PageFair’s recent report revealed that global adblocking has increased by 41% over the last twelve months. Internet users are turning to adblocking to avoid annoying advertising and tracking. But a more troubling concern is gradually bubbling up into mainstream awareness and may lead more users than ever to adblock in future: malicious advertising, or “malvertising”.
Malvertising has been around for several years, but the number of attacks have already increased by 260 percent in the first half of 2015, according to cyber security firm RiskIQ. Users are exposed to malvertising when malware distributors piggyback on legitimate ad networks, buying slots and sending out ads loaded with malicious scripts. A user doesn’t even need to click on the ad to trigger delivery of the malware. Some are “ransomware” that encrypt the user’s files and demand a payment to decrypt them (e.g. “CryptoWall”), while others (e.g. “BEDEP”) are designed to turn machines into botnets – zombie armies that can be used to spread viruses or send out spam.
Victims great and small
As might be expected, porn sites are regularly affected, but a large number of high-profile sites have also been hit over the years, including the Huffington Post, AOL and TMZ. Yahoo visitors were exposed to CryptoWall in August 2014, then again almost a year later to an unknown payload (possibly CryptoWall or BEDEP) via the malvertising exploit called Angler in July 2015. Malwarebytes recently reported that a massive malvertising campaign “ran mostly uninterrupted for almost three weeks” in August 2015, infecting millions of machines.
It is difficult to defend against malvertising. Premium software such as Malwarebytes Anti-Exploit may be able to catch attacks by the Angler Exploit, but the free versions of anti-virus programs used by most users are probably not up to the task. Heavily-protected and fully up-to-date machines may in any case be vulnerable to so-called “zero-day” threats.
RTB and the rise of malvertising
Advertising networks have ended up as the unwitting distributors of malware because of the use of real-time-bidding (RTB) systems designed to allow the rapid deployment of targeted ads across a range of websites. Ad slots are bought and sold via the ad network in an instant, with publishers rarely aware of what ads their visitors will see or who paid for the impression. RTB has solved many problems for advertisers and publishers but at the cost of exposing the most important participant in the transaction – the consumer – to an unacceptable threat.
Growing awareness of the problem is leading some security experts to actively recommend that Internet users employ adblocking software. Adblocking is becoming a security response, rather than just a way to block ads and stop tracking. It could even become the default security policy for company networks.
Any potential solutions, such as establishing a “circuit breaker system” of “trusted advertisers”, require advertising networks to accept that they are ultimately responsible for the problem. Advertisers can’t really expect consumers to beef up their security in order to receive ads. Considering that Internet users are more than willing to block ads for simply being annoying, this seems an optimistic expectation. In fact, security threats could be the tipping point that renders the web an ad-free zone. As Ad Age warns:
People often cite lethargic page-load speeds or general aesthetics as the reasons they install ad-blocking software on their web browsers. But hackers are making perhaps the best case for people to block banner ads – and for advertisers and publishers to take ad-blocking seriously. Ad Age
PageFair is opposed to adblocking because we believe that it could ultimately lead to the demise of publishers and death of the open web. But we can find no valid alternative to blocking malvertising until the situation changes. The surge in malvertising attacks so far in 2015 suggest that more consumers will embrace adblocking. And that’s bad news for publishers.