Posted February 10, 2011 9:59 am


Malware has always been a real problem for the Internet space, and now it is spreading further into the world of online advertising. For those keeping score, that’s a bad thing.

According to a post from ClickZ:

More than 10 billion online ad impressions served up in 2010 carried malware, according to recent research from Online Trust Alliance. The organization, dedicated to establishing best practices for ensuring data privacy and security online, argues that delivery of ads transferring malicious code could be prevented if ad networks and other ad third parties took care to know their business partners.

Excuse me while I chuckle at that last sentence. In this go-go Internet space, taking care to know your business partners can slow down ‘progress’. With many ad networks being sketchy from the get-go, this is both a tall order and a bit too Utopian for this real-world Internet. Money talks, so few people vet.

As a result the following chart may start to look all too familiar as we move forward.

No one ever said the online space is safe, but the constant need to expand and grow leaves holes, and where there is an opportunity for something bad to happen, it will be exploited. So what advertising forms are the culprits?

The organization estimates most of the malvertising served last year came in the form of display ads, and many of the ads emanated from outside the U.S. Based on aggregate data from ad serving firms, OTA reported in December that it confirmed nearly 19,000 incidents of malvertising last year occurring across 3,500 sites and 200 unique ad networks.

What’s most frightening is the reality that users may not even have to click on ads to become infected. A post from ReadWriteWeb looked at this particular issue back in September:

According to Chris Larsen, head of Blue Coat’s research lab, you don’t even need to actually click on the ads. Blue Coat documented one way this is done: a site can use JavaScript to call hidden iFrames which load PDFs containing code that exploits Adobe Reader vulnerabilities.
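From the defender's side, the hidden-iframe pattern Larsen describes can be looked for in ad markup. The following is an added example, not code from the original post or from Blue Coat; it assumes you have a serialized DOM snapshot of the ad slot taken after scripts have run, and the sample markup and `.example` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep a frame out of the user's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|"
    r"(?:left|top)\s*:\s*-\d{3,}", re.I)

class IframeAudit(HTMLParser):
    """Records every iframe that is invisible, tiny, or loads a PDF."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # boolean attrs arrive as None
        reasons = []
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden")
        if a.get("width", "").strip() in ("0", "1") or \
           a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny")
        src = a.get("src", "")
        # Extension check only; a PDF served from an extensionless URL
        # needs a Content-Type check, which is out of scope here.
        if urlparse(src).path.lower().endswith(".pdf"):
            reasons.append("pdf-src")
        if reasons:
            self.findings.append((src, reasons))

def scan(markup):
    """Return (src, reasons) for each suspicious iframe, in document order."""
    audit = IframeAudit()
    audit.feed(markup)
    return audit.findings

def high_risk(markup):
    """Frames the user cannot see that also load a PDF: the drive-by pattern."""
    return [s for s, r in scan(markup) if "pdf-src" in r and len(r) > 1]

# Constructed sample: a visible banner, a hidden PDF frame, a tracking
# pixel frame, and a visible PDF viewer.
SAMPLE = """<div id="ad-slot">
<iframe src="https://ads.example/banner.html" width="300" height="250"></iframe>
<iframe src="https://cdn.example/doc.pdf?id=7" style="width:0;height:0;border:0"></iframe>
<iframe src="https://track.example/px.html" width="1" height="1"></iframe>
<iframe src="https://docs.example/whitepaper.pdf" width="600" height="800"></iframe>
</div>"""
```

Only the second frame is both invisible and PDF-backed; the tracking pixel and the visible PDF viewer are reported by `scan` with a single reason each, for manual triage rather than blocking.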


The numbers, as a percentage of overall ads displayed, make this seem like a non-issue, but for those who have been caught the issue is real, and it is likely to continue to grow.

Is there a remedy? Good old-fashioned ‘staying up to date’ should stop most of it.

Here’s the good news: according to Larsen, most malvertising targets well known exploits. Keeping your operating systems and software patched is the best way to prevent damage from attacks.

Patch management is a notoriously labor intensive and thankless process, but as NSS Labs recently noted in a report it’s one of the most important steps IT can take to protect its users.

Moving forward, though, the online advertising industry had better not just brush this one under the rug because of its current relatively low incidence rate. With all of the concerns about privacy in the online space, the last thing that needs to be put in the mind of “Joe Internet User” is that the ad they are clicking on could trigger malware that will put them at risk. If that becomes a real concern, then the effectiveness of online ads will diminish and there will be some pretty disappointed folks who are banking on advertising to keep them in the black rather than seeing red.

Are you concerned about this? Does this impact how you will look at ad networks? Will you wait until it’s an epidemic before it is real to you? Let us know.