Rise of ‘malvertising’ adds to publishers’ woes

Some online advertising exposes Internet users to security risks. This is driving up adoption of ad blocking by readers, and causing further grief for publishers, writes David Barton of PageFair in this guest post.

by WAN-IFRA Staff | October 22, 2015

WAN-IFRA has organised an “Ad Blocking Action Day,” a one-day conference which will be held at the Frankfurter Allgemeine Zeitung (FAZ) in Frankfurt on 11 February. Case studies on improving user experience, creating quality ad content and the economic implications will be presented.

Global ad blocking has increased by 41 percent during the past 12 months, according to PageFair’s recent report. Internet users are turning to ad blocking to avoid annoying advertising and tracking. But a more troubling concern is gradually bubbling up into mainstream awareness and may lead more users than ever to ad block in future: malicious advertising, or “malvertising”.

Malvertising has been around for several years, but the number of attacks has already increased by 260 percent in the first half of 2015, according to cyber security firm RiskIQ. Users are exposed to malvertising when malware distributors piggyback on legitimate ad networks, buying slots and sending out ads loaded with malicious scripts. A user doesn’t even need to click on the ad to trigger delivery of the malware. Some are “ransomware” that encrypt the user’s files and demand a payment to decrypt them (e.g. “CryptoWall”), while others (e.g. “BEDEP”) are designed to turn machines into botnets – zombie armies that can be used to spread viruses or send out spam.

See this infographic from Malwarebytes for an overview of what “malvertising” is.

Victims great and small
As might be expected, porn sites are regularly affected, but a large number of high-profile sites have also been hit over the years, including the Huffington Post, AOL and TMZ. Yahoo visitors were exposed to CryptoWall in August 2014, then again almost a year later to an unknown payload (possibly CryptoWall or BEDEP) via the malvertising exploit called Angler in July 2015. Malwarebytes recently reported that a massive malvertising campaign “ran mostly uninterrupted for almost three weeks” in August 2015, infecting millions of machines.

It is difficult to defend against malvertising. Premium software such as Malwarebytes Anti-Exploit may be able to catch attacks by the Angler Exploit, but the free versions of anti-virus programs used by most users are probably not up to the task. Heavily-protected and fully up-to-date machines may in any case be vulnerable to so-called “zero-day” threats.

RTB and the rise of malvertising
Advertising networks have ended up as the unwitting distributors of malware because of the use of real-time-bidding (RTB) systems designed to allow the rapid deployment of targeted ads across a range of websites. Ad slots are bought and sold via the ad network in an instant, with publishers rarely aware of what ads their visitors will see or who paid for the impression. RTB has solved many problems for advertisers and publishers but at the cost of exposing the most important participant in the transaction – the consumer – to an unacceptable threat.

Growing awareness of the problem is leading some security experts to actively recommend that Internet users employ adblocking software. Ad blocking is becoming a security response, rather than just a way to block ads and stop tracking. It could even become the default security policy for company networks.

Any potential solutions, such as establishing a “circuit breaker system” of “trusted advertisers,” require advertising networks to accept that they are ultimately responsible for the problem. Advertisers can’t really expect consumers to beef up their security in order to receive ads. Considering that Internet users are more than willing to block ads for simply being annoying, this seems an optimistic expectation. In fact, security threats could be the tipping point that renders the web an ad-free zone. As AdAge’s Tim Peterson recently noted:

“People often cite lethargic page-load speeds or general aesthetics as the reasons they install ad-blocking software on their web browsers. But hackers are making perhaps the best case for people to block banner ads – and for advertisers and publishers to take ad-blocking seriously.” (Ad Age)

PageFair is opposed to ad blocking because we believe that it could ultimately lead to the demise of publishers and death of the open web. But we can find no valid alternative to blocking malvertising until the situation changes. The surge in malvertising attacks so far in 2015 suggests that more consumers will embrace ad blocking. And that’s bad news for publishers.

David Barton is a PageFair Contributing Analyst. He is a legal and finance editor and writer, a technology entrepreneur, and a designer. He has worked as a production manager, designer and writer for several DMG Media publications. He is @davidjbarton on Twitter.

Johnny Ryan of PageFair helped to launch an initiative with WAN-IFRA and Digital Content Next. A group of major publishers and key industry representatives met in London last month and the result of this meeting was a Call to Think for the industry in how to respond to this threat and make the most of the opportunity.
