November 3, 2016

Today’s Mad Men: How Malvertising Hurts Advertisers

Malware-infected ads are the newest fad for hackers.

Earlier this year, tens of thousands of readers of several mainstream news sites, including The New York Times, BBC, MSN, and AOL, were served malware-infected banner ads. This is detrimental not only to users but also to publishers and advertisers.

The ads contained code capable of installing crypto ransomware and other malware that could be used to lock users out of their devices. Hackers could then demand a ransom to unlock users’ systems. The infected ads were unknowingly distributed by reputable ad networks, and users could be victimized without even clicking on the ads.

The Pain of Ad Injections

A common malvertising scheme known as ad injection places ads on sites without the publisher's permission and without payment to the site. The unauthorized ads are layered over legitimate ads, popping up in places where they should not be seen. The scheme typically tricks users into downloading an app containing code that allows this illegitimate ad placement.

“Ad injectors’ businesses are built on a tangled web of different players in the online advertising economy,” according to a Google blog post on the topic. Multiple organizations are involved in web ad placement. “The ad injection ecosystem profits from more than 3,000 victimized advertisers—including major retailers like Sears, Walmart, Target, and eBay—who unwittingly pay for traffic to their sites,” Google’s blog says. “Because advertisers are generally only able to measure the final click that drives traffic to their sites, they’re often unaware of many preceding twists and turns, and don’t know they are receiving traffic via unwanted software and malware.”

Corruption on Another Level

Publishers not only lose the value of site security, but they also lose money when ad space is hijacked by shady ad placement companies. Advertisers are often unaware their ads are being placed surreptitiously on their behalf, potentially on inappropriate sites.

Corrupted data is another major concern for marketers. If an ad is supposed to run on Site A, but doesn’t appear on some viewers’ screens, the ad buying strategy is compromised. Once this happens often enough, the analysis of which ads are working and where they are most effective may become inaccurate.

Attempts to Prevent Malvertising

Media companies are working to tamp down malvertising. Last fall, the Trustworthy Accountability Group (TAG) introduced the “Verified by TAG” system. This group creates a white list of advertisers and publishers that have been vetted and approved.

Security experts have also advised publishers to place limits on new advertisers, such as restricting their ads to simple text and only allowing dynamic features—which create possible avenues for malware—after they establish a legitimate track record.
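One way a publisher could enforce that text-only rule on submitted creatives is sketched below. This is an added example, not code from the original article; the tag and attribute allowlists, the function names, and the `established` track-record flag are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Assumption: markup that counts as "simple text" for a new advertiser.
TEXT_ONLY_TAGS = {"a", "b", "br", "div", "em", "i", "p", "span", "strong"}
# Assumption: the only attributes a text creative may carry.
TEXT_ONLY_ATTRS = {"href", "title"}


def is_web_link(value):
    """Allowlist check: only absolute http(s) links pass (no javascript:, data:, etc.)."""
    return bool(value) and value.strip().lower().startswith(("http://", "https://"))


class CreativeAuditor(HTMLParser):
    """Records every construct in a creative that goes beyond plain text markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling this.
        if tag not in TEXT_ONLY_TAGS:
            self.findings.append(f"tag <{tag}> not allowed")
        for name, value in attrs:
            if name not in TEXT_ONLY_ATTRS:
                self.findings.append(f"attribute {name} on <{tag}> not allowed")
            elif name == "href" and not is_web_link(value):
                self.findings.append(f"non-http(s) link on <{tag}>")


def vet_creative(markup, established):
    """Return (accepted, findings). Only advertisers with a track record
    (established=True) may ship creatives that have findings."""
    auditor = CreativeAuditor()
    auditor.feed(markup)
    auditor.close()
    return (established or not auditor.findings, auditor.findings)


# Constructed sample creatives (not real ads).
TEXT_AD = '<p><strong>Fall sale</strong> <a href="https://shop.example/sale">Shop now</a></p>'
DYNAMIC_AD = ('<div onclick="track()"><script src="https://cdn.example/ad.js"></script>'
              '<a href="javascript:go()">Open</a></div>')

if __name__ == "__main__":
    for label, ad in (("text", TEXT_AD), ("dynamic", DYNAMIC_AD)):
        print(label, vet_creative(ad, established=False))
```

Findings are still returned for established advertisers, so they can be logged for review even when the creative is accepted.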

Despite such efforts, there are no easy site security fixes. To better prepare for a hacker attack, marketers should engage with ad placement providers and find out what can be done to track, address, and eliminate malvertising incidents.
