Chapter 6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West

Benjamin Edelman

Read the news of recent computer security guffaws, and it’s striking how many problems stem from online advertising. Advertising is the bedrock of websites that are provided without charge to end users, so advertising is everywhere. But advertising security gaps are equally widespread: from “malvertisement” banner ads pushing rogue anti-spyware software, to click fraud, to spyware and adware, the security lapses of online advertising are striking.

During the past five years, I have uncovered hundreds of online advertising scams defrauding thousands of users—not to mention all the Web’s top merchants. This chapter summarizes some of what I’ve found, and what users and advertisers can do to protect themselves.

Attacks on Users

Users are the first victims—and typically the most direct ones—of online advertising attacks. From deceptive pop-up ads to full-fledged browser exploits, users suffer the direct costs of cleanup. This section looks at some of the culprits.

Exploit-Laden Banner Ads

In March 2004, spam-king-turned-spyware-pusher Sanford Wallace found a way to install software on users’ computers without users’ permission. Wallace turned to security vulnerabilities—defects in Windows, Internet Explorer, or other software on a user’s computer—that let Wallace take control of a user’s computer without the user granting consent. Earlier intruders had to persuade users to click on an executable ...

Get Beautiful Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.