Yesterday I talked about the general way that Internet ads function. But today I want to look at one of the darker aspects of web advertising by looking at how ads spread malware.

Cisco’s Annual Security Report for 2013 provided some pretty amazing statistics about Internet advertising:

• They said that the highest concentration of online security threats are not found on pornography, pharmaceutical or gambling sites, but rather that the most danger today comes from major search engines, retail web pages and social media outlets,
• They said that online shopping sites are 21 times more likely, and search engines are 27 times more like to deliver a malicious piece of software than a counterfeit software site.
• But no threat compares to online advertising, and Internet ads are 182 times more likely to give you a virus as searching the web for porn. (Of course, they didn’t say how the intrepid Cisco researchers made the comparison to porn).

Probably the major culprit of malware in advertising comes from a practice called real-time bidding. When you go to load a web page that has real-time bidding, an ad company like AppNexus (or many others) asks for bids for placing ads on your page. The solicitation gives a quick profile of who you are in terms of age, demographics, geography, etc. The highest bidder then gets the ad space, and this all happens in a flash. The problem with this kind of system is that nobody has time to monitor the ads that are placed and so malicious advertisers gain access to you by bidding the highest. And they don’t have to bid much. It takes only a very tiny fraction of a penny to get an ad placed at one specific user.

The malicious ads don’t look malicious and are usually disguised to look like an ad for some normal company. But the purpose of the malicious ad is to put a piece of code on your computer. The bad news these days is that you don’t have to click on the ad to get the bad software – the act of opening the web page is often enough to activate it.

I run a malware checker regularly and I am amazed at how many pieces of malicious software I get regularly. It is not unusual for my computer to have picked up a hundred pieces of malware within three days after having scrubbed it. I don’t shop much on-line, but I read a lot of articles and I assume that is the source of most of my malware.

According to my malware software, most of the bad things that I pick up are adware, which they define as a piece of code that is gathering and transmitting data about me to the world. These days adware is generally something a little more complex than a cookie. Cookies are somewhat passive files that sit on your machine to tell somebody later that you have already been to a certain web site or something similar. Think of adware as cookies+ in that they gather specific data and either store it for later retrieval or, in the worst cases send it out to the world.

I’d say 99% of what I get is adware with only the occasional more malicious malware, which could be a virus or some other nasty piece of code. But think about what I am getting. I am inadvertently downloading 100 pieces of adware within just a few days, each of which is looking for specific facts about me and reporting back to whoever placed the malware. I am sure that mostly they are tracking the web sites I’ve visited in order to build up a more detailed profile about me. But these little pieces of malware can pick up almost anything else from bank account numbers to passwords.

I think we all understand that half of what is on the web these days is designed to build a profile for each of us. But I don’t think most people realize how intrusive this effort has become. They are not building a profile by slowly studying your web usage. They are spying on your directly to know everything you do. It’s a bit scary when the most dangerous place on the web is a search engine or a major news site that has ads.

Yesterday I talked about ad blocking and perhaps this is what is going to save us from this rash of malicious malware and adware. Certainly if somebody will block all ads to my computer then I can’t be receiving ads with malware. But I would be just as happy if somebody could deliver ads to my machine that are certifiably safe. It doesn’t take a lot of effort for an ad company to test an ad first to make sure it doesn’t leave bad code behind. But that can’t be done in a process where an ad space is advertised and subscribed in milliseconds. This gives the bad guys a really cheap way to get their ads to anybody they want.

So I think Google is onto something with their product that can block all ads. But as I described yesterday, Google is not the last company in the chain between a web site and a user, so I am guessing that even with Google ad blocking that some ads and malware are still introduced after Google has wiped out the first ads. Your ISP is the last entity to touch the data stream coming to your house and thus has the final chance to get rid of malware. I think ISPs might be missing the opportunity to offer better security to their customers by either blocking ads or by making sure that ads are safe.