Security Experts:

Connect with us

Hi, what are you looking for?



Malware Rising – Attacks Increasing Through Malicious Online Advertising

Malvertising Attacks Continue to Rise. Brands and Consumers Threatened.

Malvertising Attacks Continue to Rise. Brands and Consumers Threatened.

Popular websites, blogs and ad networks are fast becoming the preferred means of cybercriminals, identity thieves, and hackers to steal consumer information and distribute malicious content.

The most common attacks today are made possible by Web site / server hacks, against which publishers, with the exception of their off-site links, are probably best protected, and by user-contributed content, advertising and cross-site widgets.

MalvertisingHowever, virtually none of these Web sites or advertising companies has an effective means to uncover and identify the “drive-by” downloads, malicious software, and other fraudulent content that infect their properties through the plethora of user-contributed pages and the stream of advertising that is added to their sites on a daily basis.

In May, digital advertising technology company, the Rubicon Project, revealed some insight into emerging industry trends and market shifts that occurred in the first quarter of 2010 in its Online Advertising Market Report series.

The report showed that with the continued growth in online advertising, there is also an increasing trend in online threats through “malvertising,” a growing method used to distribute malware via advertising tags served through an unsuspecting publisher’s Web site, blog comments, forums and other forms of user generated content, allowing cybercriminals to create content that used to carry out a wide range of malicious attacks.

Google, in response to the increasing level of threats, setup, a Web site they call an “Investigative Research Engine.” The site, setup in June 2009, checks a variety of independent, third party sites that track possible attempts to distribute malware through advertising and serve as a resource to educating Internet users, ad network operators and publishers about the problems. Google also employs a “Head of Anti-Malvertising,” Eric Davis, who has been in the role since 2008.

“For publishers, advertising is about making money, but malicious ads change the equation. Publishers need better solutions to protect their customers from malvertising and the potential for malicious content on their Web sites,” noted Rob Lipschutz, co-founder and CEO of SiteScout, a company acquired by the Rubicon Project in May 2010 that helps protect publishers against malicious ads and other dangerous Web content. “The advertising ecosystem faces a stiff challenge and the problem is widespread and found in both direct advertising as well as more distributed ad networks. New ad formats also make the problem increasingly complex.”

Many of the digital ad serving platforms being used today were developed over a decade ago and not designed to cope with today’s massive volume of transactions from buyers and sellers around the world, creating a constant stream of new vulnerabilities in the system.

Advertisers and agencies often utilize “third party ad tags”, allowing them to control and monitor their ads which removing the ability for publishers to be able to control what ads are served. With larger publishers, ad networks and exchanges having thousands of different ad tags running at any given time, monitoring all campaigns and creative being served is a challenge. These disparate systems have had no universal quality control because nothing is tied together, driving the need for automation and technology innovation to eradicate the vulnerabilities of this process.

The need is clear for a solution aimed at publishers and advertising companies, the producers of content, rather than end-users, that provides visibility and advanced protection against the new kinds of attacks to prevent direct loss of revenue or risk to brand (leads to loss of revenue). In January, the Rubicon Project launched Rubicon Security, its first foray into protection against malware attacks on publisher customers’ sites. Combined with the acquisition of SiteScout,  the Rubicon Project has established a comprehensive solution to help combat malvertising within its platform.

Dasient, another company that protects businesses from web-based malware attacks, provides a Web Anti-Malware (WAM) service that can automatically identify and quarantine malware on websites, helping businesses avoid losses of traffic, reputation, and revenue.

The issue of malware will only increase as a key risk to publishers’ advertising businesses – and to the consumers driving those businesses – in the months ahead.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.