Online criminals are looking to infect your computer and they’re increasingly turning to online ads to deliver malicious software.
The New York Times was recently hit by a sophisticated scam in which criminals pretended to purchase ads for a well-known, legitimate brand, only to later serve an ad hawking fake anti-virus software laced with malware.
And this past weekend, popular websites such as the Drudge Report, Horoscope.com and Lyrics.com fell victim to a similar attack that targeted three ad networks: Google DoubleClick, YieldManager and ValueClick Fastclick.
The malicious ads served were far more dangerous than those that affected The New York Times. These ads directly attempted to infect unsuspecting users with a trojan contained in a PDF document that was popped up in a stealthy browser window. Users with an out-of-date (and vulnerable) version of Adobe Acrobat Reader were at risk, and according to security vendor ScanSafe, only three of the 41 anti-virus products it tested were able to detect the malware.
The attack appears to have been widespread: from Saturday to Monday, ScanSafe reports that the ad attack accounted for 11% of the pages it blocked. Needless to say, it’s pretty likely that users were infected and some probably still don’t even know it.
Which leads to the obvious question: as these attacks grow in popularity with criminals because of their apparent effectiveness, how long will it be before we see the first lawsuits filed against ad networks and/or online publishers over these attacks?
I’m no lawyer but the ad networks in particular seem like a juicy target. After all, it would seem that somebody is going to eventually scream “Negligence!” over malicious ads that slip into these networks somehow undetected. Is this a case of sophisticated scammers outwitting ad network security measures or are the ad networks asleep at the wheel? In my opinion, it’s probably a bit of both. But in today’s highly litigious society, I’m sure at least one attorney will see potential in arguing the latter.
The implications are potentially significant. Some of the largest ad networks would obviously be juicy targets for attorneys. For publishers, it’s unclear what recourse they might have if they’re sued or suffer a loss of reputation because of an ad network’s failure to block malicious ads. Most ad network agreements have clauses that seek to limit the ad network’s liability.
This whole subject could be very messy. None of this is to say that lawsuits targeting ad networks or publishers over malicious ads would stick, but defending against a lawsuit is expensive regardless.
Again, I’m not a lawyer and I don’t even play one on TV. But if ad networks cannot control the ads they display and publishers don’t demand more from the ad networks they employ, and users are legitimately harmed because of it, it’s not a stretch to assume that someone will eventually try to pin the blame on them.