Malvertising rise pushes ad industry to action

Hidden malware within ads on websites has advertisers scrambling to come up with a coordinated response.

1 2 3 Page 3
Page 3 of 3

But when the user clicks on the pop-up to take action, she is prompted to change her settings to allow installation of a third-party app -- delivered outside of the protected walled garden of Google Play -- so that the malware payload can be delivered undetected. Because these "scareware" messages look like they were generated by the operating system, they're very effective, Botezatu says.

Malvertising could also cost the online advertising industry, and web publishers that depend on it, in other ways that are even more difficult to measure. "These threats are undermining the integrity of the interactive advertising ecosystem," says Spiezle. Users cite a lack of trust in the safety of online advertising as one reason for using ad blocking software, even though the use of such software eliminates all ads -- good or bad -- along with the primary revenue source for many web publishers. "Blocking all ads and scripts will most likely keep the user safe," but would reduce revenue for web publishers, Spiezle says.

One Blue Coat Systems client, which Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. "They were concerned about malware coming in from this vector and not being able to stop it," he says.

Fixing the problem

One way to put a big dent in the malvertising problem would be an outright ban on JavaScript ads, says Larsen, but that's unlikely to happen. JavaScript lets advertisers do more innovative things with the creative aspect of their content and helps with analytics, says Sullivan.

Spiezle wants to see changes in the process for vetting online advertising. "If we don't do this we'll see increased use of [ad] blockers, calls for regulation and potential lawsuits for failure to take steps to help protect users from harm," he says.

"I agree absolutely," says Sullivan. Today, a well-managed ad network that knows every one of its affiliated sites and monitors them constantly may still sell its excess inventory to a secondary ad network that doesn't operate at the same level.

And there's no consistent mechanism by which to grade all of the players in the market and no visibility as to which players have good practices in place and which do not, Sullivan says. For example, one network might be using ad verification technologies to bolster security while another uses nothing at all. That led IAB president Randall Rothenburg, in a recent opinion column, to declare that "the digital advertising industry must stop having unprotected sex."

Malware

"If all of the networks in a trustworthy supply chain operated [to the same standard], we wouldn't have the problem at scale that we have today," Sullivan says. "In an opaque marketplace the inventory for a company that doesn't follow best practices sits side-by-side with a company that does -- and they're treated equally."

The IAB's five-year plan, which includes quality assurance guidelines and the establishment of a "Traffic of Good Intent" task force, isn't fully developed yet, and many details have yet to emerge.

Nonetheless Spiezle says, he's encouraged, although he'd like to see the IAB open up the process to all affected parties. "An effective solution needs to include a multi-stakeholder approach including the advertising community, ad networks, publishers and the security community. We look forward to working with the IAB and others towards this goal."

Related: Ad blockers: A solution or a problem?

This article, Malvertising rise pushes ad industry to action, was originally published at Computerworld.com.

Copyright © 2014 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon