Publisher Beware is Lesson From Right Media’s Malvertising Incident

Recently, Avast Anti-Virus released a report claiming that Yahoo’s Right Media YieldManager is the leading distributor of “malvertising”. Malvertising is malware that exploits holes in the web applications used to deliver web ads from the big ad delivery platforms. Yahoo! is not alone: malware was also found to be served by Fox Audience Network’s Fimserve.com, Google’s DoubleClick, and MySpace.

Visitors to sites like The New York Times, The Drudge Report, TechCrunch, and many others found their computers infected with a trojan that looks for vulnerabilities in Java, QuickTime, and multiple Adobe products. Even security-savvy surfers were not protected, as computers were infected once the ad loaded, not when the ad was clicked.

Once the dust settled, the finger pointing began. According to a CNET interview with Avast researcher Jiri Sejtko, the malware is a Trojan JavaScript form that targets the Windows operating system. Sejtko said that of the ad networks impacted by the Trojan, dubbed JS:Prontexi, only DoubleClick took proactive measures against it.

“The Google portion of JS:Prontexi is quite small and has gotten visibly even smaller as they have taken steps to improve the situation. That is not the case with Yahoo and Fox.”

Right Media VP Bennie Smith responded to his network being accused of serving up malicious ads on TechCrunch:

“Partnering with a third-party ad network is a good thing, but you can’t remove all the risk and shift all the responsibility to the ad network…The user is coming to your site, not to the ad network. The primary responsibility still resides with you.”

That’s right. According to Smith, it’s the publisher’s fault that applications they have no control over are serving up malware.

Working in web security, I have seen plenty of web applications that are vulnerable to attacks. If I run a blog that is powered by WordPress, then I need to do everything I can to secure it. If a plug-in has known vulnerabilities, I have to either look for a patch, disable it, or replace it.

However, unlike the blog example above, publishers have no way of working with the applications that run these ad networks to better secure them. Instead, they have to trust that the ad manager they are running on their site has been secured. They have to trust that the advertisements have gone through some type of review to ensure that they are not delivering malicious code to the visitors.

Unfortunately for the publishers, when their site infects a visitor, the visitor doesn’t blame the ad manager. They blame the web site. If my computer was infected after visiting TechCrunch, I am going to stop visiting. If The Drudge Report is flagged as unsafe, then I will go elsewhere.

Maybe publishers do need to take the initiative. To protect their visitors, perhaps they need to look at which ad networks are doing everything they can to prevent the spread of malware through their network. Ask them questions like:

•    What is the review process for ensuring an ad does not contain malware?
•    What is done to ensure that attackers cannot exploit the code of legitimate ads?
•    Is there a web application firewall in place to inspect web layer traffic?
•    When was the last time your application underwent a code review?
•    Who do I contact if I suspect an ad is serving malware to my visitors?
•    What will you do if your network serves ads on my site that contain malware?

If your questions can’t be answered to your satisfaction, maybe it is time to take responsibility and look for a new ad network, one that is willing to make sure your reputation isn’t damaged by the content they serve on your web site.

About Jeff Orloff

Jeff Orloff is a freelance technology writer and consultant with Sequoia Media, Inc. (http://www.sequoiamediaservices.com). When he is not in front of a computer, he can be found coaching little league baseball.

You can find Jeff on Twitter: @jeorl.