There’s been a lot of chatter recently about the “dark side” of online advertising, in particular, the activities of companies like NebuAd and Phorm using somewhat shady techniques to gather behavioral data about users and using this data to target ads. I’ve even blogged about it myself. And click fraud remains a significant challenge to confidence in online advertising.
But whilst the term “click fraud” generates about 25 million results on the world’s best search engine, the term “malvertising” generates only 2,170. Since you may not be familiar with the term, I’ll offer you the definition I found on urbandictionary.com (sadly, there’s no Wikipedia entry for Malvertising):
Malvertising:
An Internet-based criminal method for the installation of unwanted or malicious software through the use of Internet advertising media networks and exchanges.
So Malvertising = malware + advertising. See? Clever (if ugly). But despite its goofy name and low profile, malvertising arguably represents a greater threat to the online advertising industry than either unscrupulous behavioral targeting or click fraud.
Malvertising can take a number of forms, typically along the following lines:
- Ads that try to trick you into going to a site, where malware is installed (e.g. those “Your PC is infected! Click here to install our anti-virus software NOW!” ads)
- Hijacking legitimate ad clicks and redirecting users to sites which encourage them to install malware
- Malware disguised as ads, that exploit security vulnerabilities in web client software (such as this one in Adobe Flash), either to install further malware, or to scrape PII from the browser
The enormous reach of modern ad networks, plus the ability to place malicious code on thousands of otherwise innocent sites, makes distributing malware via advertising networks a very attractive proposition.
The malware itself is usually focused on stealing users’ personal data (e.g.login details for broker accounts), taking control of the user’s machine for distributed denial-of-service attacks (turning it into a zombie), or convincing the user to spend their own money buying malware “removal” software after they have been “infected”.
But it’s not just the end user that suffers. The publisher who has unwittingly hosted the malvertising can find themselves besieged by angry users demanding to know why they’ve been served malware from their site. If the ad was served via an ad network, the publisher will possibly cancel their contract, depriving the ad network of their business (ESPN has already ditched ad networks altogether, although not ostensibly for this reason). And advertisers who want to use increasingly sophisticated ads with high levels of interaction may find that they are unable to because these ads are some of the ones most likely to contain malware, and so are blocked by the ad networks and publishers the advertiser wants to deal with.
Furthermore, if end users lose confidence in the ads they’re being shown, either in terms of where a click will lead, or whether the ad itself is malicious, this will drive down ad clicks and drive up the installation of ad blocking software – both of which will have a disastrous effect on the industry.
What can be done?
The malvertising problem is not insoluble, but it will demand a concerted effort from all industry participants to fix (or, at least, contain) it. I’ll blog about these topics again in more detail, but the main areas of attention will need to be:
Creative/URL scanning: Ad networks and third-party ad servers will need to start scanning creatives and destination URLs as a matter of course. The technical challenge of scanning Flash or Silverlight-based creatives is considerable, since malicious ads will take steps to cover their tracks, such as obfuscating code, and behaving normally if they detect they’re being scanned. Ultimately, the co-operation of Adobe and Microsoft may be required to put in place more robust systems for determining an ad’s provenance.
URL scanning is a more manageable problem – all ad networks should ensure that ad click destinations do not lead to sites which are known to host malware.
Creative template quality: Malware has been known to sneak into ads through sloppy management of creative templates – if an agency uses an infected template, then of course all ads created using that template will be infected. This problem will grow as larger numbers of smaller advertisers start to use online services which provide Flash templates that are customized to order – the advertisers will not have the technical sophistication to determine whether the resulting ads are safe or not. Some kind of ‘quality seal’ may be required for these services, though that will not stop bogus ones springing up.
Outlawing redirect-based tracking: At the moment, many ad networks use redirects to track ad clicks, meaning that a single ad click can be passed around many ad networks before the user is finally deposited at the advertiser site. This system is open to abuse via “click hijacking”, where a bogus network sends some clicks for legitimate ads to malware sites. Publishers should inform ad networks that redirects for tracking are unacceptable, which will mitigate this problem.
Ad isolation: At the moment, an ad which is served with a page (rather than via an iframe) has access to that page’s DOM, which means that if the ad is malicious, it can crawl the DOM, looking for user PII (such as usernames and passwords for the site the ad is on, or credit card details). Microsoft is working on some technology to isolate ads that are served on its network, so that even if they’re served in a first-party context (i.e. not via an iframe or redirect), they are unable to access the page DOM. Other publishers & networks should consider doing the same.
Industry co-operation: Currently, very little specific information about malware is shared within the industry, partly for noble reasons (it can be difficult to be specific about a malware instance without revealing user PII) but mostly for ignoble ones (no ad network wants to advertise the fact that they’ve been subject to a malware attack). This must change – the industry needs to find a way to share this kind of data without an individual network or publisher having to step into the firing line.
As I said, I’ll return to this subject with some more thoughts on some of the above issues. In the meantime, a great resource for information on malvertising is Spyware Sucks, a blog run by Microsoft MVP Sandi Hardmeier, who tirelessly chronicles various malvertising outbreaks. It makes for sobering reading.
Hello Ian! I recognise that picture of the yellow pop-up ;o) Malvertizing sure has changed since those days.
It is still amazing to me how many people are unaware of what can be done with just an ad. Good post. Keep up the good work.
I worked for Phorm – back before they were 121Media – I left after two days. They then asked me back with a bigger pay deal – I lasted a further day! In those days it was adWare. They’re clever cookies (no pun intended) just a bit too smooth and visionary 5 years ago – looks like they’re sorting themselves out now though…….
Ian,
Excellent post on this subject, and I totally agree that it is a big threat. Dismal CTRs support the notion that many people decline to click on ads out of fear that they are not what they appear. Personally, I never click on a banner ad. If it looks interesting, I figure out a different way to get there. Looking forward to your next installment on this topic.
Sandi –
Thanks for stopping by! Yes, that ad at the top is a little long in the tooth, but it’s actually quite difficult to find a graphic which sums up the problem – most modern malware ads are indistinguishable from regular ads.
Ian
Thanks for the post Ian. It is a very concise and accurate representation of the issues. I like how you have driven home the point that the whole industry suffers from the inaction of any one player. In the mind of the affected end user there is one and only one defense and that is blocking ads. Which of course affects us all, whether or not it was our network that let the malware slip by.
It is reassuring to read that the issues are starting to be taken seriously. This causes a lot of frustration to publishers that get hit by malvertising in its most extreme form (browser hijacks). I have expanded on the publisher perspective:
http://timhowgego.com/infecting-the-ad-pool.html
The underlying cost model is such an attractive target for malware writers that this behaviour will spread until it is dealt with. And if internet users are forced to deal with it, internet advertising will look very different in the future.
I believe there is a viable market for an advertising network to charge a small premium to guarantee “malverts” will never appear. Do any such networks exist?
Malvertizing might be an increasing problem but there is a bigger privacy thereat lurking in the shadows… Google search tracking combined with Google analytics site tracking and Gmail identification. imagine the profiling you could do – what did you search for? which sites do you like? who are your friends? see this
Anti-virus Software: PC-Safety For All Rounds
We reached on computers in our everyday lives and are dependent. Therefore it becomes necessary to be definite safety. It is used as an important factor in communication with a web connection for their own purposes. They have great confidence in this t…