediamath#/entity). Their codebase also includes requests against "*.mathtag.com", e.g. https://github.com/search?utf8=%E2%9C%93&q=org:MediaMath+mathtag.com&type=Code&ref=searchresults
The HTTP response from Rubicon Project includes the following:
{
    "pingdom_id": "2117306",
    "ttl": 7,
    "img": "http://pixel.mathtag.com/sync/img?redir=http%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D",
    "secure": {
        "img": "https://pixel.mathtag.com/sync/img?redir=https%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D"
    },
    "partner": "mediamath-pub"
}

Thus MediaMath is naturally a business partner of Rubicon Project.
NOTE:
this domain, "pixel[dot]mathtag[dot]com", has already raised some discussion before:
Now we know which companies are related to this problem and how they are related.
  1. Google shows advertisements from its partner company, Rubicon Project.
  2. Rubicon Project loads a script from its partner company, MediaMath.
  3. MediaMath loads (unfortunately malicious) scripts from its clients.
From the viewpoint of typical business contracts, MediaMath should take responsibility for checking the code from their clients.
And I guess it's fatal if an advertisement can hijack the content of the site that hosts the advertisement.

If you have any feedback, please leave a comment.