Commentary

RTB Exchanges Attracting Malvertising

News broke earlier this week that hackers have been buying ads on real-time bidding (RTB) platforms and embedding them with RIG 3.0, which checks whether or not a person’s computer is vulnerable and if it is, it loads a trojan virus. VentureBeat first reported the findings, which were uncovered by Trustwave Holdings.

It marks the second time in the past four months that booby-trapped ads have been delivered via RTB exchanges. And on top of these attacks, it was reported earlier this week that Yahoo is also under fire from malvertising.

In a comment posted on MediaPost, Paul Benjou from The Center for Media Management Strategies commented that the latest finding creates “another check box that needs to be ticked when evaluating RTB platforms.”

Lane Thomas, security research and software development engineer at IT provider Tripwire, said in an email that the “latest hits reflect the bad state of security within the Web.” Thomas said there is “no single person or system to blame,” but offered a suggestion as to what networks and ad platforms could do to heighten security.

“[A]d networks and platforms need to enhance their verification and validation processes. Attackers have a huge incentive to penetrate these systems,” Thomas wrote. “Further, ad networks and platforms have a lot to lose in terms of consumer trust. If large scale malvertising campaigns such as this continue, consumers will lose more and more trust in these ad services, which can ultimately lead to financial losses for the ad organization.”

Advertisers are already losing billions of dollars per year, so it’s already an issue worth addressing. Any trust consumers lose in ad tech providers simply adds to the money lost to bots -- just in a different fashion. Instead of just fighting bots, these companies would also be fighting a PR battle.

It’s not a stretch to say consumers are losing trust. “Do Not Track” technologies are alive and well and are even receiving updated standards.  

It’s not entirely up to the networks and platforms to protect consumers from scrupulous happenings on the Web, however. Consumers could still steer themselves in the wrong direction. Thomas added that “end users need to be vigilant when clicking advertising links and should always keep their software patched and updated.”

For their part, ad tech companies are actively working with verification and validation companies. For example, Google DoubleClick on Tuesday partnered with comScore to bring validation measurement to its platform. Additionally, investors are zeroing in on ad fraud detection firms, with companies such as Integral Ad Science and Distil Networks raising a combined $88 million in the past several weeks.

It’s a legitimate problem RTB ad-buyers face, but James Green, CEO of Magnetic, has a simple solution that he shared at the OMMA Art & Science conference in Los Angeles in July: “Go to those exchanges that are worse and refuse to pay.”

1 comment about "RTB Exchanges Attracting Malvertising".
Check to receive email when comments are posted.
  1. Rafael Cosentino from Telanya, August 5, 2015 at 11:55 a.m.

    When companies provide offers to publishers via direct long term relationships, there is some accountability that takes place.  Publishers see ads they don’t want and ask the provider to remove them.  Ad providers have a vested interest in weeding out seedy offers to maintain credibility with premium publishers and their audiences.  With RTB, no one is accountable.  There is now a daisy chain of exchanges which for all intents and purposes is much more difficult to track any one source. So sure, if you have a scummy malware product, rebill or ransomware offer to distribute and no one credible will run it, go with RTB!  There is still less accountability the relationships are seperated by many vendors.

Next story loading loading..
About the Author

Tyler Loechner is a MediaPost Reporter covering real-time, programmatic, RTB and more. You can reach Tyler at tyler@mediapost.com.