Nov. 6, 2011 -- The online advertising industry is scrambling to quell a long-standing problem that has taken a turn for the worse: the spread of malicious ads on the Internet's top commercial websites.
Several new twists have made so-called malvertisements a fast-rising threat to consumers — and a big headache for publishers, advertisers and ad networks, say technologists and security researchers.
The spread of infected online ads has spiked tenfold over the past year, according to research disclosed by security intelligence firm RiskIQ at a recent Online Trust Alliance conference in Washington, D.C.
RiskIQ documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010. Each corrupted ad could have infected the PCs of thousands or millions of website visitors, based on how long the ad ran, says Elias Manousos, CEO of RiskIQ.
"In 2011 we observed malvertisements on major sites such as weather.com, foxsports.com, monster.com and usnews.com, just to name a few," Manousos says.
Organized crime gangs have streamlined the process of sneaking viral ads into the distribution system run by advertising networks, causing billions of tainted ad impressions to appear on the top 500 websites over the past 12 months, say technologists and security researchers.
"Malvertisements are a popular and extremely effective mechanism that takes advantage of weaknesses within Web browsers," says Vincent Liu, managing partner of security consultancy Stach & Liu. "The average home computer user faces a high risk of being attacked by malvertisements."
Website security firm Armorize recently discovered criminals selling tutorials, tool kits and ad placement services to anyone who wants to get into the malvertising game. "There is a whole ecosystem designed to do this," says Matt Huang, Armorize's chief operating officer. "It's all automated and all on the Internet."
A recent rash of infections has been triggering bogus security warnings, followed by an offer for fake antivirus protection.
Last month, SpeedTest.net, a popular site that measures home broadband connection speeds, began displaying legit ads carrying instructions to load pitches for Security Sphere 2012. Simply navigating to the site launched the promos, which locked up the visitor's PC until he or she purchased worthless "protection" for $35.
Doug Suttles, chief operating officer of Web diagnostics firm Ookla, SpeedTest's parent, says his engineers spotted the attack and cleaned it up within three hours. The criminals, in this case, pioneered a novel technique. They corrupted legit advertisements as they arrived in the ad-handling program, called OpenX, used by the SpeedTest site.
"Most websites aren't as on top of this as we are," says Suttles. "We were surprised someone got in. We quickly stripped it out and locked things down."
However, tens of thousands of other websites that use the free OpenX ad-handling platform are wide open to this new type of attack, says Armorize's Huang.
In another twist, consumers bedeviled by bogus anti-virus pitches have started bad-mouthing websites they believe triggered the bogus promos. Armorize has documented numerous consumer complaints that have gone viral on Twitter and other social networks, causing a drop in visits to the sites in question.
"Publishers are seeing their traffic and transactions drop in real time," says Huang. "They are seeing an immediate financial impact from warnings appearing all over Twitter not to visit their site."
Some ad networks have begun participating in a working group discussing "information-sharing about malvertisers and their ads," says Steve Sullivan, the Interactive Advertising Board's vice president of digital supply chain solutions.
The Online Publishers Association, the industry group of major website publishers, has yet to closely examine malvertising. "Obviously, stuff like this is disconcerting to the industry," says Pam Horan, OPA's president. "We haven't done any research in this area, and I haven't specifically heard anything from the members about this."
Even so, validating ads has become a major conundrum. Web publishers trust the ad networks to continually rotate ads to their Web pages. Meanwhile, the big ad networks, such as Google, Adobe, Microsoft and Yahoo, use automation to pull ads into rotation from a series of smaller networks and agencies.
"The process isn't flawless, and thus malvertisements end up running in the wild," says Manousos. "I think awareness is growing and more players in the ad supply chain are committed to working on reducing the number of malvertisements that reach the public."
Malvertisements are also used to spread stealthy infections that quietly take full control of the victim's PC, which is then used to steal data, probe deeper into corporate networks and pilfer from online financial accounts.
Consumers can protect themselves by making sure anti-virus programs and all updates for their Web browsers and popular applications, especially Adobe Flash and Adobe PDF, are current. Consumers who want to protect themselves further can use browser plug-ins, such as NoScript and AdBlock, that block all online ads.
Craig Spiezle, the Online Trust Association's executive director, says publishers, advertisers and the ad networks realize what's at stake.
"The good news there is growing interest of some of the key stakeholders — including Yahoo, Microsoft and Google — on the need to employ countermeasures," says Spiezle. "It's clear that validating the ads everyone depends on is a shared responsibility. If consumers don't trust ads, they may not go to the site, or they'll start running ad blockers, and that will compromise everyone's ability to monetize."