In the case of the malvertising that affected the L.A. Times and other sites last fall, the cyber criminals used more than 275 different sites to deliver the malware, with the number of affected host websites in the "low hundreds." Those sites received thousands of hits per day, according to Larsen.
The user's browser was redirected through four hops to a "drive-by download" site that used an exploit kit to check for known vulnerabilities. "If you were vulnerable you would be infected without ever clicking on anything," Larsen explains. Blue Coat researchers discovered the sites as part of an ongoing search for sites using exploit kits and then traced the traffic backwards to the ad networks and publisher sites that had inadvertently carried the malvertising, Larsen says.
A spokesperson for The Media Trust says the company also had detected the malvertising attacks and notified its customers when they appeared so they could block them. It says its software was not in use by the affected publishers and the ad networks.
Mobile devices can also fall victim to malvertising that uses social engineering tactics to get the user to bypass existing protections against malware apps. These ads mimic user interface elements of the mobile operating system, such as system messages or pop-ups, in order to mislead the user into taking specific actions, says Botezatu.
Sizing up the problem
Just how big is the malvertising problem? Opinions vary, and while anecdotes abound, hard numbers on the scope of the problem are hard to come by. The Online Trust Alliance (OTA), a nonprofit advocacy group that says its mission is to build trust online, estimates that fewer than 1% of all online ads involve malvertising of some sort.
That number might sound small, but each ad is typically served up many times. "A single incident of malvertising can equate to several hundred thousand exploits," says Craig Spiezle, OTA executive director. In 2012, the OTA estimated, the industry delivered more than 10 billion ad impressions containing malvertising.
But there are no hard numbers, in part because figuring out which malware infections came from malvertising isn't easy. While it's hard to get a handle on the full scope of the problem, Botezatu is certain about one thing: "The problem is definitely not decreasing."
One Blue Coat Systems client, which research architect Chris Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. "They were concerned about malware coming in from this vector and not being able to stop it," he says.
Certainly the issue has grown large enough to have the IAB's full attention. And part of that may be the potential negative impact of even a few widely publicized incidents. A high-profile infection such as the Yahoo attack can have consequences for both publishers and the online advertising industry. "The Yahoo incident, a portal visited by millions of people a day... takes the game to a whole new level," says Botezatu.