Malvertising is short for “malicious online advertising”, and it’s a pernicious problem.
Simply put, it’s a way for crooks to infect innocent visitors via your website, to poison your website’s online reputation, and to trash your brand…
…without going anywhere near your servers, and without tripping any alarms on your own network.
All the crooks do is buy ad space from an ad network and start placing ads – because ads, very loosely speaking, are tiny little web pages of their own that appear in ad-sized windows on other people’s websites.
You can probably see where this is going.
Once the ads are up and running, the crooks start sneaking booby-trapped, malware-delivering ads into the mix.
And with that, they’ve as good as infected your website, and potentially infected hundreds or thousands of other websites at the same time.
Every so often, your web property will pull an ad from the affected ad network, and once in a while the ad that appears will be an infected one, and one of your visitors will be put right in harm’s way.
Technically, the ad didn’t come from you, but that’s cold comfort to the afflicted visitor.
Your website’s URL is in the address bar; your organisation’s logo is at the top left corner of the web page; and your brand is left to shoulder the blame.
Also, infected ads appear irregularly, which makes them hard to detect and even harder to track down.
This, in turn, only adds to the sort of security confusion that helps the crooks.
Even mainstream sites – sites that you’d never get into trouble for browsing at work, because they’re well-known sites with useful content – can fall victim to malvertising.
This week’s news is that at least the BBC, Newsweek, The New York Times and MSN were affected over the weekend.
So it’s certainly the sort of problem that could happen to you!
What to do?
Malvertising isn’t something that technology alone can fix.
That’s because it’s woven into the battle between adblockers (many of which aim to suppress ads outright, for a variety of reasons) and ad-sponsored websites (some of which argue that adblockers are crushing the value of free content, if that’s not an oxymoron).
Why not listen to the recording of yesterday’s Security SOS webinar, where Sophos security expert John Shier discusses the problem, and some possible solutions, in a clear and very balanced way?
Notes for listeners. This webinar is part of our Security SOS series, running all this week. Unlike traditional webinars with 30-45 minutes of PowerPoint slides delivered in the style of a conference presentation, these are more like a half-hour BBC Radio 4 or NPR science programme. There are no product demos and no sales pitches. Instead we present a chance to listen to a Sophos expert talking in a refreshingly jargon-free style about topics that are a personal passion, rather than just a “day job.”