For better or for worse, the online economy depends on advertising revenue. The biggest online service providers are funded by advertising. The vast majority of publishers wouldn’t exist but for advertising. Even the eCommerce sector, which generates revenue with sales, would be a pale shadow of its current size if it couldn’t advertise its wares on other sites, and the same goes for most other business models that generate revenue by direct sales.
Malvertising is a significant threat to all of these sectors, because, in spite of the shady practices and ill-mannered obnoxiousness of much advertising, the majority of web users don’t use ad blockers. Whether they are unaware of the existence of ad blockers, understand the exchange of attention for content as fair, or simply don’t care, web users, by and large, put up with advertising. But, if advertising poses a significant security risk which is widely publicized, that’s likely to change.
Malvertising is a relatively new form of malware distribution. The motives are the same as always: infecting computers to dragoon them into botnets for click fraud and other malicious activities, ransomware distribution, and so on. It’s the delivery method that’s different. Instead of having to go to the trouble of hacking the New York Times, malvertisers simply buy space on the NYT front page and serve advertising that can directly infect visitors.
Most large publishers use advertising networks to sell their space. Those advertising networks deal with the advertisers directly, but often they don’t actually host the advertising content itself; they form the link between the publisher and third parties that host their own advertising. Of course, it doesn’t take much effort for malefactors to create the appearance of a legitimate entity and buy advertising space from the networks.
The fiendishly clever aspect of malvertising is that criminals can not only leverage the ad networks’ portfolio of publishers for distribution, they can also use the networks’ refined targeting technology to make sure that malware ends up exactly where they want it. Real-time bidding (RTB) is a favorite of malvertisers, allowing them to geo-target advertising, focus it on specific IP blocks, or target particular demographic groups.
Malvertising is a difficult nut to crack, and the burden rests largely on advertising networks like Google’s DoubleClick. The networks, of which there are dozens in a thriving and rapidly innovating industry, also have the most to lose if they don’t get to grips with malvertising. Publishers generally have no idea of the specific content of the advertising they are serving, but if their network fails to properly police content, publishers can vote with their wallets.