Malvertising as a threat to society

According to a report, malvertising attacks are up 300% last year [1]. Malvertising is where malware is delivered either targeted or untargeted to a user device at any scale. Malware is intimately connected with cyberbreaches, causing damages of up to US$1 trillion per year[2]. One example of a malvertising attack affecting regular internet users is where Ransomware is delivered through an online advertisement. It is not uncommon for such attacks to involve premium publishers such as MSN,, the New York Times, AOL, Newsweek[3].

Because malware is intimately connected with cyberbreaches and damages thereof, and malvertising is rapidly becoming the primary means of spreading malware, the connection between the gargantuan damages caused by cyberbreaches and malvertising is hard to argue. This aspect was widely covered in a speech I gave on the Global Marketer Week public affairs day last week[4] titled Thank you for Ad Blocking”. Since posting it online, it has been read by tens of thousands of people and includes an extensive list of references covering the topic.

In a recent announcement [5], IAB Sweden vows to take an aggressive counter position by blocking users from their right to keep their devices, and together with their devices the Swedish society, secure.

Screen Shot 2016-06-04 at 05.42.47

Because of this initiative, I had today called Charlotte Thur who is heading IAB Sweden, hoping that she would be open to discuss her position in the matter. While for right to privacy reasons I can not record such a phone call without letting her know, I will try below to transcribe the key comments she made, together with an overview of the rest of the conversation.

When greed of a small group of companies takes over the interest of a nation state

First I went on to introduce my position and referenced to how malvertising and espionage are a major concern for us in the ad blocking discussion, and how without addressing nth-party tracking [6] first, trying to stop or reduce ad blocker usage in anyway is promoting privacy violations, espionage, and cybercrime through its connection with ad fraud, another major threat for a civil society. I also explained that I understood that she might not have all the information we do, and that I had no intention to point a finger at her in this matter, but simply to try to help her to see the matter more holistically.

She went on to convince me that she works with the best lawyers and experts who have all the required information and expertice that justify her taking the position she has in the matter taken on behalf of IAB Sweden and her members. I responded by saying that it will be trivial for me or others to evidence that her suggested course of action is directly against the interest of Swedish tax payers and that it would end up causing hard to Sweden’s national security. I also emphasised how others would potentially look at Sweden, considering it as a fair and sensible society, and possibly validate their own actions based on those of Sweden.

The rest of the conversation played out more or less like this:

Charlotta: we are not forcing the user to anything, we’re simply giving them the option to pay something for the content, or if they want to get it for free, to see the ads. 

Me: I understand that but if you are trying to convey users to turn off ad blockers, there is nothing to protect them from all the malware that is delivered with the ads. 

Charlotta: today we have a business model and we have to defend it. Where will the money come from if its not coming from ads? If we don’t do something, soon there will be no websites left, and I guess then we don’t have the whole problem also [laughs].

Me: but it’s your business model that is causing a serious security problem where malware is being delivered inside ads on your (publisher) members’ websites 

Charlotta: I have not heard about anything like this. When we asked consumers for reasons why they use ad blockers, nothing like this was in their responses. 

Me: is that because you were doing it through a structured survey where you did not have an option where they could say they are doing it to keep their devices safe? 

Charlotta: I…I have to run to a meeting now, if you have some evidence to support your claims about malvertising, you can send it to my email. 

Me: So are you saying that you have not seen any research or evidence about malware being delivered through ads? 

Charlotta: No I have not. 

Me: Ok, that explains a lot. How can you be taking such a strong position in this matter if you have not even look at all the aspects of the matter. Malvertising is related to cybercrime and the national security of your country!

Charlotta: I hope we will be successful, if this was a bad thing, then we have made a mistake. But we have to try this, we can’t just sit down. 

Me: But you clearly have not looked at all the research on this topic, how can you go on with your program when you even you yourself admit that you have not looked at any malvertising related research? 

Charlotta: So you think ad blocking is ok? Have you talked about this with Finland IAB, how about Denmark IAB, what are they saying about this? 

Me: We have a global concern for internet users’ rights and the security of the society. I have not been speaking with them (the IAB countries she mentioned) because they are not doing what you are doing. Also as I told you, we don’t work with the vendors, I’m just calling you to try to help you to understand that you are making a mistake. 

Charlotta: I’m going to hang up the phone now, I have to go to a meeting. We will not work together with you on ad blocking, that’s for sure. [chuckle] 

And so the conversation ended.

I did not have the chance to say it, but if I did, the key point I wanted to make is — If you do continue trying to block ad blocking without addressing the underlying security issues that are caused irresponsibility of your members, later you might and very likely will be indicted for your part in forcefully imposing espionage and malware on internet user. In the meantime, please remember that while you are engaging in ad blocking blocking activities, you are making your society less secure than those societies who do not allow such inconsiderate and dangerous behavior as that of yours. And yes, I get it that you don’t understand that this is the case, which also clearly suggest you should not take forceful action before you have carefully evaluated the meaning of these claims and the associated evidence.

Caution is advised to IAB leadership and board members

If you think that taking the kind of action IAB Sweden is taking will help your members, consider that research by Sophos found that 78% of their readers would stop coming to the site if it tried to block ad blocking and only 12% would turn it off [7].

While causing your members to lose their readers, and having them start seeking ad-free alternatives (and we all know there are plenty to be found), it does not compare to the risk of being part of an indictment where the charges relate to intentionally increasing cybercrime and worsening the national security of your country. Not to mention dealing with massive class-action suits where millions of internet users come together to claim remedy for being infected with Ransomware and other malicious codes because of having stopped using ad blockers on your request.

Instead, you should put all of your focus and resources towards making sure that your members, publishers and advertising technology companies, clean up the mess that is acting as cause to the current malware epidemic, and the threat to the civil society it posing.


About the Author

Leave a Comment:

(1) comment

Mr WordPress March 17, 2016

Hi, this is a comment.
To delete a comment, just log in and view the post's comments. There you will have the option to edit or delete them.

Add Your Reply

Leave a Comment: