Story first appeared in USA TODAY.
The online-advertising industry is scrambling to quell a long-standing problem that has taken a turn for the worse: the spread of malicious ads on the Internet's top commercial websites.
Several new twists have made so-called malvertisements a fast-rising threat to consumers — and a big headache for publishers, advertisers and ad networks, say technologists and security researchers.
The spread of infected online ads has spiked tenfold over the past year, according to research disclosed by security intelligence firm RiskIQ at a recent Online Trust Alliance conference in Washington, D.C.
RiskIQ documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010. Each corrupted ad could have infected the PCs of thousands or millions of website visitors, based on how long the ad ran, says Elias Manousos, CEO of RiskIQ.
Organized crime gangs have streamlined the process of sneaking viral ads into the distribution system run by advertising networks, causing billions of tainted ad impressions to appear on the top 500 websites over the past 12 months, say technologists and security researchers.
Website security firm Armorize recently discovered criminals selling tutorials, tool kits and ad placement services to anyone who wants to get into the malvertising game. "There is a whole ecosystem designed to do this," says Matt Huang, Armorize's chief operating officer.
A recent rash of infections has been triggering bogus security warnings, followed by an offer for fake antivirus protection.
Last month, SpeedTest.net, a site that measures home broadband connection speeds, began displaying legit ads carrying instructions to load pitches for Security Sphere 2012. Simply navigating to the site launched the promos, which locked up the visitor's PC until he or she purchased worthless "protection" for $35.
Doug Suttles, chief operating officer of Web diagnostics firm Ookla, SpeedTest's parent, says his engineers spotted the attack and cleaned it up within three hours. The criminals, in this case, pioneered a novel technique. They corrupted legit advertisements as they arrived in the ad-handling program, called OpenX, used by the SpeedTest site.
However, tens of thousands of other websites that use the free OpenX ad-handling platform are wide open to this new type of attack, says Armorize's Huang.
In another twist, consumers bedeviled by bogus anti-virus pitches have started bad-mouthing websites they believe triggered the fake promos. Armorize has documented numerous consumer complaints that have gone viral on Twitter and other social networks, causing a drop in visits to the sites in question.
Some ad networks have begun participating in a working group discussing "information-sharing about malvertisers and their ads," says Steve Sullivan, the Interactive Advertising Board's vice president of digital supply chain solutions.
The Online Publishers Association, the industry group of major website publishers, has yet to closely examine malvertising. Obviously, stuff like this is disconcerting to the industry, says Pam Horan, OPA's president. They haven't done any research in this area, and she has not specifically heard anything from the members about this.
Even so, validating ads has become a major conundrum. Web publishers trust the ad networks to continually rotate ads to their Web pages. Meanwhile, the big ad networks, such as Google, Adobe, Microsoft and Yahoo, use automation to pull ads into rotation from a series of smaller networks and agencies.
Malvertisements are also used to spread stealthy infections that quietly take full control of the victim's PC, which is then used to steal data, probe deeper into corporate networks and pilfer from online financial accounts.
Consumers can protect themselves by making sure anti-virus programs and all updates for their Web browsers and popular applications, especially Adobe Flash and Adobe PDF, are current. Consumers who want to protect themselves further can use browser plug-ins, such as NoScript and AdBlock, that block all online ads.
Craig Spiezle, the Online Trust Association's executive director, says publishers, advertisers and the ad networks realize what's at stake.
The good news is there is growing interest of some of the key stakeholders — including Yahoo, Microsoft and Google — on the need to employ countermeasures. It's clear that validating the ads everyone depends on is a shared responsibility. If consumers don't trust ads, they may not go to the site, or they'll start running ad blockers, and that will compromise everyone's ability to monetize.