Media Kit
In the News

Home > News > 2010 > 5 tips for preventing malvertising

5 tips for preventing malvertising
November 03, 2010
View the Article


  • Understanding the vulnerabilities of your own website allows you to put up a strong defense
  • Take the time to identify the third-party risks on your website and discuss these vulnerabilities with the security team in your organization
  • If it sounds too good to be true, it probably is

Malvertising -- the practice of using online advertisements to deliver malware to end users -- is of growing concern. Studies have shown that more than 1 million sites were compromised the second quarter of this year alone.

Dasient writes:

"In Q2 2010, we estimate that 1.3 million web sites were infected, based on data from our telemetry systems. Q2 was the first quarter in history for which we believe that over one million web sites were infected in a three month time period."

Stopping badvertisers is an ongoing process: learning and networking, utilizing technology and systems, and managing relationships across competitive lines. Malvertising -- or the prevention thereof -- is currently one of the industry's top priorities. Many publishers and ad networks want to know how to secure their systems. There are several things that online advertising teams can do -- but for starters, let's go over a few basic tips.

Stay informed
Understand the vulnerabilities of your own website. Do you use third-party widgets or applications within your site? Third parties -- including third-party advertising -- are the primary risk to websites. Anything outside your control is at the mercy of being screened and checked by someone else.

Third-party ads open the door to malvertisement risks -- bad banner ads that compromise your site and users. Some of these bad ads can infect users without their action (drive-by downloads). Others scare users into clicking on them by appearing as antivirus warnings (scareware).

Take the time to identify the third-party risks on your website and discuss these vulnerabilities with the security team in your organization. Then, look at the third-party relationships. Do you know and trust these third parties? Do they come from recommended sources?

Be smart about your advertiser and agency relationships
That last-minute ad from a national brand willing to prepay $20,000 for a quick weekend campaign starting tomorrow -- it's tempting, right? If it sounds too good to be true, it probably is. This year, we've seen a spate of rogue advertisers and impostors pretending to represent legitimate brands and agencies. These people go to great lengths to paint a picture of legitimacy. Much has been written recently to expose these methods.

Scrutinize your ad network choices
The same holds true for ad networks. Any large, premium publisher should choose its ad networks wisely and manage relationships closely. Is your ad network employing internal security measures? Is it utilizing third-party vendors to ensure that its network of websites is protected from malvertisements? Premium publishers should engage with four to seven ad networks to ensure that they have the right competitive and content mix. This also ensures that they can optimize their yield and earn the most from every impression without wasting those views on defaults. But more is not always better. Don't scrape the bottom of the barrel to get 10-plus ad networks rotating through your site. Not only do you open up risk with low-end networks, but you also reduce the overall eCPM you earn from your remnant inventory.

Understand the security provided by your third-party ad server
Maintain a close relationship with the security team from your third-party ad server. Ask it to outline how it is staying on top of the malvertising issue. Does it employ a third-party security vendor to screen ad tags? Does it conduct its own background checks, or have a staff dedicated to tackling the problem in-house?

Your ad server technology should not only be a robust, reliable ad serving system -- it should also be a safe one. You should be able to go home at the end of the day knowing your users will remain safe and protected while visiting your site.

Be vigilant
Site owners should also take on the responsibility of screening their own sites for problems. Look at the third-party ads, widgets, and applications. Check the site periodically for scareware and other problems. If you provide a forum for your users, they'll be the first to let you know if there's a problem or if your site has been compromised. Consider using a third-party tag screening vendor (such as The Media Trust) to screen your ad tags.

Finally, establish operations procedures for your ad ops staff to handle an incident if it occurs. Outline the steps to immediately shut off ads. Give your sales team tools to inform you when problems are seen. Set up an escalation path to notify your ad server and ad network(s) if and when a problem arises. The Online Trust Alliance has aggregated a great set of tools and guidelines now available on its website.

It's well worth it to invest time in understanding the space and the vulnerabilities of your own systems. Learning these things now makes the (practically inevitable) mitigation of problems much easier down the road.