In the past few years, malicious advertisements have emerged as a growing attack vector. Just how prevalent these attacks have become is underscored by new research from Dasient that provides a look into how such operations work.
According to Dasient, some 1.3 million malicious advertisements are viewed on the Web every day, with each having an average life of between seven and eight days. The company, which helps ad networks and publishers deal with the issue, collected the data from its telemetry system.
Perhaps just as interesting, Dasient found users are twice as likely to be infected by a malicious ad during the weekend as they are during the week. Often, attackers will upload a legitimate advertisement to an ad network in the middle of the week before following up with a malicious one a few days later.
“They create an account with an ad network…upload the legitimate ad on say like a Wednesday, then they’ll push it out for a malicious ad on say Friday or Saturday,” explained Neil Daswani, co-founder of Dasient. “Their initial ad might get approved, but then of course on Friday or Saturday a lot of ad networks don’t reapprove the ad every time they change. So then what will happen is on the weekend these malicious ads will be served not only to the ad network that uploaded it, but basically ad networks that syndicate ads with each other.”
Another common attack method is for an attacker to compromise the account credentials of an existing legitimate advertiser on an ad network. With those credentials in hand, attackers can replace a legitimate ad with a malicious one, Daswani said.
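Both methods above rely on approval staying attached to an ad or account after its content changes. The following added example (not from Dasient or any ad network; the class name, ad ID and sample creatives are constructed for illustration) shows a serve-time gate that ties approval to a hash of the reviewed creative, so any changed creative is held for re-review regardless of who changed it or when.

```python
import hashlib

class CreativeGate:
    """Ties review approval to the creative's content hash, not to the ad ID or account."""

    def __init__(self):
        self._approved = {}      # ad_id -> set of approved SHA-256 digests
        self.review_queue = []   # (ad_id, digest) pairs held for re-review

    @staticmethod
    def digest(creative: bytes) -> str:
        return hashlib.sha256(creative).hexdigest()

    def approve(self, ad_id: str, creative: bytes) -> str:
        """Record a reviewer's approval of these exact bytes."""
        d = self.digest(creative)
        self._approved.setdefault(ad_id, set()).add(d)
        return d

    def may_serve(self, ad_id: str, creative: bytes) -> bool:
        """Serve only bytes that were reviewed; queue anything else once."""
        d = self.digest(creative)
        if d in self._approved.get(ad_id, set()):
            return True
        if (ad_id, d) not in self.review_queue:
            self.review_queue.append((ad_id, d))
        return False

def demo():
    # Constructed sample creatives; the ad ID and markup are made up.
    wednesday = b'<a href="https://advertiser.example/sale"><img src="banner.png"></a>'
    weekend = b'<a href="https://other.example/"><img src="banner2.png"></a>'
    gate = CreativeGate()
    gate.approve("ad-1001", wednesday)   # reviewed mid-week
    results = {
        "original": gate.may_serve("ad-1001", wednesday),
        "swapped": gate.may_serve("ad-1001", weekend),        # changed after approval
        "swapped_again": gate.may_serve("ad-1001", weekend),  # still held, queued once
    }
    results["queued"] = len(gate.review_queue)
    return results

if __name__ == "__main__":
    print(demo())
```

The hash only covers bytes the network itself stores and serves; a creative that loads content from a remote URL can change without its hash changing, so that fetched content needs its own review.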
Most of the time (59 percent), malicious ads infect users with malware via drive-by downloads, according to Dasient. The rest of the time (41 percent), attackers are pushing rogue anti-virus. This is backed up in part by research from Google (PDF), which found rogue anti-virus was responsible for 50 percent of malware delivered by online ads.
In February 2009, Google created a Website called Anti-Malvertising.com with tips for ad operators and publishers. Chief among its tips for publishers: know who you are working with.
“Use the Malvertising Research Engine to conduct quick background checks on prospective partners and their domains,” Google advised. “If a partner or domain you’re researching appears in a search result there, we recommend you take a much closer look at the agency, advertiser or network in question before accepting their ad.”
There are several high-profile examples of what can happen when the security process protecting users from bad ads breaks down. The Web site for the Star Tribune newspaper was hit with an infected ad last year, as was eweek.com. Part of the challenge of dealing with the issue is deciding just who is responsible.
It’s an interesting dynamic, “because the users tend to blame the publishers or hold the publishers accountable, and so the publisher does have that responsibility and they suffer when this happens,” explained Ameet Ranadive, co-founder of Dasient. “But the ad networks are often the ones who can, say for example, take down specific ads within their network. I think both parties are in some ways responsible for helping to address the problem.”