When visitors to The New York Times website began falling victim to a fake anti-virus ad that attempted to install malware on readers' computers, some, myself included, suspected that the ad was probably being served through an ad network.
According to The Times, about half of the ads that are served on its website come from ad networks and they are an obvious target for scammers looking to distribute rogue ads that deliver malware.
But as it turns out, the rogue ad that was wreaking havoc with some Times readers was actually sold by The New York Times itself.
As Ashlee Vance of The Times details in an article on the matter, a scammer masquerading as VoIP company Vonage purchased ad inventory from The Times. Since The Times has sold ads to Vonage in the past, it allowed the scammer to serve up the ads from a third party ad server that had not been vetted. For a while, real Vonage ads were displayed but as early as late Friday the scammer switched the ads on the third party ad server to spread a rogue ad promoting fake anti-virus software.
While malware posing as anti-virus software and rogue ads are nothing new, the attack against New York Times readers is notable. It affected enough people to attract attention and the scammers were brazen enough to actually purchase advertising directly from The Times itself despite, as Vance points out, the inherent risks involved.
The incident highlights several things:
- The increasingly sophisticated nature of online crime. It's a safe bet that the scammers who targeted The Times are not amateurs. That online criminals would buy advertising from a brand publisher and serve legitimate ads for some time hints at the lengths scammers will go to hook more victims. The reason is obvious: cybercrime is big business.
- The difficulty publishers have in protecting themselves and their users. It's apparent from Vance's description of the events that transpired this weekend that publishers are extremely vulnerable in part because selling and displaying advertising is fairly complex and often involves many parties. Tracking down a rogue ad and identifying where it is being served from seems easy at first. But when you have direct relationships with potentially hundreds of advertisers at any given time and then have relationships with multiple ad networks that are serving ads for potentially hundreds or thousands of campaigns, it's no surprise that tracking down the source of this attack was so difficult.
So what are publishers to do?
To start, the best offense is always a good defense. Vetting ad buys and where ads are being served from is a good idea. According to Times spokeswoman Diane McNulty, the company "will not allow any advertiser to use unfamiliar third-party vendors" going forward.
And while The Times wasn't the victim of a rogue ad from an ad network, ad networks need to be evaluated carefully:
- Less may be more. In my opinion, many publishers use too many ad networks and I'm not sure it's usually necessary. From a security standpoint, the chances of something bad happening increase as you add more third party code to your site and this includes ad network code.
- Due diligence is required. Most ad networks rely on other networks to fill inventory they can't move. You can see where this leads when it comes to the possibility of rogue ads finding their way onto a site. That's why it's so important for publishers to understand how their ad networks operate and who they work with. With this information, better decisions can be made (for instance many ad networks let you serve your own defaults if you choose and this may be a better option that being paid pennies for remnant ads).
The internet isn't a safe place. From your WordPress installation to the ads you serve, scammers are looking for ways to piggyback on your audience to do their dirty work and you can't let your guard down if you hope to repel them.
Photo credit: CarbonNYC via Flickr.