Ad industry tries ‘certified’ security seals to combat ransomware in ads

  • Liam Tung (CSO Online)
  • 16 November, 2016 08:00

Firms in the $50bn online ad industry can now apply for a security seal to signal they’ve done enough to prevent criminals exploiting news to spread ransomware.

Publishers can now select to work with ad companies that have been “Certified Against Malware” thanks to a program launched on Tuesday by the Trustworthy Accountability Group (TAG), an initiative led by major news organizations, vendors like Procter & Gamble, ad agencies, and ad tech firms, including Google and Facebook.

The seal signals that buyers, sellers, and the multitude of go-betweens in the online ad industry have taken “aggressive” steps to fight malware, according to TAG.

The group has also launched a malware threat-sharing hub for select companies to provide information on the latest malware attacks. The hub also is an open channel for law enforcement to access malware-related data from the ad industry.

“TAG’s ‘Certified Against Malware’ Program uses a multi-prong approach that includes consumer education, industry best practices, information sharing, and law enforcement to shut down malware distributors and protect the advertising supply chain,” said Mike Zaneis, CEO of TAG.

One of the main threats to consumers from online ads is so-called malvertising, or malware ads distributed through legitimate online ad exchanges onwards to high-traffic news and media sites, such as the New York Times, BBC, as well as popular adult sites.

Besides using news publishers to cast a wide net, 70 percent of malvertising campaigns deliver ransomware, according to security firm Malwarebytes. Unlucky site visitors then have the option of paying an extortion fee or sacrificing their files to criminals who’ve effectively thrown away the key.

While these attacks impose a heavier immediate cost on site visitors, concerns over malicious ads in particular have helped justify ad-blockers, which threaten revenues of online publishing and the ad industry.

A study by ad-industry group Interactive Advertising Bureau, a contributor to TAG, found that users would likely turn off an ad blocker if they could be guaranteed that viewing an online ad won’t lead to a malware infection.

Jérôme Segura, Malwarebytes’ lead malware intelligence analyst, says that allowing publishers to choose companies based on whether they meet security standards is a much-needed step in the right direction.

“There is truly a need to restore confidence in the state of the online advertising business considering it has been seriously threatened by ad blockers. This is not the first effort to date to combat malvertising and it probably won't be the last either,” he told CSO Australia.

However, he warned the complexity of the ad supply chain could still be used to spread malware despite the program offering better insight into information held by different parties within it.

“One issue that could remain is if companies that are vetted still engage with third parties that aren't, thereby introducing weaknesses via a piggy-backing effect in the long and complex ad delivery chain,” said Segura.

Naturally, compliance with the program focuses on firms that have or are attempting to gain the TAG seal. Those companies need to meet a set of guidelines and adopt TAG’s best practices for scanning creative for malware.

According to the guidelines, companies can lose their TAG seal if any company involved in a transaction with them files a complaint with TAG and provides evidence of non-compliance. Security firms, end-users and others can report a malware event, but that won’t necessarily affect a firm’s TAG certification.

Companies that have agreed to participate in the program include Adform, Admiral, AppNexus, DoubleVerify, engage:BDR, GeoEdge, Google, MediaMath, OpenX, RiskIQ, RocketFuel, Rubicon Project, Sovrn, SpotX, and The Media Trust.

The best practices for scanning creative for malware are available here, and the guidelines which firms need to comply with are here.

TAG's malware hub initially will rely on data provided by members of TAG's Anti-Malware Working Group until more members come into compliance with the program, Jamie O'Donnell, manager of the TAG Certified Against Malware Program, told CSO Australia.

O'Donnell said law enforcement access to the information-sharing hub will only be used to pursue criminals and not as a source for information about end-users.

"TAG plans to collaborate with law enforcement to help identify and prosecute the criminals who disseminate malicious code using advertising creatives. End-user privacy would not be compromised because no user information would be accessed or shared. The information shared among companies and with law enforcement would only be what the criminals had placed into a creative or landing page," O'Donnell said.