1d0022aOnline advertising has become a major component of the Web, leading to large annual revenues ($40 billion plus in US alone in 2013). Online advertisements are an effective means for promoting products and targeting wide audiences. Online advertisements also provide a convenient platform for spreading malware.

Malvertising attacks are the use of online advertising channels to infiltrate malware into the computers of unsuspecting users by embedding malicious code within legitimate advertisements on trusted websites.
The Online Trust Alliance (OTA) placed an estimate that nearly 10 billion ad impressions were compromised by malvertising.

A new Senate report revealing troubling vulnerabilities in online ad networks that have exposed consumers to malware attacks is the first step in a new bipartisan effort to tighten online security.

This is not a new vulnerability, however, the stakes are getting higher. Implications more serious.
For Publisher's Revenue
For Business’s doing the advertising &
For Consumers

Clearly the issue is significant due to the potential for negative impact and monetary loss.

Consider the impact on advertisers if business’s and users start blocking advertisements on their browsers as a way of reducing their risks.

The impact on consumers is clear -Malvertising attacks are the use of online advertising channels to infiltrate malware into the computers of unsuspecting users by embedding malicious code within legitimate advertisements on trusted websites. By simply visiting a site, users can get infected via “drive-by download”. There is no visible indication that the trusted site is compromised. As most advertising on trusted sites comes from a variety of ad networks – different visitors will see different ads from different places, not all of which will be malicious – Malvertising attacks are particularly hard to detect.

How do attackers infiltrate the websites? How does it work?

Attackers use various techniques to add malicious content to the ads on legitimate websites. These include:

  • Direct Purchase: Criminal syndicates often disguise themselves as legitimate organizations and purchase ad space directly with the website. Typically this is the first time the syndicate has engaged the publisher and they will usually purchase a short-term campaign at the last minute in an attempt to evade detection.
  • Leverage Ad Exchanges: Attackers position their malicious ad within an ad network or exchange, which automatically distribute ad space on websites. This automated ad distribution process through a complex network of exchanges makes it incredibly difficult to track down the original source of the ad, as well as determine on which sites the ad was published.
  • Exploit Technical Vulnerabilities: Attackers leverage vulnerabilities in the ad servers or other infrastructures to compromise ad networks, DSPs, etc., and through this compromise, replace legitimate ads with malicious ads, which are then sent out to any number of destinations.

Can we meet the challenge - How?

This risk can only be eliminated if addressed systematically – at all points of the porous online advertisement supply chain.

Large advertisers are the ones most impacted, and are in a position to leverage a strategic approach to the solution, such as the following:

- First, ensure online advertising networks are following strict security controls and processes around content creation and sharing;
This includes a secure scheme that relies on cooperation between web servers and advertising networks to thwart in-flight modification of ad traffic – it must provide a means of proving authenticity and integrity of the traffic.

- Second, perform appropriate and regular checks of advertisements to verify the advertising content providers for all types of active or malicious code. If any unexpected or unwanted behavior is detected, such as automated redirections, the ads should not be published to the end users.

- Finally, malware monitoring system should be used on dedicated and shared hosting servers in order to trace malware infections at inception.

In conclusion, all entities involved in the advertising networks (advertisers and publishers) have to secure their internal systems internally and perform due diligence on their partners’ systems. Merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need to ensure that there are rigorous security policies and procedures in place to curb these risks.


Pamela is a senior security strategist and actively speaks at security forums.She can be reached at Pamela.gupta@outsecure.com and her Twitter handle is @pamegup