The online ad industry, like virtually every other internet industry, faces significant security issues.
So-called malvertisements have become very appealing to cyber-criminals because the distribution channel is already in place and will not, at least in the foreseeable future, be shut down. That network – involving thousands of companies worldwide and delivering billions of ads daily to various websites – is porous and seemingly easily infiltrated. Most digital ad distributors don’t have the electronic equivalent of a bouncer to keep the riff-raff out.
The scale of the problem is enormous: In just a single month in 2014, Google, which runs one of the most diligent checks on ads, disabled 400,000 ads due to malware concerns.
Earlier this month, a digital ad industry group, the Trustworthy Accountability Group, or TAG, released the first-ever set of guidelines for how ad companies can scan their content to ensure they’re not distributing malware. The recommendations are voluntary. But they mark an important step forward if the industry wants to keep regulators at bay. TAG’s recommendations do address some of the main concerns with malicious ads, says Jerome Segura, a security expert with Malwarebytes who has extensively studied malvertising. He says some risky practices still appear to be acceptable under the guidelines. These include third-party hosting of ads and arbitrage.
“There is a tough balance between business and security,” Segura says. “The ad ecosystem exists the way it does because the rules and guidelines have always been expanded to satisfy the business side, not to reinforce security.”
Governments “are starting to understand that the delivery vector for ransomware is the internet. It’s not email, it’s the web,” says Chris Olson, co-founder and CEO of The Media Trust, a security and compliance vendor focused on digital media. In 2014, a U.S. Senate investigation found that a single visit to a tabloid news site triggered interactions with 352 other web servers, all of which would be potential entry points for sneaky tracking code or malware.
“The online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user’s computer through an advertisement,” according to the committee’s report.
Merely viewing a malicious ad is enough for a computer to be infected with ransomware, the file-encrypting malware that has proven to be devastating to organizations and users.
When a malicious ad is carried by a high-traffic website, thousands of computers could potentially be exposed. This exposure usually takes place in a short period of time. The malicious ads are eventually detected and removed. But usually, that’s only after visitors’ computers have been exposed. The better approach is to filter out malicious ads before they’re published. But just a handful of large digital advertising suppliers do this.
Cyber-criminals have been known to impersonate known companies and brands in an attempt to make last-minute substitutions of ads. They’ve also created fake ad companies, complete with bogus LinkedIn profiles for employees, to try to appear legitimate. First timers and online professionals have been hacked.
Solving the security problems around online ads would give the industry a more compelling argument for persuading consumers to give up their ad blockers, which threaten its revenue. It’s estimated as many as one-fourth of all web surfers use one. When people start blocking ads, advertisers have to create other ways to market their products.
Most people use ad blockers because they’re irritated with some of the intrusive ways ads are presented. But there are also compelling security arguments behind ad blockers. By blocking ads, consumers are better insulated against security risks from infected advertisements.
The social media site Reddit can be a rich traffic source for publishers. It warns users about links to content from publishers that demand that people disable their ad blockers. These include publishers such as Forbes and Wired. “Warning! Disabling your ad blocker may open you up to malware infections and malicious cookies. These can expose you to unwanted tracker networks,” Reddit’s warning says. “Proceed with caution.”
Many publishers are pushing back, warning users that they can no longer access free content if ad-blocking software is enabled. That forces security-conscious users to make an uncomfortable choice. They can open up their computer to attacks or forgo the content. This is a choice more and more online visitors are having to make. Many are choosing to leave sites that make them look at ads because of the fear of malvertisements. This is especially true if the site isn’t scanned on a daily basis to search for potential security holes.
Special thanks to bankinfosecurity.com for its article on the subject.