A deep-rooted problem
Getting rid of malvertising won't be easy. One challenge lies with the structure and operational model of the online advertising ecosystem itself. It includes hundreds of players that sell services ranging from ad networks to advertiser-focused supply-side platforms, publisher-oriented demand-side platforms and ad exchanges — open marketplaces where publishers sell inventory that advertisers can purchase.
Ad networks can also sell excess inventory through other networks and affiliates that in turn may work with other partners. Publishers — and even the ad networks themselves — don't always know who the buyers are.
In 2012, the Online Trust Alliance estimates, the industry delivered more than 10 billion ad impressions containing malvertising.
It's an imperfect system, Sullivan says, but one that publishers must rely on to sell "remnant" inventory — ad space that they can't sell themselves. "You either sell it to a network for a lower cost or you don't get anything at all. No one is immune to the problem," he explains. And in an opaque marketplace like an exchange, advertisers have no idea where their ad impressions are actually coming from. That makes it a target for advertising fraud.
The malvertising payload is delivered through advertising networks in various ways, which presents its own challenges to prevention. Cyber criminals tend to use three different approaches, says Sullivan. The most straightforward is for the malware distributor to simply buy ad inventory through an exchange and submit an ad with malware embedded within it.
That's hard to do today because many publishers and advertisers use tools that scan for malicious code and attempt to inspect references to other sites. "But it might not get caught if they've hidden it well," he says.
Publishers and ad networks can deploy tools from security vendors such as The Media Trust and DoubleVerify that inspect ads for malvertising and scan associated ad tags — embedded code that tells the browser where to retrieve an ad — to verify the location. But not every ad network uses the tools, and a malvertising ad may link to an affiliate or partner that in turn links to another site, cascading as much as four levels deep.
"If all the ad is doing is sending traffic somewhere, you may miss the fact that the attack is happening on the third or fourth hop," says Blue Coat's Larsen. "It's rare to trace it back to a web ad company. It's almost always some other site."
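An added example, not from the original article: a depth-limited audit of an ad tag's redirect chain against an approved-host list, showing how a check that stops after two hops reports nothing while the off-list host sits at hop four. The redirect map, host names and approved list are constructed for illustration; a real scanner would fetch each hop instead of reading a table.

```python
from urllib.parse import urlsplit

# Constructed redirect table standing in for live fetches: URL -> next URL.
# A URL with no entry is treated as the final landing page.
REDIRECTS = {
    "https://ads.network.example/tag?id=1": "https://cdn.affiliate.example/r/1",
    "https://cdn.affiliate.example/r/1": "https://track.partner.example/c",
    "https://track.partner.example/c": "https://landing.unvetted.example/x",
    # Constructed redirect loop: the chain never reaches a landing page.
    "https://ads.network.example/tag?id=2": "https://cdn.affiliate.example/r/2",
    "https://cdn.affiliate.example/r/2": "https://ads.network.example/tag?id=2",
}

# Hypothetical list of hosts the publisher has vetted.
APPROVED = {"ads.network.example", "cdn.affiliate.example", "track.partner.example"}


def trace(tag_url, max_hops, resolve=REDIRECTS.get):
    """Follow the chain from the ad tag (hop 1) for at most max_hops URLs.

    Returns (chain, complete). complete is False when the walk stopped on a
    redirect loop or ran out of hop budget before reaching a landing page.
    """
    chain = [tag_url]
    while True:
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, True
        if nxt in chain or len(chain) >= max_hops:
            return chain, False
        chain.append(nxt)


def audit(tag_url, max_hops, approved=APPROVED):
    """Report hosts outside the approved list among the hops inspected."""
    chain, complete = trace(tag_url, max_hops)
    off_list = [
        (hop, urlsplit(url).hostname)
        for hop, url in enumerate(chain, start=1)
        if urlsplit(url).hostname not in approved
    ]
    return {"hops_seen": len(chain), "complete": complete, "off_list": off_list}


if __name__ == "__main__":
    tag = "https://ads.network.example/tag?id=1"
    for depth in (2, 4):
        print(depth, audit(tag, depth))
```

An empty `off_list` with `complete` set to False means the chain was not fully inspected, so it should be treated as unverified, not clean.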