> News > 2010
> 5 tips for preventing malvertising
5 tips for preventing malvertising
November 03, 2010
- Understanding the vulnerabilities of your
own website allows you to put up a strong defense
- Take the time to identify the third-party
risks on your website and discuss these vulnerabilities
with the security team in your organization
- If it sounds too good to be true, it probably
Malvertising -- the practice of using online
advertisements to deliver malware to end users
-- is of growing concern. Studies have shown that
more than 1 million sites were compromised the
second quarter of this year alone.
"In Q2 2010, we estimate that 1.3 million
web sites were infected, based on data from our
telemetry systems. Q2 was the first quarter in
history for which we believe that over one million
web sites were infected in a three month time
Stopping badvertisers is an ongoing process:
learning and networking, utilizing technology
and systems, and managing relationships across
competitive lines. Malvertising -- or the prevention
thereof -- is currently one of the industry's
top priorities. Many publishers and ad networks
want to know how to secure their systems. There
are several things that online advertising teams
can do -- but for starters, let's go over a few
Understand the vulnerabilities of your own website.
Do you use third-party widgets or applications
within your site? Third parties -- including third-party
advertising -- are the primary risk to websites.
Anything outside your control is at the mercy
of being screened and checked by someone else.
Third-party ads open the door to malvertisement
risks -- bad banner ads that compromise your site
and users. Some of these bad ads can infect users
without their action (drive-by downloads). Others
scare users into clicking on them by appearing
as antivirus warnings (scareware).
Take the time to identify the third-party risks
on your website and discuss these vulnerabilities
with the security team in your organization. Then,
look at the third-party relationships. Do you
know and trust these third parties? Do they come
from recommended sources?
Be smart about your advertiser and agency
That last-minute ad from a national brand willing
to prepay $20,000 for a quick weekend campaign
starting tomorrow -- it's tempting, right? If
it sounds too good to be true, it probably is.
This year, we've seen a spate of rogue advertisers
and impostors pretending to represent legitimate
brands and agencies. These people go to great
lengths to paint a picture of legitimacy. Much
has been written recently to expose these methods.
Scrutinize your ad network choices
The same holds true for ad networks. Any large,
premium publisher should choose its ad networks
wisely and manage relationships closely. Is your
ad network employing internal security measures?
Is it utilizing third-party vendors to ensure
that its network of websites is protected from
malvertisements? Premium publishers should engage
with four to seven ad networks to ensure that
they have the right competitive and content mix.
This also ensures that they can optimize their
yield and earn the most from every impression
without wasting those views on defaults. But more
is not always better. Don't scrape the bottom
of the barrel to get 10-plus ad networks rotating
through your site. Not only do you open up risk
with low-end networks, but you also reduce the
overall eCPM you earn from your remnant inventory.
Understand the security provided by your
third-party ad server
Maintain a close relationship with the security
team from your third-party ad server. Ask it to
outline how it is staying on top of the malvertising
issue. Does it employ a third-party security vendor
to screen ad tags? Does it conduct its own background
checks, or have a staff dedicated to tackling
the problem in-house?
Your ad server technology should not only be
a robust, reliable ad serving system -- it should
also be a safe one. You should be able to go home
at the end of the day knowing your users will
remain safe and protected while visiting your
Site owners should also take on the responsibility
of screening their own sites for problems. Look
at the third-party ads, widgets, and applications.
Check the site periodically for scareware and
other problems. If you provide a forum for your
users, they'll be the first to let you know if
there's a problem or if your site has been compromised.
Consider using a third-party tag screening vendor
(such as The Media Trust) to screen your ad tags.
Finally, establish operations procedures for
your ad ops staff to handle an incident if it
occurs. Outline the steps to immediately shut
off ads. Give your sales team tools to inform
you when problems are seen. Set up an escalation
path to notify your ad server and ad network(s)
if and when a problem arises. The Online Trust
Alliance has aggregated a great set of tools and
guidelines now available on its website.
It's well worth it to invest time in understanding
the space and the vulnerabilities of your own
systems. Learning these things now makes the (practically
inevitable) mitigation of problems much easier
down the road.