Malvertising rose by more than 200% in 2013, with malicious adverts seen by more than 12.4 billion people during last year, according to industry group the Online Trust Alliance (OTA).
The news follows an attack on Yahoo this past January in which adverts designed to install malware on visitors’ systems were seen by 300,000 people, with one in ten systems being compromised as a result.
Giving testimony to a US Senate subcommittee, OTA executive director and president Craig Spiezle, said: "In the absence of secure online advertising, an impossibly task given today’s fragmented advertising ecosystem, the integrity of the internet is at risk.
"Not unlike pollution in the industrial age, in the absence of regulatory oversight and meaningful self-regulation, these threats continue to grow."
Opening the hearing, Arizonan senator John McCain noted that last year online advertising accrued $42.8bn in revenue, $3bn more than that from broadcast television advertising. It is the first year that advertising generated higher online than through braodcast television.
Malicious adverts have appeared on sites as prominent as Google, the London Stock Exchange and the New York Times, with an advert on Major League Baseball’s website shown to an estimated 300,000 times before it was taken down.
Spiezle emphasised the dangers of "drive by downloads", where malicious software runs automatically when a visitor enters a site, though malvertising can also take the form of pop-ups , widgets or frames.
According to the OTA, criminals employ a range of tactics to run malicious adverts, with some paying for advertising campaigns directly from a network, some impersonating advertisers or ad agencies, and some buying ads through automated systems.
While private data is a common target of such activity, criminals also hijack systems to engage in further distributed-denial-of-service (DDoS) attacks, and may use ransomware to encrypt hardware before demanding a fee to unlock it.
Display advertising is expected by OTA to be sold automatically three-quarters of the time by 2015, almost double the proportion it was in 2012. Though accepting the efficiency of such systems, Spiezle said that they "lacks robust circuit breakers to detect fraudulent advertisers".
He added that fear was rife enough among some companies that they preventing employees viewing third-party adverts, with individuals using extensions such as Adblock Plus, No Script or HTTP Switchboard to protect themselves.
"For some, malvertising remains a "Black Swan Event", rarely seen but known to exist. For others it is the elephant in the room that no one wants to acknowledge," he said, adding that the advertising industry had to collaborate if it was to overcome the threats.
"Achieving security online is not an end state," said Alex Stamos, VP of information security at Yahoo. "It’s a constantly evolving challenge that we tackle head on."
