Malvertizements: web sites versus advertising networks and who we can blame....

As we know, malvertizements have been discovered at 123greetings.com not once, not twice, but three times that I know of and, to add insult to injury, two of the malvertizements were *visually identical* to each other, which makes me wonder just what checks and balances are in place at 123greetings.com to protect its visitors from malvertizements.

Several comments have been made on my blog about the problems revealed by recurring incidents such as 123greetings.com.  For example, a gentleman whom I respect very much, Alun, says:

"It seems to me that if anyone's getting free passes, it's not the web site on which you see the advert, but the advertising agency which approves the campaigns hosted on that site. ... I think that the group that should be scanning the adverts, as they are originally uploaded, and at regular intervals, is the media hoster - in this case, that would appear to be 247realmedia.com - "24/7 Real Media". Why are they still accepting and hosting these malicious adverts?"

Laureli says:

"part of the responsibility should rest with the site itself, and that may result in using different advertising agencies.  it seems like companies should take steps to avoid distributing malware to their users."

I think it is worthwhile examining some of the "behind the scenes" reality that we (those of us who fight malvertizements, the advertising networks, and the victim web sites) have to deal with day to day.  Please understand that I am not making excuses; my goal is to highlight the problems that we face.

Ok, so first, let's look at Alun's comment (forgive me, friend, for singling you out here):


"Why are they still (24/7 Real Media) accepting and hosting these malicious advertisements?"

Here is a short explanation (and please let me stress that this is not specific to 24/7 Real Media):  Basically there are two main ways that advertisements appear on a web page.  The first way is that a web site will go to an advertising network and say "I want advertising, give me some".  Invariably there will be some ability to pick and choose the advertising content, but for the most part, the network provides the advertising content.  The web site trusts the advertising network to provide clean content.

The second way is when a web site selects and manages its own advertising content.  It will "licence" infrastructure and software from an advertising network, and then upload its own advertising.  In this case the advertising network trusts the web site to upload clean content and the advertising network does not own or manage, and therefore cannot control, the content.  This second scenario is by far the most common reason why we see malvertizements being distributed by reputable advertising networks.

I have encountered the second situation more times than I care to count and, unfortunately, whenever I have encountered the situation, no matter who the network is, the answer is always the same:

"We don't own the content; we can't do anything; all we can do is write to the web site's administrator and ask them to remove the advertisement"

At worst, I have seen a delay of more than two weeks while I, first of all, convince the advertising network that I know what the hell I am talking about, and second, while they then try to contact the web site administrator and convince them to take down the malicious advertisement.

That being said, *sometimes* a victim advertising network (and they are victims as well) will take steps to neutralize a malvertizement even when they do not own the actual content, for example when the malvertizement hit Blick.

The Blick incident was *big* news in Switzerland - in fact, the entire incident became bigger than Ben Hur - and it may have been the fact of the publicity that forced the advertising network, nine.ch, to act.  Even then, they did not delete the malvertizement.  Instead they (to use their own words) "firewalled" it.  The guilty parties ended up leaving nine.ch and moving on to a couple of other hosts before coming to rest at their only safe harbour at the time, Securehost.

When a web site manages, controls and uploads its own advertising content then, historically, there is not much that the host network can do UNLESS there is a history of past incidents that the advertising network can use - kind of like Baseball's "three strikes and you're out" rule.

Yeah yeah, I know, if the advertisement was for, for example, "kiddy p04n", general p04n0graphy or other illegal content then it would invariably be immediately shut down... but the reality is that when it comes to malvertizements the *visual content* is not illegal - visually it is harmless - and the *legal* backup available to advertising networks is limited.  There are moves afoot to make advertising networks legally responsible for malvertizements (once they are made aware of the malvertizement behaviour), but until the advertising networks have such legal pressure behind them (I actually call it "legal support") then, realistically, there isn't much they can do.


"It seems like companies should take steps to avoid distributing malware to their users"

As I have said over and over and over on this blog, the malvertizements are coded to *exclude* particular IP addresses, cities, States and even entire countries.  It is standard operating procedure for a malvertizement to be coded so that it will NOT trigger a redirect if displayed on a computer within the IP range of the victim web site or victim advertising network.

When we remember this, we have to ask ourselves just what the administrator of a web site is meant to do.  The big advertising networks themselves *are* fighting back.  They have the technology, the infrastructure and the money to be able to analyse the creatives that *they* accept and distribute.  Individual web sites do not have such an ability.

The whole charm of the Internet, a basic cornerstone of its success, is that *anybody* can participate.  Anybody can set up a web site and turn it into a business.  But, that being said, if we want to keep the richness of the Internet we also have to accept that the people who run these sites are "babes in the wood" when it comes to malvertizements.

I do *NOT* want the Internet to turn into a world where you cannot set up a web site unless you meet a minimum educational standard.  I do NOT want the Internet to turn into a world where we can only accept advertisements if we have the expertise to decompile and analyze SWF code.


So, what do we do?

Many people have suggested that all advertisements should be blocked using something like a specialized HOSTS file.  Others have said that we should simply delete Flash from all computers and avoid the problem that way.  I can't agree with either suggestion.

If there is one cornerstone that I have always stood on, it is that every (wo)man deserves their wage.  I will never agree to a wholesale blocking of advertising.  I don't want the Internet to turn into a place where you can only view a web site if you pay first, and all of us deserve the chance to earn an income, damn it.

Deleting Flash from all computers is a more interesting idea (yes, I still say that Flash is the Typhoid Mary of the Internet).  But, that being said, what does deleting Flash achieve?  What do we learn?  What security improvements are made?  What about those of us who *need* Flash for various reasons?

I *know* that the major advertising networks are trying to educate their clients - to teach them about the dangers that they face - but we're facing an uphill battle.

Services such as Adopstools are relatively new, yet essential to the fight against malvertizements.  Why?  Because Adopstools *AUTOMATES* analysis.  And it is only by *automating* the security process that we will be able to make a real difference (at least for so long as Adobe fails to do something, if only giving the end user the ability to turn off the functionality that allows the malvertizements to hijack us in the first place).
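To make the "automate the analysis" point concrete (and the earlier point that nobody should have to hand-decompile SWF code), here is an added example in Python; it is not the page's code and not Adopstools' code. It is a minimal static scanner for FWS (uncompressed) and CWS (zlib-compressed) SWF creatives that walks the tag list, pulls the URLs named in ActionScript 1/2 GetURL and GetURL2 actions, and flags DoABC (ActionScript 3) tags, which need a bytecode-level analyser instead. The function names and the sample creative it builds (with a placeholder URL) are constructed for this example and are not a real ad.

```python
import struct
import zlib

DO_ACTION, DO_ABC = 12, 82                                   # SWF tag codes
ACTION_GET_URL, ACTION_PUSH, ACTION_GET_URL2 = 0x83, 0x96, 0x9A

def action_urls(body):  # walk ACTIONRECORDs: GetURL targets and the string pushed before a GetURL2
    urls, pushed, pos = [], [], 0
    while pos < len(body):
        code = body[pos]; pos += 1
        if code == 0:                                        # ActionEndFlag
            break
        if code < 0x80:                                      # short action, no payload
            continue
        length = struct.unpack_from("<H", body, pos)[0]; pos += 2
        data = body[pos:pos + length]; pos += length
        if code == ACTION_GET_URL:                           # payload: url\0 target\0
            urls.append(data.split(b"\x00")[0].decode("latin-1"))
        elif code == ACTION_PUSH and data[:1] == b"\x00":    # type 0 = string literal
            pushed.append(data[1:].split(b"\x00")[0].decode("latin-1"))
        elif code == ACTION_GET_URL2 and pushed:             # URL comes from the stack
            urls.append(pushed[-1])
    return urls

def scan_swf(swf):  # outbound URLs from AS1/2 actions, plus whether AS3 (DoABC) bytecode is present
    if swf[:3] not in (b"FWS", b"CWS"): raise ValueError("not a SWF file")
    body = swf[8:] if swf[:3] == b"FWS" else zlib.decompress(swf[8:])
    nbits = body[0] >> 3                                     # RECT: 5-bit Nbits, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4                       # skip RECT, frame rate, frame count
    urls, has_abc = [], False
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]; pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                                   # long tag header
            length = struct.unpack_from("<I", body, pos)[0]; pos += 4
        data = body[pos:pos + length]; pos += length
        if code == 0:                                        # End tag
            break
        if code == DO_ACTION:
            urls += action_urls(data)
        elif code == DO_ABC:                                 # AS3: needs a bytecode-level analyser
            has_abc = True
    return {"urls": urls, "has_abc": has_abc}

def build_sample_swf(url):  # constructed test creative (not a real ad): one DoAction tag calling getURL(url)
    payload = url.encode() + b"\x00_self\x00"
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(payload)) + payload + b"\x00"
    tag = struct.pack("<H", (DO_ACTION << 6) | len(actions)) + actions   # short header, len < 63
    body = bytes([0x28, 0, 0, 0]) + struct.pack("<HH", 12 << 8, 1) + tag + b"\x00\x00"
    return b"FWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + body
```

A reviewer would compare the extracted URLs against the click-through the advertiser declared before the creative is accepted; the scanner does not evaluate obfuscated or dynamically built ActionScript, so an empty result is a necessary check, not a clearance.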


What does Sandi hope for?

I want Adobe to step up to the plate and give the user the ability to block the functionality that is used to hijack Internet users in the first place.

I want advertising networks to make it compulsory for all clients to run *all* advertising through a service such as Adopstools before it is uploaded and displayed.

I want advertising networks to be able to immediately isolate malvertizements without contacting the client first - and I don't care who "owns" the content.

I want Estdomains/Esthosts and Securehost shut down.


What do YOU want?

I've tried to "braindump" a lot of stuff into this blog entry, and suspect that I have failed dismally.  There are so many nuances, potentials, traps, dangers, and whatnot in this situation.

So let me ask this of you.

Let's say, for example, that your opinion is that "advertising networks should take steps to stop distributing malware".  Please, think deeply about this... consider the problems, the challenges, and ask yourself just *how* we are going to do this.  Because I tell you what: I am considered to be a thought leader in this field, but I am struggling for answers.

Yes we could set up amazing infrastructures that could cope with and analyse the millions of individual advertisements out there ... but if the price to be paid is that "the Internet" is no longer free... if the price is that you must pay to access any site ... would you still want to go down that path?

I can't dump everything I have learned and know via some sort of mysterious osmosis into the brain of my readers and into the brain of every person who wants to run a web site and earn an income from advertising.  There are times when I feel like my head is going to explode... there is so much INFORMATION that I want to get out there... but it would overwhelm my readers.

Please, just *think* about this ... really think about it...  if we block all advertisements Web sites will disappear.... this ain't free folks... somehow, sometime the bandwidth used has to be paid for...

Comments

# re: Malvertizements: web sites versus advertising networks and who we can blame....

Thursday, April 03, 2008 3:52 AM by Conrad Longmore

Rich media ads of all types can cause a problem. In the past ads have been compromised that allow JavaScript... in the future I guess that things like Silverlight can be used in the same way. The malvertisers know that they are on to something and will inevitably keep pushing.

There are some tools that can help, I think some user education is needed.

On a side note - I've done quite a bit of affiliate marketing in my time. For many years there was a serious issue with parasites leeching affiliate commissions, but after a lot of hard work and banging some heads together that particular advertising business is now largely cleaned up. It *is* possible to get marketing people to understand these issues, but it's not necessarily easy.

Remember, the bottom line is cold, hard cash. If an advertising network continually serves up malverts on my site, then I'm not going to use them for long. If ad networks can prove that they are SAFE, then they can pick up more business.

I think you're doing a good job at getting the word out Sandi, but more people are needed! :)