The problem appears to be increasing in the mobile arena as well. According to research by security software vendor RiskIQ, the incidence of malicious apps increased 388% from 2011 to 2013, and malvertising is an increasingly common technique that cyber criminals use to deliver those apps.
Around 7% of the threats Bitdefender blocked in the last month were Android packages delivered by way of mobile advertising that "falsely claimed that those devices had been infected," Botezatu says. In this scheme, a pop-up dialog, which looks like it was generated by the Android operating system, prompts the user to take action that will supposedly remove the virus.
But when the user clicks on the pop-up to take action, she is prompted to change her settings to allow installation of a third-party app — delivered outside of the protected walled garden of Google Play — so that the malware payload can be delivered undetected. Because these "scareware" messages look like they were generated by the operating system, they're very effective, Botezatu says.
The digital advertising industry must stop having unprotected sex. Randall Rothenburg, president, Interactive Advertising Bureau
Malvertising could also cost the online advertising industry, and web publishers that depend on it, in other ways that are even more difficult to measure. "These threats are undermining the integrity of the interactive advertising ecosystem," says Spiezle. Users cite a lack of trust in the safety of online advertising as one reason for using ad blocking software, even though the use of such software eliminates all ads -- good or bad — along with the primary revenue source for many web publishers. "Blocking all ads and scripts will most likely keep the user safe," but would reduce revenue for web publishers, Spiezle says.
One Blue Coat Systems client, which Larsen will describe only as a Fortune 500 company, recently decided to block all ad traffic for tens of thousands of its employees. "They were concerned about malware coming in from this vector and not being able to stop it," he says.
Fixing the problem
Spiezle wants to see changes in the process for vetting online advertising. "If we don't do this we'll see increased use of [ad] blockers, calls for regulation and potential lawsuits for failure to take steps to help protect users from harm," he says.
"I agree absolutely," says Sullivan. Today, a well-managed ad network that knows every one of its affiliated sites and monitors them constantly may still sell its excess inventory to a secondary ad network that doesn't operate at the same level.
Sign up for Computerworld eNewsletters.