Security firm Dasient estimated approximately 1.3 million malicious advertisements are viewed on the Web daily. According to the company, the average malicious ad lives on the Web for more than a week.
In the past few years, malicious advertisements have emerged as a
growing attack vector. Just how prevalent these attacks have become is
underscored by new research from Dasient that provides a look
into how such operations work.
According to Dasient, some 1.3 million malicious advertisements are viewed
the Web everyday, with each having an average life of between seven and
eight days. The company, which helps ad networks and
publishers deal with the issue, collected the data from
its telemetry system.
Perhaps just as interesting, Dasient found users are twice as
likely to be infected by a malicious ad during the weekend as they are
during the week. Often times, attackers will upload a legitimate
advertisement to an ad network in the middle of the week before
following up with a malicious one a few days later
"They create an account with an ad network...upload the legitimate ad
on say like a Wednesday, then they'll push it out for a malicious ad on
say Friday or Saturday," explained Neil Daswani, co-founder of Dasient.
"Their initial ad might get approved, but then of course on Friday or
Saturday a lot of ad networks don't reapprove the ad every time they
change. So then what will happen is on the weekend these malicious ads
will be served not only to the ad network that uploaded it, but
basically ad networks that syndicate ads with each other."
Another common attack method is for an attacker to compromise the
account credentials of an existing legitimate advertiser using on an ad
network. With that in hand, attackers can replace a legitimate ad with
a malicious one, Daswani said.
Most of the time, 59 percent, malicious ads infect users with
malware via drive-by downloads, according to Dasient. The rest of the
time (41 percent) attackers are pushing rogue anti-virus
. This is backed up in part by research from Google (PDF),
which found rogue anti-virus was responsible for 50 percent of malware delivered by online ads.
In February 2009, Google created a Website called Anti-Malvertising.com
with tips for ad operators and publishers. Chief among their tips for publishers - know who you are working with.
"Use the Malvertising Research Engine
to conduct quick background checks on prospective partners and their
domains," Google advised. "If a partner or domain you're researching
appears in a search result there, we recommend you take a much closer
look at the agency, advertiser or network in question before
accepting their ad."
There are several high-profile examples of what can happen when the
security process protecting users from bad ads breaks down. The Web
site for the Star Tribune newspaper
hit with an infected ad last year, as was eweek.com. Part of the
challenge of dealing with the issue is deciding just who is
It's an interesting dynamic, "because the users tend to blame the
publishers or hold the publishers accountable, and so the publisher
does have that responsibility and they suffer when this happens,"
explained Ameet Ranadive, co-founder of Dasient. "But the ad networks
are often the ones who can, say for example, taken down specific ads
within their network. I think both parties are in some ways responsible
for helping to address the problem."