
Op-Ed: Are online ads safe? Senate committee grills Yahoo, Google

By Paul Wallis     May 19, 2014 in Internet
Washington - The risk of malware contained in online ads (malvertising) affects everyone, including Google and Yahoo. Consumer online safety is now an official issue. A Senate sub-committee took the two Internet giants to task, and got some interesting answers.
Sydney Morning Herald IT Pro:
Yahoo’s advertising network was compromised in December by hackers, resulting in a virus being installed on computers of users when they visited ads on legitimate websites, according to a report released by Levin’s panel. In February, cybercriminals carried out a similar attack on Google’s YouTube video service through an ad delivered by the company, the report found.
...The attack on Yahoo's advertising network lasted from December 27, to January 3. Yahoo briefed Senate staff on the attack, which was possible because a hacker gained access to an employee's account and was able to approve a malicious ad.
"The malware in question spread without the need for user interaction," according to the report. "When a user visited a website with Yahoo ads delivered, the user's browser, at Yahoo's direction, contacted the advertiser's server, which delivered malware to the user's browser instead of the image of an advertisement." The malware took control of computers to create bitcoins, a digital currency.
Users didn't need to click on any ads on YouTube during the February attack on Google's network. Just watching a video was enough to get infected, according to the report.
The malware was designed to break into online bank accounts and transfer funds to the criminals.
If you’re getting the impression that there’s no real working defence, for consumers you’re right, to a considerable degree. A consumer would have to actually “track down” the cybercriminals to even begin to have a chance of action against offenders.
The video of the hearings, via Bloomberg, is an interesting bit of viewing. Senator McCain, a main speaker, points out that security testing, notably scanning, can find viruses, but these ads can simply go elsewhere.
Site owners also have no control over what ads are shown, nor any idea where the ads originate. Yahoo and Google themselves are not involved in direct control of advertising, meaning there’s no scrutiny there, either. The ad companies also don’t have any pre-screening worthy of the name.
A number of companies, about five or six, are typically involved in processing an ad, making it easier for companies to disclaim responsibility. Assigning responsibility is in fact “virtually impossible,” according to McCain.
These ads also have a real “epidemic” nature. One malware-laden ad infected an estimated 27,000 computers.
A video shown to the committee indicates that sites based on ad revenue connect automatically to many more third parties/advertisers than sites which don’t use ads as a revenue source.
Self-regulation, according to McCain, has been ineffectual. The FDA has in contrast undertaken several prosecutions against companies related to online practices. “Do not track notices” are considered only partially effective.
So, are online ads safe?
The short answer is "Not very, in an environment where this type of access is comparatively risk free for criminals". This is an extremely important issue. Online ad revenue is a major driver for major businesses, and consumers have few safeguards. Having hundreds of third parties with access to consumer browser information is hardly a recipe for online safety. About a billion trillion GB, or a “zettabyte” of information, is transferred online every year.
It’s interesting, given the amount of information provided, that basic security protocols aren’t built in at all stages of ad management. In theory, an auto scan of ads could test and filter ads, costing no more than the price of electricity.
Yahoo: Ad pipeline to filter malware. Yahoo identified Java issues in recent malware attacks, specifically in Europe, and user installation of deceptive software. Uses encryption globally, “every ad running on Yahoo” is inspected, when created and after publication. Bans any ad which looks like a system dialog. Reduces monetization incentives, spam, phishing, etc. Strong focus against spam with new email reject system. Fights bug sales, rewards bug reports. Global focus for all Yahoo users.
Google: Considers malware serious threat to Google and Google users. Created “malicious sites” register to identify known malware sites and warn users. Alerts webmasters for hosted bad ads. Scans ads and disables malware when discovered. Founded Trust In, with Yahoo, AOL, Facebook, and Twitter, which is an advisory site to help consumers manage and understand malware threats.
One of the issues identified by Online Trust Alliance is “drive by code,” an older type of malware requiring no interaction with the site to infect a computer. (I had an experience with one of these sites in 2008. 5 Trojans in a quarter of a second. Fortunately, my software caught them, but this was on a job site.) Drive by code incidents are up by 190 percent.
Major brands are also commonly used as sources for malware ads. They’re not even real ads, but they get clicked.
Trusted websites may become compromised.
Nor is enforcement having much luck on networks. Offenders disappear from one network and reappear on another.
McCain raised the question regarding liability for loss of consumer funds, and got some understandably equivocal responses. Things also got heated in the committee hearing when McCain asked witnesses to define the extent of a problem and figures. The Online Trust Alliance has figures of 207,000 incidents of consumer wipeouts.
Also creating a dance of definitions were the issues of regulation. If the big internet companies aren’t keen about mandatory notification of regulatory authorities of “breaches”, there’s also a grey area in terms of breach definitions.
A few thoughts
One of the weak points of malware is that it must use code to infect computers. That code has characteristics which can be identified, if known, or implied, if similar. An economic way of managing code would be to manage the installation process.
A probably irritating, but potentially useful, option may be to simply block “generic” installs which meet profiles of malware installation. (It could also block some of those adorable downloads people continue to inflict on the public.)
Offenders are also vulnerable in terms of needing to stream information back to an operator for phishing, etc. “Counter infection” with tracer codes is one option for creating a risk factor which isn’t currently present in the market. (Microsoft put forward an idea of “friendly worms” as defenders, but it didn’t seem to get much traction.)
Some countries are well-known havens for cybercrime. Targeting those countries could reduce their financial incentive to remain viable locations for cybercriminals. A cost of billions trumps a few million from cybercrime.
When considering this issue, the core problem is that advertising also supports the internet. The solution has to protect the cashflow, while eradicating the parasites.
This opinion article was written by an independent writer. The opinions and views expressed herein are those of the author and are not necessarily intended to reflect those of