Malvertisements: Who should kill them off?

Malicious ads are popping up all over the internet, so we must resolve who is responsible for taking them down, says Rik Ferguson

Website adverts that conceal malicious content are on the rise. But deciding where responsibility lies for stamping them out is not so obvious, says Rik Ferguson.

Online advertisements are part of our daily browsing experience and an essential element of companies' online marketing strategies. So how do we know, when visiting websites that carry these networked advertisements, whether we are opening ourselves up to criminal compromise through malicious ads?

Website owners use trusted content networks to provide advertisements for their websites. Criminals are actively targeting this trust relationship because it represents a weak link in the chain of content control.

Criminals create shell companies that hide malicious content, such as JavaScript or Adobe Flash exploits, in banner ads that are subsequently placed with high-profile advertising networks. These malvertisements are then syndicated across many hundreds of websites, silently infecting as many victims as possible.

Growing threat of malvertisements

Malvertisements, as these malicious adverts are referred to, have become increasingly common over the past few years and continue to be a growing problem. The potential number of victims available to criminals through a syndicated ad will often far outstrip the potential return from compromising an individual website.

Internet users are unknowingly putting themselves at risk when they visit legitimate websites that happen to be carrying malvertisements, designed to invisibly and automatically infect visitors through drive-by downloads.

Once infected, a PC is compromised in a number of ways. These methods range from pushing fake security software that fools victims into believing their PC is infected with any number of entirely bogus pieces of malware — which only this paid-for application can remove — to stealing personal or financial details, or obtaining remote access to the PC.

Responsibility for malicious online adverts

So where does the responsibility lie? Is it with the website that is hosting the malicious adverts, the network distributing them, or the consumer who visits the website? Really, the responsibility, as well as the potential for damage, is shared.

Website owners and ad networks alike suffer embarrassing brand damage when their customers are infected — and of course the victim suffers the pain of information or identity theft and financial loss.

It is certainly true to say that if the right checks and balances were in place, the problem would largely cease to exist, at least on legitimate websites. Clients of ad networks should be applying pressure to their provider of choice to ensure the appropriate checks are made before the advert goes out.

Ideally, automated systems need to be in place at the advertising content provider to run the ads through a sandbox before they are released into the public domain, checking for any kind of active or malicious code.

Specific checks for unexpected or unwanted behaviour

Third-party providers should perform specific checks to verify URLs and detect any unexpected or unwanted behaviour such as automated redirections, even if not malicious. No web user wants to be bounced off to a third-party website simply as a result of rendering an ad in their browser and no website owner would want their visitors stolen in this way either.
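The URL verification and redirect detection described above can start with a static pre-screen of each creative before it reaches the sandbox. The following is an added example, not code from the article or from any ad network; the class and function names, the allowlist of declared hosts and the sample creatives are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script constructs that navigate the page without a click from the visitor.
NAV_RE = re.compile(
    r"(?:\b(?:window|top|parent|self|document)\s*\.\s*)?location(?:\s*\.\s*href)?\s*=(?!=)"
    r"|location\s*\.\s*(?:replace|assign)\s*\("
    r"|window\s*\.\s*open\s*\(")

class AdScreen(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)   # hosts the advertiser declared (assumed input)
        self.findings = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))
        if tag == "script":
            self.in_script = True
        for name in ("src", "href", "data"):          # verify every absolute URL
            host = urlparse(a.get(name) or "").hostname
            if host and host not in self.allowed:
                self.findings.append(("external-url", f"{tag} -> {host}"))
        for name in ("onload", "onerror"):            # handlers that fire unprompted
            if NAV_RE.search(a.get(name) or ""):
                self.findings.append(("script-redirect", f"{tag} {name}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        m = NAV_RE.search(data) if self.in_script else None
        if m:
            self.findings.append(("script-redirect", m.group(0)))

def screen_creative(html, allowed_hosts):
    """Return a list of (kind, detail) findings; an empty list means nothing flagged."""
    parser = AdScreen(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample creatives (not taken from any real campaign).
ALLOWED = {"cdn.adnet.example", "shop.example"}
CLEAN = '<a href="https://shop.example/offer"><img src="https://cdn.adnet.example/b.png"></a>'
REDIRECTING = ('<meta http-equiv="refresh" content="0;url=https://other.example/">'
               '<script>top.location.href = "https://other.example/";</script>'
               '<script src="//cdn.unknown.example/x.js"></script>')
```

A static pass like this only catches redirects written in plain sight; obfuscated or dynamically generated code still needs the sandbox run, so a flagged creative is held for review and a clean one still goes on to behavioural testing.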

In the meantime, internet users should ensure that they have the appropriate anti-malware software installed on their PC to minimise the risk.

When choosing anti-malware software, it's important not to focus purely on tools that scan for bad files, but also to look for ones that stop PCs — and not just browsers — from connecting to malicious destinations.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.
