Security Review: Online Advertisers

By petermil at 9:43 pm on February 6, 2009Comments Off on Security Review: Online Advertisers

Online advertisement is the lifeblood of the internet.  Without it, sites such as Facebook, Myspace, Google, etc. would go out of business. Approximately a year ago, Google alone reached over 1.1 billion unique users in a month(see 1)–and they had only 35% of the market at that point; this does not however imply that advertisers were reaching 3.14 billion users, as most top advertisers would reach the same users [note that Google also owns the #2, doubleclick].

With most major sites tied to the success of advertisers, there comes a tradeoff between appeasing advertisers and appeasing users.  The sites which appease advertisers impose interstitials, spyware, and popups.  By doing so, they increase the revenue advertisers are willing to pay, and they hope that their content is sufficiently interesting that users will wade through the ads regardless.  Other sites attempt to appease the users, and keep ads as unintrusive as possible, hoping that they will get more users due to the superior user experience, and that users will investigate ads because they care about the funding of the site and out of genuine interest in the ad.  The advertisers we are interested in here are the first category.

Security Goals

  • Advertisement should not harm the user passively (example: user opens page, spyware automatically installed)
  • Advertisement should not harm the user actively (i.e., the user clicks the ad and something bad happens)
  • Advertisement should not hijack space against the desire of the site owner (example (from 2): picture)

Adversaries and Threats

  • Malicious advertisers

Typically, these advertisers will be interested in installing adware/spyware/malware on a user’s computer.  This software will generally be responsible for browser hijacks, unexplained popup ads, and sometimes even credit card/identity theft.  A malicious advertiser is defined here as someone who commits these acts against the wish of the vendor and publisher.  Typically such an advertiser can only get away with such acts until the vendor or publisher is notified and takes actions to remedy it.

  • Malicious publishers

This is where a publisher deliberately puts spyware, or other harmful software, on their site with the goal of infecting their users.  They will expect to get a cut of whatever money is made due to such actions.  This can be very difficult to predict, as a site may be benevolent until it runs into financial difficulties, or the user gets tired and wants to move on, but not before maximizing profits.

  • Malicious vendors

This is less of an issue for those going with major vendors such as AdWords, but if a publisher chooses to use a small-scale advertising site, then they may run into a vendor who voluntarily uses such tactics as described above.

  • Malicious Third Parties

Here, a third party is anyone not involved in the advertisement process.  A virus writer who sends out e-mails with a virus which infects people with malware which hijacks google.com when the user tries to search would be an example of a third party.

Potential Weaknesses

  • Most sites give a limited amount of ability for users to provide feedback about advertisement–if an advertiser is infecting people with malware, it may take some time for it to be known and remedied.  In the meantime, countless users may be infected.
  • Browser holes are common.  By utilizing one of these holes, a user may be silently infected.
  • Ads can be difficult to reproduce.  They are randomly rotated, so merely linking to a page on which one got infected gives no guarantee that the investigator will see the same ad which caused the infection, leading him/her to believe it was a false report.
  • Third parties are good at infecting people.  This can be shown by how many people get viruses through merely opening attachments, for example.
  • Publishers are not very accountable for their actions.  Generally speaking, the worst that will happen to a publisher is that he/she will lose the userbase of the site.  Legal action is nearly unheard of, and so there is little at stake for the publisher who merely wants to make a quick buck and move on.

Defenses

  • Ensure that browsers/operating systems are up to date.  A fully updated user is rarely the user who gets targeted–most infections are due to vulnerabilities for which a patch already exists (not all, obviously).
  • Use an adblocking extension which prevents content from loading off known advertising domains.
  • Use firewalls/anti-virus.
  • Allow users to complain directly to the vendor about ads instead of requiring the publisher to do so (obviously, this step only works for malicious advertisers, not malicious publishers/vendors).
  • Only allow pre-screened (by the publisher) ads to appear. Unfortunately, this may severely limit the strength of the advertising, and requires a benevolent vendor/observant publisher.

The Future

With the current major browsers, most security threats can be blocked by fully updating them and using intelligent browsing habits.  The main risk is for those who either a) trust the publisher too much or b) are not careful users (the kind of people who see a download for a “toolbar required to display the content” and decide to download it, then end up infected).

It seems unlikely that online advertising will significantly change in the future.  There will be new technologies which can be exploited and new vulnerabilities, but online advertising is here to stay as the future of the internet.  Despite the backing-off of many advertisers with the weakening economy, advertising still remains a strong industry overall.  Major companies such as Google are relatively restricted ethically, due to their ease of accountability and need to maintain a reasonable public image.  Smaller vendors will remain the primary risk, due to their lack of concern about public relations and potential for lack of adequate staffing (leading to malicious advertisers having a long run).

Terms Used:

interstitial – a page (almost always advertising) which appears instead of the expected content.  The user is usually automatically forwarded after a certain amount of time, or he/she can click on a link which leads to the expected page.

publisher the site on which the ad is served.  So, if an ad appears on mysite.com, then mysite.com is the publisher.

vendorthe company responsible for connecting advertiser and publisher.  Google Adwords is a major vendor.

Sources:

1: Attributor

2: Ben Edelman

Filed under: Security ReviewsComments Off on Security Review: Online Advertisers

Comments are closed.