Infecting the Ad Pool

Malicious Advertising (Malvertising) is becoming a problem. This is the practice of purchasing advertising space on unsuspecting websites, then using that space to run adverts which automatically redirect the user’s browser to a malware site – a site that distributes viruses, spyware, and other computer nasties.

The practice first emerged in 2006. Already 2008 has seen may large publishers (website operators) attacked, including Classmates, USA Today, Photobucket, and MySpace.

Late last night I visited one of my own websites and got immediately redirected off to a domain already blacklisted by Google, which in turn redirected to another site that was intent on installing a scareware “virus checker”. ZAM (a gaming network), already plagued by “XP Online Scanner” adverts earlier this year, had again been hit by malicious adverts. The timing, just after midnight UTC Saturday, was impeccable: Advertising networks tend to work sensible business hours, ensuring 48 hours of infestation before anyone starts to investigate it. [Although I should add that in this case I did get a positive resolution within 24 hours.]

My response was to temporarily abandon the advertising network that had delivered the “malvert”, and switch to affiliate advertising I control.

This article explains why publishers have a very low tolerance of malverts, and consequently why it is in the best interests of advertising networks to deal with malvertising before it becomes widespread.

Valuing Users

The cost to a malware writer of placing a single malvert is in the order of $0.001, with the publisher receiving somewhat less than that. The pricing model assumes a high volume of advertising is ignored by users: An advertiser might need to screen thousands of adverts to get any referrals (click-throughs). It does not assume that the adverts will immediately refer every user to the advertiser’s site, without user interaction.

For malware writers this is both cheap and highly effective: Quantcast and Compete suggest xponlinescanner.com (a recent case of malicious advertising) attracted 1-2% of all US internet users in May: A dominance achieved by less than 500 other sites worldwide. Something advertising agencies can only dream about. Quantcast’s demographic analysis also indicates that the old, poor or poorly educated are more likely than other internet users to be caught by malware.

The publisher got a fraction of a cent, and may have lost 1 or more customers forever:

New visitors essentially bounce straight into “virus hell”. They are never coming back; not after “what you did to their computers”. Regular visitors assume your site was “hacked” (a security breach on your servers), and loose confidence. Even if they stay, they’ll think twice about typing their credit card number in again. If the site relies on viral traffic, they will be sure to tell their friends not to visit as well.

So Block the Advert!

Unless the publisher has a very strong community, they might never realise why their users are leaving: Malverts may be targeted by location or time of day, such that the publisher never sees them.

Assuming the publisher knows about the malvertising, finding the source transpires to be exceptionally hard. Malicious adverts may be embedded in an advert that looks perfectly normal, but only triggers an automatic redirect under certain circumstances. So even in simple cases, where the publisher has a direct relationship to advertisers, finding malware requires the advert to be tested.

But adverts are increasingly run via networks, who increasingly rely on advertising exchanges. So a large publisher could be running practically any advertising campaign in existence. I was running over 2,000 different campaigns (many of which have multiple adverts), and my site is small fry.

So once a malicious advert enters the system, it can spread like a virus throughout online advertising networks, almost unchecked.

Reactions

Publishers who care about their customers (and consequently also tend to have the most valuable advertising inventory) are likely to avoid any advertising network that delivers malvertising:

  • They might establish direct relationships with reputable advertisers, which cuts the networks out of the loop completely. Only viable for large publishers or those in specific niches.
  • Or perhaps they will change to text or non-interactive adverts? Advertisers that rely on being able to communicate using imagary will have problems: The only publishers to remain with malware-infested networks will be those that do not care about their users. Precisely the sites that were probably not good places to advertise anyway.

Users will gradually grow more paranoid. Pop-up advertising is a perfect example: Browsers gave too much control to scripts, and not enough control to the user. The result was that pop-up blocking features became commonplace, and pop-ups became a redundant technology.

What are users’ “solutions” to malvertising? Completely blocking all adverts and disabling all scripting. How does that help advertisers, networks or publishers? It doesn’t.

Sadly users’ solutions will not include disabling Flash, the poor design of which seems to be at the heart of the malicious advertising (something countered by Adobe). Flash is so critical for online video most users cannot browse the internet without it.

Solutions

There still seems to be a lack of appreciation of the damage potential of malicious advertising. But there are solutions available to the industry collectively, as many of the authors below demonstrate: