
Malvertising ‘more than triples in 2013’

Industry needs far greater collaboration to counter threats, Online Trust Alliance says.

By Jimmy Nicholls

Malvertising rose by more than 200% in 2013, with malicious adverts seen by more than 12.4 billion people last year, according to industry group the Online Trust Alliance (OTA).

The news follows an attack on Yahoo this past January in which adverts designed to install malware on visitors’ systems were seen by 300,000 people, with one in ten systems being compromised as a result.

Giving testimony to a US Senate subcommittee, OTA executive director and president Craig Spiezle said: "In the absence of secure online advertising, an impossible task given today’s fragmented advertising ecosystem, the integrity of the internet is at risk.

"Not unlike pollution in the industrial age, in the absence of regulatory oversight and meaningful self-regulation, these threats continue to grow."

Opening the hearing, Arizonan senator John McCain noted that last year online advertising accrued $42.8bn in revenue, $3bn more than that from broadcast television advertising. It is the first year that advertising generated higher revenue online than through broadcast television.

Malicious adverts have appeared on sites as prominent as Google, the London Stock Exchange and the New York Times, with an advert on Major League Baseball’s website shown an estimated 300,000 times before it was taken down.

Spiezle emphasised the dangers of "drive-by downloads", where malicious software runs automatically when a visitor enters a site, though malvertising can also take the form of pop-ups, widgets or frames.

According to the OTA, criminals employ a range of tactics to run malicious adverts, with some paying for advertising campaigns directly from a network, some impersonating advertisers or ad agencies, and some buying ads through automated systems.

While private data is a common target of such activity, criminals also hijack systems to engage in further distributed-denial-of-service (DDoS) attacks, and may use ransomware to encrypt hardware before demanding a fee to unlock it.

The OTA expects display advertising to be sold automatically three-quarters of the time by 2015, almost double the proportion it was in 2012. Though accepting the efficiency of such systems, Spiezle said that they "lack robust circuit breakers to detect fraudulent advertisers".

He added that fear was rife enough among some companies that they were preventing employees from viewing third-party adverts, with individuals using extensions such as Adblock Plus, NoScript or HTTP Switchboard to protect themselves.

"For some, malvertising remains a 'Black Swan Event', rarely seen but known to exist. For others it is the elephant in the room that no one wants to acknowledge," he said, adding that the advertising industry had to collaborate if it was to overcome the threats.

"Achieving security online is not an end state," said Alex Stamos, VP of information security at Yahoo. "It’s a constantly evolving challenge that we tackle head on."
