Beware of Risky Ads on Tumblr | MalwareBytes Unpacked
Ads on sites like here need to be secure to obtain the same respect as magazine ads
Most of us who use the Web are making increased use of ad-sponsored Web sites for news, blogs, social media and the like.
In most cases, the banner advertising that appears on these Websites or on advertising-funded mobile-platform apps and is delivered in a tasteful manner provide a similar experience to the display advertising we see, accept and take for granted in newspapers, magazines and other printed media. That is where pop-up or pop-under advertising isn’t used or you don’t hear noisy video commercials playing through. It could be enough to see an animated or slide-show ad appear within the confines of the banner. Here, the advertising doesn’t interrupt the reading experience unlike with TV advertising or online-video advertising where it interrupts the viewing experience.
Such advertising, like the Google AdSense ads you see on this site, is sold on a contract that is based on cost-per-click which the advertiser pays when you click on the ad to follow through with it, or cost-per-impression which is based on simply on the ad being loaded and appearing on the site.
The malvertisement threat
But there is a security problem cropping up here in the form of “malvertisements”. These are online advertisements that are delivered to lead users to Websites that host malware. Typically they use enticing copy and graphics in the advertisements to attract users to view content on these sites and download software of questionable provenance.
Security vendors run a rhetoric that encourages us Web users to use ad-blocking software to keep our computer secure by masking all online advertising. But this can get in the way of honest advertisers and the publications that depend on them for revenue because the software works on an “all or nothing” approach.
But what can the online advertising industry do about this?
If a Website author has control over all of the advertising they admit, they can easily “fence out” malvertisements and distasteful advertising by examining what their potential advertiser is tendering at the start of and through the life of their advertising contract.
But this is not the case for most Websites where they will rely on one or more ad networks like Google AdSense to supply all or the remainder of their ad inventory. These ad networks typically source the advertising themselves and pay publishers a cut for each advertisement that appears or when someone clicks on an advertisement.
Malware sites advertise through these networks on a “pay-per-click-only” contract because it is a “low-risk high-return” option. But the networks could make life harder for them by, for example, vetting the creatives (advertising text, graphics, scripts and links) offered for an ad campaign before accepting them for display and through the life of the campaign. Similarly, they could make it harder to establish or sustain advertising contracts for “fly-by-night” operations like distributing malware such as implementing the ability to break-off ad contracts if the advertiser engages in deceptive conduct or not offering “very-low-risk” advertising options such as “pay-per-click-only” text ads. One way would be to require all ad contracts to be based on the requirement to pay for a particular time length or minimum number of impressions.
Ad networks can also exchange details about advertisers that engage in deceptive business practices so that the advertisers don’t go “shopping around” different ad networks to hawk their wares at the lowest risk. This is similar to a lot of proper business practices where companies are able to exchange details about known credit risks for example.
This could be part of an online advertising code of conduct to protect the validity and legitimacy of the online display advertisement as part of an advertiser’s campaign mix and as a way for Web publishers to raise some income.
Webmasters can work with the ad network’s control panel to reduce the kind of advertising that gets through to their ad spaces. For example, they could opt to keep the advertising that appears to tightly reflect the content and tone of their Website. The Webmaster can also exercise a tight level of control over any advertising they directly sell for their Website such as offering contracts with a minimum level of risk to the advertiser or vetting the creative material tendered by the advertisers.
As well, they can take out security measures over the Website to stop undesireable activity from occurring with their Website. This could include implementing hardened login procedures such as brute-force lockout or two-factor authentication on the critical admin and editor accounts.
Like most online-security issues like Wi-Fi security, it isn’t just up to end-users to do the “heavy-lifting” to keep their Web experience secure. Other stakeholders like advertising networks need to join in the game to keep a secure Web with respected online advertising and avoid exposure to liability.