
Companies trying to protect advertising networks, publishers, online buyers and consumers from malicious Web attacks are stepping up efforts to stop the sale of ad space to fake agencies placing ads with malicious code.
The problem proliferated in the last year with -- according to one source -- an average of between 1% and 2% of infected ads per site, jumping to between 10% and 20% as social networks started pulling ads from networks and automated, anonymous ad buying took off.
And there's no organized effort to stop it. Advertising networks and publishers say they have done their best to stop the practice, but executives at companies that monitor these networks and sites for Trojans say it's not enough. Michael Caruso, chief executive at ClickFacts, is calling on the industry to put in place more stringent practices to verify the companies that place ads on networks.
"There are a lot of Trojans being introduced through the ads running on these networks that may come from exchanges or direct buys, but really they come from fake companies," Caruso says. "These fake agencies are buying ads and launching malware. We've been looking for behavior and not just signatures. The industry has seen more than 25 million variants of malware."
Caruso can't see the entire Internet, and can only scan ad tags that ClickFacts supports. The software tests for an ad tag calling in malware, viruses and malicious code. It also crawls entire Web sites, such as MySpace, looking for bad code. That may not seem like much for one site, but multiply it by thousands and millions.
Many of the DSPs have a higher percentage of viruses in ads due to the nature of their automated ad-buying process, according to sources. Automation has been the culprit feeding the fire that companies lit years ago.
The motivation for the fake ad agencies is identity theft through ad exchanges and automated buys. "We're not talking about an ad getting injected with a virus -- we're talking about fake agencies being set up and no one mentioning that this is going on," he says. "It is going on and happening at every major publisher and in-person buys. It's also happening through direct ad buys."
One method that malvertisers use is to inject code in an ad, but companies also hack a page, an ad, or an SQL server. The malware typically self-destructs within 24 hours to keep from being found. They also infiltrate the ad network by making a direct ad buy on an ad exchange with a fake credit card. The tactic is not entirely new, but many acknowledge that it's been getting worse through the years. People set up an ad agency with some real clients, but also have "shady characters" that make ad buys.
David Norris, chief executive officer at BlueCava, says legit advertisers are paying higher prices for ad space as the steady stream of fake companies that place infected ads across self-service display ad networks increases.
Apparently, seven agencies were fired last December because they unknowingly hired criminals to make ad buys, hitting registry files with the intent of stealing personally identifiable information. These ad buyers put the code inside the ad, and a keylogger in the ad downloads onto the computer through malicious code. Or someone switches out the ad tag after the ad has been manually checked. That's what happened to The New York Times. The criminals exploited weaknesses in the online ad system.
One weakness is an inability to verify ads. While some companies have not put processes in place, others have. Kontera, a pay-per-click in-text ad network, has strict policies in place for placing ads. The network doesn't run ads for pornography, alcohol, firearms, or contraband. It checks each ad several times to keep the network clean, according to Ammiel Kamon, Kontera's executive vice president of marketing. "Self-service options have benefits, but require strict guidelines and monitoring," he says.
The industry lacks checks and balances, say Caruso and others.
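The tag swap after a manual check described above is the case a one-time review cannot catch, so a network or publisher can re-verify the tag it is actually serving against a snapshot taken at approval. The following is an added example, not code from the article or from any company it names; the function names, tag markup and host names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _HostCollector(HTMLParser):
    """Collects the hosts an ad tag loads from or links to (src/href)."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host.lower())


def fingerprint(tag_html):
    """Snapshot recorded when a reviewer approves the tag."""
    collector = _HostCollector()
    collector.feed(tag_html)
    collector.close()
    normalized = " ".join(tag_html.split())  # ignore whitespace-only edits
    digest = hashlib.sha256(normalized.encode("utf-8")).hexdigest()
    return {"sha256": digest, "hosts": frozenset(collector.hosts)}


def recheck(approved, live_tag_html):
    """Compare the tag being served now with the approved snapshot."""
    live = fingerprint(live_tag_html)
    findings = []
    if live["sha256"] != approved["sha256"]:
        findings.append("markup changed since approval")
    for host in sorted(live["hosts"] - approved["hosts"]):
        findings.append("new external host: " + host)
    return findings


# Constructed sample tags; every host name is a placeholder.
APPROVED_TAG = ('<a href="https://advertiser.example/landing">'
                '<img src="https://cdn.adnet.example/banner.png"></a>')
SWAPPED_TAG = APPROVED_TAG + '<script src="https://unreviewed.example/loader.js"></script>'

if __name__ == "__main__":
    snapshot = fingerprint(APPROVED_TAG)
    print(recheck(snapshot, APPROVED_TAG))
    print(recheck(snapshot, SWAPPED_TAG))
```

The check covers only the markup and hosts visible in the tag itself; content that an already-approved script fetches at run time needs the behavioral scanning the article mentions.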