There’s been a lot of chatter recently about the “dark side” of online advertising, in particular, the activities of companies like NebuAd and Phorm using somewhat shady techniques to gather behavioral data about users and using this data to target ads. I’ve even blogged about it myself. And click fraud remains a significant challenge to confidence in online advertising.
But whilst the term “click fraud” generates about 25 million results on the world’s best search engine, the term “malvertising” generates only 2,170. Since you may not be familiar with the term, I’ll offer you the definition I found on urbandictionary.com (sadly, there’s no Wikipedia entry for Malvertising):
An Internet-based criminal method for the installation of unwanted or malicious software through the use of Internet advertising media networks and exchanges.
So Malvertising = malware + advertising. See? Clever (if ugly). But despite its goofy name and low profile, malvertising arguably represents a greater threat to the online advertising industry than either unscrupulous behavioral targeting or click fraud.
Malvertising can take a number of forms, typically along the following lines:
- Ads that try to trick you into going to a site, where malware is installed (e.g. those “Your PC is infected! Click here to install our anti-virus software NOW!” ads)
- Hijacking legitimate ad clicks and redirecting users to sites which encourage them to install malware
- Malware disguised as ads, that exploit security vulnerabilities in web client software (such as this one in Adobe Flash), either to install further malware, or to scrape PII from the browser
The enormous reach of modern ad networks, plus the ability to place malicious code on thousands of otherwise innocent sites, makes distributing malware via advertising networks a very attractive proposition.
The malware itself is usually focused on stealing users’ personal data (e.g.login details for broker accounts), taking control of the user’s machine for distributed denial-of-service attacks (turning it into a zombie), or convincing the user to spend their own money buying malware “removal” software after they have been “infected”.
But it’s not just the end user that suffers. The publisher who has unwittingly hosted the malvertising can find themselves besieged by angry users demanding to know why they’ve been served malware from their site. If the ad was served via an ad network, the publisher will possibly cancel their contract, depriving the ad network of their business (ESPN has already ditched ad networks altogether, although not ostensibly for this reason). And advertisers who want to use increasingly sophisticated ads with high levels of interaction may find that they are unable to because these ads are some of the ones most likely to contain malware, and so are blocked by the ad networks and publishers the advertiser wants to deal with.
Furthermore, if end users lose confidence in the ads they’re being shown, either in terms of where a click will lead, or whether the ad itself is malicious, this will drive down ad clicks and drive up the installation of ad blocking software – both of which will have a disastrous effect on the industry.
What can be done?
The malvertising problem is not insoluble, but it will demand a concerted effort from all industry participants to fix (or, at least, contain) it. I’ll blog about these topics again in more detail, but the main areas of attention will need to be:
Creative/URL scanning: Ad networks and third-party ad servers will need to start scanning creatives and destination URLs as a matter of course. The technical challenge of scanning Flash or Silverlight-based creatives is considerable, since malicious ads will take steps to cover their tracks, such as obfuscating code, and behaving normally if they detect they’re being scanned. Ultimately, the co-operation of Adobe and Microsoft may be required to put in place more robust systems for determining an ad’s provenance.
URL scanning is a more manageable problem – all ad networks should ensure that ad click destinations do not lead to sites which are known to host malware.
Creative template quality: Malware has been known to sneak into ads through sloppy management of creative templates – if an agency uses an infected template, then of course all ads created using that template will be infected. This problem will grow as larger numbers of smaller advertisers start to use online services which provide Flash templates that are customized to order – the advertisers will not have the technical sophistication to determine whether the resulting ads are safe or not. Some kind of ‘quality seal’ may be required for these services, though that will not stop bogus ones springing up.
Outlawing redirect-based tracking: At the moment, many ad networks use redirects to track ad clicks, meaning that a single ad click can be passed around many ad networks before the user is finally deposited at the advertiser site. This system is open to abuse via “click hijacking”, where a bogus network sends some clicks for legitimate ads to malware sites. Publishers should inform ad networks that redirects for tracking are unacceptable, which will mitigate this problem.
Ad isolation: At the moment, an ad which is served with a page (rather than via an iframe) has access to that page’s DOM, which means that if the ad is malicious, it can crawl the DOM, looking for user PII (such as usernames and passwords for the site the ad is on, or credit card details). Microsoft is working on some technology to isolate ads that are served on its network, so that even if they’re served in a first-party context (i.e. not via an iframe or redirect), they are unable to access the page DOM. Other publishers & networks should consider doing the same.
Industry co-operation: Currently, very little specific information about malware is shared within the industry, partly for noble reasons (it can be difficult to be specific about a malware instance without revealing user PII) but mostly for ignoble ones (no ad network wants to advertise the fact that they’ve been subject to a malware attack). This must change – the industry needs to find a way to share this kind of data without an individual network or publisher having to step into the firing line.
As I said, I’ll return to this subject with some more thoughts on some of the above issues. In the meantime, a great resource for information on malvertising is Spyware Sucks, a blog run by Microsoft MVP Sandi Hardmeier, who tirelessly chronicles various malvertising outbreaks. It makes for sobering reading.