In light of recent high-profile malvertising attacks, the adtech industry finds itself at the center of attention with respect to the ongoing malware epidemic. In this article we cover how the industry itself is, to some extent, what makes malvertising attacks possible.
EIGHT MYTHS ABOUT MALVERTISING
MYTH: the adtech industry, and namely the ad platforms that are used for conducting such attacks, is a victim of malvertising
FACT: not only do ad platforms get paid for delivering malvertising, but due to negligence and structural issues they are a significant reason such attacks are possible in the first place
MYTH: malware enters the ad eco-system because of “hacking” or technological vulnerability of some kind
MYTH: adtech companies are “doing everything they can” to keep malware from entering the internet advertising eco-system
FACT: with few exceptions, adtech companies have changed nothing in order to be more responsible or to address the underlying structural issues
MYTH: there are strict auditing processes that adtech companies adhere to in terms of what can be delivered through their systems
MYTH: bigger publishers are less prone to malvertising attacks than small websites
FACT: malvertising attacks are increasingly focused on major publishers, due to their massive reach, among other possible reasons
MYTH: malvertising is typically delivered through small shady ad networks / exchanges
FACT: malvertising attacks take place through major ad platforms regularly, due to poor policies pertaining to 3rd-party tags and poorly understood redirecting practices
MYTH: malvertising attacks are focused on blindly infecting as many internet users as possible
FACT: malvertising attacks are increasingly focused on attacking specific countries and the major publishers in those countries
MYTH: for a malvertising attack to be effective, the user needs to click the ad or take some other action
FACT: malvertising attacks are delivering ransomware and other types of malware to users’ devices without the user being aware of it
ADTECH’S ROLE IN MALVERTISING
While ‘modern’ malvertising incidents have been reported since 2004, DoubleClick was sued as the actual perpetrator of a large-scale tech support banner ad scam as early as 2003, an attack that can be considered an early form of malvertising. Since 2004 DoubleClick has frequently been reported as being used in malvertising attacks, most recently in March 2016. Such is the track record of the largest, best-resourced and, in terms of related security policy, most responsible company in the adtech eco-system.
Malvertising has been an issue for more than a decade, which illustrates the persistence of the problem on one hand and the inability of the adtech industry to contain it on the other. Yet the shift towards targeting major sites has brought the topic to wider attention only recently. In light of these facts, it seems fair to argue that the self-regulatory efforts of the IAB and its members in this matter have failed, and that further involvement from outside the industry is badly needed to address malvertising as the serious threat to internet users, business and civil society that it presents. In this respect, perhaps the most alarming trend in recent malvertising attacks is the way they target specific nations, for example the UK, the Netherlands and Finland.
Based on a survey conducted by botlab.io, even savvy users rarely know that malvertising can be used to deliver malware to the user’s device without the user being aware of it. Yet the installation of ransomware and other malware on the user’s device, without any action on the user’s part, has become a hallmark of malvertising attacks.