The ubiquitous presence of advertising in online content represents what has become a multi-billion dollar industry. However, cybercriminals have found that ads served through the networks of companies like Google and Yahoo can also be used to deliver malware to unsuspecting visitors.
Increased dangers posed by such malicious advertising, or “malvertising,” gained the attention of the US Senate, where the Permanent Subcommittee on Investigations for the Committee on Homeland Security & Government Affairs recently held a hearing on the issue, “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.” With the online ad industry enjoying a 2013 year that brought in $42.8 billion in revenue, it’s not surprising the highest levels of government have involved themselves in looking into any potential dark side of the business.
The Senate report fretted over the “rise in cybercriminals attempting to seek out and exploit weaknesses” in online advertising. Further testimony before the Senate claimed that 2013 saw over 209,000 incidents generating over 12.4 billion malicious advertising impressions, a wave of attacks that may have affected more than half of website publishers.
The hearing illustrated one December 2013 example in which a visitor to an unnamed “popular, mainstream website” ended up with an infected computer. This attack arrived via an advertisement delivered by Yahoo’s ad network, with no interaction needed by the visitor: simply loading the page that rendered the ad was enough.
Alex Stamos, chief information security officer for Yahoo, said at the hearing that the malvertising affected people using Microsoft Windows with out-of-date versions of the Java browser plug-in; fully patched systems and systems without the plug-in were not affected. Yahoo quickly moved to remove the malicious ads from its network.
“We successfully block the vast majority of malicious or deceptive advertisements with which bad actors attack our network,” Stamos said. He also noted how Yahoo works continuously on improving its testing, and inspects all ads running on Yahoo’s sites and ad network.
“Advertising is only one method of distribution, and distribution is only one part of the problem,” Stamos also remarked, citing how vulnerabilities in browsers, plug-ins, office software, and operating systems have roles in the issue of security too.
Online advertising giant Google wasn’t immune to malvertising either. February 2014 saw criminals carry out a similar attack on YouTube, the video hosting service Google owns. The criminals used an ad delivered by Google to attempt to deliver their malware; Google quickly responded to end that attack.
George Salem, senior product manager, Ads Policy, at Google, told the hearing “we proactively scan tens of millions of ads each day across multiple platforms and browsers, disabling any ads we find to have malware.”
The report based on the Subcommittee’s investigation made several recommendations to better combat the security threat. One recommendation, that the online advertising industry share information about security threats, may require Congress to enact legislation permitting such sharing without exposing companies to accusations of violating antitrust laws by cooperating with competitors.
Another recommendation would put a greater burden on the ad networks themselves to put “circuit breakers” in place to further protect consumers. These would push networks to catch malvertising at an earlier stage, before such ads get distributed across a network. Further, the hearing called for the online ad industry to “thoroughly vet new advertisers” and to do ongoing checks of submitted ads to ensure they remain legitimate after the initial submission, since a creative that passed review can be altered by the advertiser, or by whoever controls the servers it loads from, after approval.
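To make the “circuit breaker” and ongoing-check recommendations concrete, here is an added example (not code from the hearing, Yahoo, or Google) of an approval-time scan for ad creatives combined with a periodic re-check against the fingerprint recorded at approval. The policy it enforces (no plug-in content such as `<applet>`/`<object>`/`<embed>`, no inline scripts, resources only from an allow-listed set of hosts) and the sample creatives, domains and IP address are all constructed for the example; a real network would add malware scanning of the fetched resources and would re-fetch the creative rather than take it as a string.

```python
"""Approval-time scan and periodic re-check of ad creatives (constructed example).

The network records a fingerprint of each creative when it is approved and
later re-checks the served creative against it. Any drift, or any fresh
policy violation, is a finding that should stop the creative from being
served (the 'circuit breaker').
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that hand content to a browser plug-in (Java applets, Flash, etc.).
# Hypothetical policy for this example: a display ad never needs them.
PLUGIN_TAGS = {"applet", "object", "embed"}
# Attributes whose values can point at remotely loaded resources.
RESOURCE_ATTRS = {"src", "href", "data", "codebase", "archive"}


class CreativeParser(HTMLParser):
    """Collects the hosts a creative loads from and the risky tags it uses."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.plugin_tags = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PLUGIN_TAGS:
            self.plugin_tags.append(tag)
        if tag == "script" and "src" not in attrs:
            self.inline_scripts += 1
        for name in RESOURCE_ATTRS:
            value = attrs.get(name)
            host = urlparse(value).hostname if value else None
            if host:
                self.hosts.add(host)


def fingerprint(html):
    """What the network stores at approval time."""
    parser = CreativeParser()
    parser.feed(html)
    return {
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "hosts": sorted(parser.hosts),
        "plugin_tags": parser.plugin_tags,
        "inline_scripts": parser.inline_scripts,
    }


def review(html, allowed_hosts):
    """Approval-time check. Returns a list of findings; empty means approved."""
    fp = fingerprint(html)
    findings = [f"plugin content via <{tag}>" for tag in fp["plugin_tags"]]
    findings += [f"resource loaded from unapproved host {h}"
                 for h in fp["hosts"] if h not in allowed_hosts]
    if fp["inline_scripts"]:
        findings.append(f"{fp['inline_scripts']} inline script(s)")
    return findings


def recheck(baseline, html, allowed_hosts):
    """Periodic re-check of a served creative against its approval fingerprint."""
    fp = fingerprint(html)
    findings = review(html, allowed_hosts)
    if fp["sha256"] != baseline["sha256"]:
        findings.append("creative bytes changed since approval")
    for host in sorted(set(fp["hosts"]) - set(baseline["hosts"])):
        findings.append(f"new host since approval: {host}")
    return findings


# Constructed sample data: an approved banner, and the same banner after the
# advertiser appended a Java applet pulled from an unrelated server.
ALLOWED = {"ads.example-advertiser.com", "cdn.example-advertiser.com"}
APPROVED = ('<a href="https://ads.example-advertiser.com/land">'
            '<img src="https://cdn.example-advertiser.com/banner.png"></a>')
SWAPPED = APPROVED + ('<applet code="Loader.class" '
                      'archive="http://198.51.100.7/x.jar"></applet>')

if __name__ == "__main__":
    baseline = fingerprint(APPROVED)
    print("approval findings:", review(APPROVED, ALLOWED))
    print("re-check findings:", recheck(baseline, SWAPPED, ALLOWED))
```

Run as a script, the approved banner produces no findings, while the swapped creative trips the breaker on three counts: plug-in content, an unapproved host, and a changed hash. The hash comparison matters even when the other checks pass, because it catches a silently modified creative that a second review might still wave through.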