Online criminals are looking to infect your computer and they're increasingly turning to online ads to deliver malicious software.

The New York Times was recently hit by a sophisticated scam in which criminals pretended to purchase ads for a well-known, legitimate brand, only to later serve an ad hawking fake anti-virus software laced with malware.

And this past weekend, popular websites such as the Drudge Report, Horoscope.com and Lyrics.com fell victim to a similar attack that targeted three ad networks: Google DoubleClick, YieldManager and ValueClick Fastclick.

The malicious ads served were far more dangerous than those that affected The New York Times. These ads directly attempted to infect unsuspecting users with a trojan contained in a PDF document that was popped up in a stealthy browser window. Users with an out-of-date (and vulnerable) version of Adobe Acrobat Reader were at risk and, according to security vendor ScanSafe, only three of the 41 anti-virus products it tested were able to detect the malware.

The attack appears to have been widespread: from Saturday to Monday, ScanSafe reports that the ad attack accounted for 11% of the pages it blocked. Needless to say, it's pretty likely that users were infected and some probably still don't even know it.

Which leads to the obvious question: as these attacks grow in popularity with criminals because of their apparent effectiveness, how long will it be before we see the first lawsuits filed against ad networks and/or online publishers over these attacks?

I'm no lawyer but the ad networks in particular seem like a juicy target. After all, it would seem that somebody is going to eventually scream "Negligence!" over malicious ads that slip into these networks somehow undetected. Is this a case of sophisticated scammers outwitting ad network security measures or are the ad networks asleep at the wheel? In my opinion, it's probably a bit of both. But in today's highly litigious society, I'm sure at least one attorney will see potential in arguing the latter.

The implications are potentially significant. Some of the largest ad networks would obviously be juicy targets for attorneys. For publishers, it's unclear what recourse they might have if they're sued or suffer a loss of reputation because of an ad network's failure to block malicious ads. Most ad network agreements have clauses that seek to limit the ad network's liability.

This whole subject could be very messy and while none of this is to say that lawsuits targeting ad networks or publishers over malicious ads would stick, defending against a lawsuit is expensive regardless. 

Again, I'm not a lawyer and I don't even play one on TV. But if ad networks cannot control the ads they display and publishers don't demand more from the ad networks they employ, and users are legitimately harmed because of it, it's not a stretch to assume that someone will eventually try to pin the blame on them.

Published 25 September, 2009 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy.