Online ads can be annoying, but increasingly they're malicious, too. In the wake of a highly publicized "malvertising" incident last December, during which attackers were able to deliver malware through online ads published on Yahoo.com, that question is now top of mind for some.
That incident, in turn, came just a few months after security researchers at Blue Coat Systems discovered a group of sites that were delivering drive-by malvertising payloads through ads embedded in many "name brand" websites, including Salon.com and The Los Angeles Times.
The issue is starting to get high-level attention. A recent report (PDF) by the U.S. Senate said the problem endangers the security and privacy of users and recommended that the U.S. Federal Trade Commission should force the industry to offer better protections through comprehensive regulation.
But it is the advertising industry, rather than end users, that has the most to lose.
"As an industry we've been reluctant to talk about these problems in the past," says Steve Sullivan, former vice president of ad technology at the Interactive Advertising Bureau (IAB), a consortium of more than 600 online advertising media and technology companies. (Sullivan recently moved to fraud detection company White Ops.)
But over the past year, the problem has risen to a level where the hundreds of businesses that make up the online advertising ecosystem are both talking about it openly and actively supporting the IAB's Trustworthy Digital Marketing Supply Chain. That effort, part of a five-year plan (PDF) announced by the IAB in February, could set the bar for best practices and require a level of oversight for all IAB members to help reduce the incidence of malvertising, fraud and other issues.
It's a pocketbook issue, Sullivan says. Most malvertising, he explains, is designed not to harm the individual consumer but instead to recruit personal computers and mobile devices into large-scale botnets used to generate revenue by producing false advertising impressions and clicks online. In the case of the Yahoo malware, users were redirected to domains related to Paid-To-Promote.net. "The real money," Sullivan says, "is in advertising fraud."
But malvertising is also used to steal user data, says Bogdan Botezatu, senior e-threat analyst at antivirus vendor Bitdefender. "Malvertising is one of the few techniques that allow cyber criminals to silently attack unsuspecting users."
If a user's machine is infected with a botnet designed for advertising fraud, the owner of that botnet may try to monetize it by offering to install other software — in reality malware that steals the user's information — on the infected computer, says Chris Larsen, research architect at security software vendor Blue Coat Systems. That's what happened with CryptoLocker, which initially used spam to trick users into downloading it. "Then [the authors] shifted to underground forums and paid someone to install it on already infected computers," Larsen says.