Google Filters Annoying Ads But Does Nothing for Security


Last week, Google began rolling out a new functionality in its Chrome browser that will halt a dozen of some of the web's most irritating advertising formats.

Organizations that don't nix the ads, which include videos that auto-play at high volumes and full-page pop-ups, will be punished. If the offending ads aren't removed within 30 days after they've been flagged, Google will disable all ads on the offending website.

Only Google could have pulled off such a move. The technology giant dominates the search sphere, and nearly 60 percent of web surfers use the company's Chrome browser.

Google's motivation, however, is clear: The company's fortunes are tied to web advertising, which is facing challenges due to the increasing use of ad-blocking software. Globally, 11 percent of users employ ad-blocking software, according to PageFair, an advertising technology company.

But experts say Google's advertising blocking only addresses one aspect of the online advertising ecosystem, and leaves other, arguably more challenging, privacy and security issues unresolved: Namely, cybercriminals have increasingly infiltrated ad networks to distribute their malicious software.

"While intrusive and annoying ads make for a poor browsing experience, I think the most nefarious aspects of the online advertising industry are those not necessarily visible to the naked eye," says Jerome Segura, lead malware intelligence analyst at security firm Malwarebytes. "Trackers, forced redirections and malvertising in general are issues that can have far more impact on users and need to be addressed as well."

Programmatic Sales

Online advertisements are largely bought and sold programmatically, or through automated systems that advertise available inventory and let others bid on placement. The systems involve tens of thousands of companies.

That has provided ample opportunity for cybercriminals for both fraud and malware. The Interactive Advertising Bureau estimated in a November 2015 report that malvertising cost the industry $1.1 billion in lost revenue and recovery from incidents while bot-related traffic caused $4.6 billion in losses.

Malvertising involves seeding a harmful ad into a distribution network where it may be delivered broadly across the web. Top websites have been caught delivering advertisements that force people to other harmful websites or deliver malware using exploit kits.

Don't blame websites; they're victims too. And advertising trade groups have long realized the threat that malicious advertisements pose. In October 2016, the Trustworthy Accountability Group released voluntary guidelines for scanning ad content to ensure it does not lead to malware (see Online Ad Industry Threatened by Security Issues).

Craig Spiezle, managing director of AgeLight Advisory Group and chairman emeritus of the Online Trust Alliance, testified before a U.S. Senate subcommittee in 2014 about the hidden hazards of online advertising.

"For nearly a decade I have said that the ad industry is heading towards a trust meltdown," Spiezle tells Information Security Media Group. "I believe we are at this inflection point today."

Botnets And Malware

In November, the Danish advertising technology company Adform revealed a botnet called Hyphbot that fraudulently placed video ads, which often cost the most to place on sites. The group behind Hyphbot had gained access to at least 14 marketplaces and platforms where online ads are sold, Adform said (see Video Ad Fraud Botnet Bags Up to $1.3 Million Daily).

Hyphbot purported to offer video ad inventory on major sites such as The Economist. But the ads were placed on randomly generated domain names, and malware on the compromised endpoints directed users to those domains to view the ads.

The advertising security company Confiant revealed another scheme in January. A group nicknamed Zirconium created 28 fake advertising agencies, some of which had business connections with legitimate ad brokers (see Online Advertising: Hackers' Little Helper).

Zirconium placed as many as 1 billion harmful ads that appeared on more than 600 websites. The ads didn't automatically exploit computers but redirected users to scammy sites, which tried to induce victims into taking some action, such as downloading a fake Flash player update.

Lingering Trust Issues

The Electronic Frontier Foundation, a digital rights watchdog, has praised Google's new attempt to eliminate some of the most intrusive online ads. But it says the move falls far short of addressing all of online advertising's ills.

"Google's approach here is a Band-Aid response to the crisis of trust in advertising that leaves massive user privacy issues unaddressed," writes the EFF's Alan Toner. "Whether it's the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves."

Segura says that the ads targeted by Google are far from the only types that have made users turn to ad-blocking software. More work needs to be done to restore users' faith in the industry, he says.

"I'm hoping this is only the first phase of a plan that goes beyond the look and feel of online ads but one that also addresses the multiple privacy and safety concerns plaguing the online advertising industry today," Segura says.