In February the London Stock Exchange (LSE) came under scrutiny when an advertisement carried on its website was blamed for distributing a virus. Visitors who clicked on the advert could, it was claimed, have allowed malware onto their computers.
But the LSE said there was nothing wrong with its website and it contained no viruses. "We are waiting for Google to update its virus report."
It did, however, issue an e-mail to customers, which read, "Thank you for your e-mail and our apologies that you are having problems accessing our website. Unfortunately a third-party advertising service provider which uses www.londonstockexchange.com has caused Google to display the error message you received. The London Stock Exchange's website itself has no issue and remains unaffected and entirely safe. As a precautionary measure all links to the third-party service provider have since been removed from our website.
The industry has coined the term malvertisement to describe how a virus can be distributed through online advertising. Through malvertisement a site incorporates a malware advert. Online adverts are often hosted on third-party ad servers. The challenge for IT departments is that adverts are designed to entice users to click on them; but there appears to be little control in terms of security for online advertising.
As the LSE example shows, a website's reputation may be put at risk if it displays an infected advert.
Trusteer chief technology officer Amit Klein says the advert is a vehicle to infect the user's PC with any malware of choice. "Malware is written to generate as much revenue as possible from infection. For instance, rogue anti-virus entices users to pay for AV software to clean-up fake threats."
Malvertisments can also infect PCs with financial malware. "This waits in your browser for you to log into your bank and then transfers money out of your account," says Klein.
Facebook and the New York Times have also been affected by malvertisments. Clearly a reputable site running virus-infected adverts may risk damaging its reputation.
Stewart Room, partner at Field Fisher Waterhouse LLP warns that while there are many situations where e-commerce companies enjoy immunity from legal liability, it is possible that UK domestic law will hold an organisation liable to third parties for malware infections.
He says, "Factors that may support liability include a failure to implement appropriate security controls, misleading statements in customer-facing documents, a failure to take mitigating steps (such as breach disclosure) and the general nature of the relationship with the customer. Conversely, you can see how infections resulting from zero-day attacks may influence a different result."
So a site may be regarded as negligent for not taking appropriate security measures. Room says, "It might be appropriate to draw analogies with occupiers liability law, where hazards on the land` resulting from another's actions lead to third-party liability."
MessageLabs, which provides a cloud-based service for filtering web access, categorises users into low, moderate and high risk, depending on the likelihood of them being fooled by online scams, spam phishing and other social engineering attacks. Research from MessageLabs shows that high-risk users are more likely to encounter advertisements and malvertisements, potentially leading to malware infections.
In an office environment, web browsing policies can control which sites a user can access. The risk for corporations is that when a laptop leaves the office, company-wide web filtering becomes more difficult. "Laptop users are more likely to trigger policy blocks on the MessageLabs service. The types of websites being visited by higher risk users tend to be outside policy rules, according to Paul Wood, senior analyst at MessageLabs.
This makes high-risk users vulnerable to being lured in by malicious advertising. "It is easier to crack an ad server than an auction, social media or e-commerce site," he said.
One ad server can service hundreds of trusted websites, which means an infected ad can easily spread onto hundreds of legitimate, trusted sites. "If you are registered on a legitimate site, and you search for products to buy, these details are passed in the background to the ad servers, which present banner ads related to your personal choices. This info could be used by the bad guys," Wood warned.
Given that users are being put at risk if a legitimate, trusted website publishes a malware-infected advert, and the site may be legally responsible for all the content on the site, shouldn't the ad servers monitor the adverts they distribute? Trusteer's Klein says, "It's difficult to monitor ad servers. It is up to the advertisement providers to make sure their adverts are trusted."
So here is the key: for internet advertising to remain profitable users must continue to click on adverts. But if users risk being hacked by an advert, and having their personal data stolen, then they would not click on the advert.
Trend Micro researcher Rik Ferguson has written extensively in the Counter Measures blog on how the New York Times issued warnings through both Twitter and its website's front page about malvertisements that trigger the display of a malicious pop-up window. The window displays the typical fake antivirus warning indicating malware infection. This prompts the affected user to purchase a full version of a rogue antivirus software.
The reported infections are nonexistent. The alarming messages are distractions to convince the user into giving away important information.
A malvertisment is a variation of the rogue anti-virus scam that is plaguing internet users. Ferguson says, "Here's a really simple tip to remember. If you ever see a browser pop-up window that arrives uninvited, telling you your PC is infected, ignore it, it is a scam. Close the window, empty your browser cache and to be on the safe side, run a real scanner like HouseCall. To be more fully protected in future, make sure you install an anti-malware program that will also block malicious URLs, rather than simply looking for malicious files.
This was first published in April 2011