Adblocking is becoming a more and more contentious topic in recent days. Publications, understandably, do not want people to block ads – they derive much of their revenue from them.
Users find them to be intrusive and often feel that they impede their usage of a site; and, given the recent meteoric rise of malvertising, ads can often become downright dangerous. Where is the balance between the desires of publishers and the safety of users?
Malvertising is the way that criminals leverage ad delivery networks to push their malware onto end users. This is made possible by both the multiple parties involved in the delivery of ads (which involve the publisher’s server to the ad network to the delivery edges, to the people buying the ad space, to the companies that market ads, and finally to consumers), and the complex nature of the network itself.
Ad networks are built to streamline operations as much as possible, to ensure that money gets from point A to point B quickly and efficiently, with as little friction as possible.
Ad networks have chosen to prioritize the speed of ad auctions and capability of delivery, as well as the feature set of ads, over everything else – and understandably so, since this is what makes them money. The faster and more feature-rich an ad can be delivered, the more it is worth to a publisher (for whom it is a ‘premium’ client) and to a business purchasing the space (because it’s a ‘premium’ ad slot).
The spread of these ‘feature rich’ ads then becomes something of an arms race – after all, how is a plain old text or simple picture ad going to get noticed when your competitor has figured out how to get auto-playing video to load over the content, and made sure that viewers have to take positive action to dismiss it?
But these feature-rich ad slots amount to remote code execution capability. They allow an ad provider to execute any program they want to within the browser environment of the consumer.
Ad networks, of course, claim that they want to ensure the safety of customers and insist that they ‘inspect’ ads – but the prevalence of malvertising in the market provides many examples to the contrary.
How do criminals bypass the checks that ad networks have supposedly put in place to prevent this? Often, it is accomplished by compromising the accounts of ‘trusted’ ad buyers. Businesses buying ad space are no better or worse at securing their credentials than any other user; they can lose control of their ad accounts just as often as anyone else loses control of a Facebook account or an email inbox.
Once the account has been compromised, the ‘trust’ that the ad network has in the client can be used by the malvertiser to speed their revisions to the original ads past verification – it would be prohibitively expensive, after all, to have someone manually review every change to an ad for every purchaser of ad space. Automatic review can be fooled fairly easily as well – signature-based detection fails if there’s any change in the malicious payload. Manual review can also fail easily enough if the malvertiser sets up a page that looks like a legitimate one, and then changes the content after it has passed review.
So how can this be changed?
On one side, ad networks seem to want to change this by fighting against adblockers – entering an arms race where they try to detect adblockers and either obstruct them or guilt people into disabling them.
On the other side are the various programmers who either despise the ad-cluttered user experience and those concerned with security, who are very highly motivated. This is not a fight that the ad networks are likely to win.
Alternatively, ad networks could try to work with the adblockers – for instance, by delivering known-safe ads.
The only way to really guarantee safe ad delivery is to vastly restrict the content to plain text or static pictures only, with regularly audited links to specific whitelisted domains. Then Ad networks should also provide random spot checks afterwords as well, to ensure ongoing compliance.
Sure, these ads are not nearly as interesting or “premium” as the feature-rich ads that are desired, but a ‘boring’ ad that is delivered is far superior to a feature-rich ad that is blocked and is never shown.
Ad networks need to judge what is more important: making their ads intrusive and feature rich, or accepting that users need a safe browsing experience and require assurance from the networks that their computer will not be damaged by malicious ads.
As far as my networks are concerned, my terms are simple: if you cannot ensure that your ad network is delivering safe content, then I will block you by any means available. This isn’t negotiable – the safety of my users comes far before the profitability of your network in my estimation. If you can guarantee that you will only show static pictures and text, with carefully vetted and audited links, then I’ll unblock.
This is not a negotiation, mind – these are the terms that any decent administrator will demand. After all, the ad networks need my users a lot more than my users need any ad networks. You really should follow Eric on Twitter to get more of his insights.
Eric Rand, Security Consultant, AlienVault