The online ad industry is under threat, not just from falling ad rates, ad blockers, and potential regulation. It is facing a big security problem, one that will demand close industry cooperation to repress.
Distributing malicious software through spam emails has become harder for cybercriminals. Spam filters continue to improve and botnets that send junk mail are tracked and blocked. There's a far more powerful alternative: piggybacking on the $50 billion online ad industry.
Malvertising is very appealing to cybercriminals because the distribution channel is already set and will never be shut down. Involving thousands of companies worldwide, network delivering billions of ads daily to websites is penetrable and easily infiltrated. Many digital ad distributors don't have the capability to keep the undesirables out.
The gravity of the problem is massive. It is evident based on Google's data. In just a single month in 2014, the multinational tech company which runs one of the most diligent checks on ads disabled 400,000 ads due to malware concerns.
Last month, Trustworthy Accountability Group (TAG), a digital ad industry group, released the first ever set of guidelines for how ad companies can inspect their content to ensure they're not distributing malware. It marks an important progress if the industry wants to keep regulators at bay, even if the recommendations are voluntary.
Chris Olson, co-founder and CEO of The Media Trust, a security provider focused on high-traffic digital media, stated that governments "are starting to understand that the delivery vector for ransomware is the internet. It's not email, it's the web."
Emerging Regulations
Privacy and data security have been the main concern for regulators around the world, which are moving toward stricter laws that govern how companies handle data.
According to BankInfoSecurity, the U.S. Federal Trade Commission is progressively taking action against companies that fail to protect customers even before a data breach or malware infection is made and has recently filed 60 enforcement actions. Realizing the change, the ad industry is worried, whether it wants it or not, it's on the horizon.
The industry also takes note of the European Union's General Data Protection Regulation, which could charge fines of 4 percent of revenue or $22.5 million - whichever is greater - for violations. The GDPR "is finally being paid attention to," said Olson.
Infection Per View
Simply viewing a malicious ad is enough to infect a computer with ransomware, the file-encrypting malware that is proven to be devastating to organizations and users.
A high-traffic website carrying malicious ad could potentially expose thousands of computers in a short period of time. It is only after computers have been exposed that the malicious ads are detected and removed.
This can be prevented by filtering out malicious ads before publishing, but only a few large digital advertising suppliers are implementing this.
The technical relationships of ad companies are blurry and complicated, which makes it nearly impossible for strict quality control. Oversight on the part of one company can cause a negative domino effect.
When a user's computer obtained a malware through an advertisement, each party could possibly claim they're not responsible due to the complexity of the online advertising industry.
Scanning Procedure
TAG's "Best Practice for Scanning Creative for Malware" proposes that ad companies should carefully scrutinize ads sometimes even hourly.
Part of the goal is to try and spot when a legitimate ad might have been swapped with a malicious ad after the screening. But doing these security measures would slow the advertising industry down. Something that is counterintuitive with how highly automated ads are bought and placed now in real-time auctions.
One major concern is the referral tags, which are bits of HTML code that delivers personalized, targeted ads. When someone visits a publisher's website, a tag with the user's information is sent to an advertising network, in which they would decide about what ad to deliver. The ad itself could come from any number of third parties. Those tags often rapidly change, which poses security issues.
Work Work Work
While TAG's recommendations address some major concerns with malicious ads, the guidelines don't address social engineering. In attempts to do last-minute swapping of ads, cybercriminals are known to pose as well-known companies and brands with complete fraudulent Linkedin profiles for employees. Taking advantage of the human element will always have the edge, no matter how good your security providers are.
It is estimated as many as a quarter of web surfers use ad blockers, which marginalizes the industries revenue. Finding a solution to the security concerns around online ads would give the industry a better reason to persuade consumers of giving up their ad blockers.
Share your thoughts and comments regarding the online ad industry below!