How Monetizing Became Malvertising

    by Barrett Golding
    September 8, 2016
    Petya ransomware screens, Bleeping Computer.

    This piece was first published by the Donald W. Reynolds Journalism Institute as part of  the Breaking News series on the self-inflicted fractures breaking the news business.

    Cyber criminals are embezzling billions annually from advertisers. They take over news sites, spread computer viruses, steal passwords and hold people’s hard drives hostage.

    It’s a tangled world wide web of piracy, fraud and extortion. Everyone lets it happen: ad agencies, ad networks and publishers. Everyone gets their cut.


    After these attackers decimate the online advertising business and erode all trust in online news, they’ll move on.

    Those of you in the news business can then:

    • Explain to your readers why your site installed malware on their computers.
    • Explain to your advertisers why their high-priced ads were never seen by anyone anywhere.
    • Explain to government investigators why you shouldn’t be prosecuted for criminal conspiracy.
    One example.

    One example.


    Shell game

    “The other day I mindlessly clicked on some link-bait on my mobile phone. It was an article about “22 Photos that Prove Shaq is a Giant.” Yes, I’m embarrassed, but that’s not the point. Within that one listicle there were no less than 30 “impressions” of the same Best Foods Mayonnaise banner ad. How embarrassed do you think the brand manager at Best Foods will be when his CMO reads this?” — “Why Ad Tech Is the Worst Thing That Ever Happened to Advertising,” Advertising Age

    The Interactive Advertising Bureau estimates malicious advertising — malvertising — “costs the U.S. digital marketing, advertising, and media industry $8.2 billion annually.”

    A few years ago malvertising was merely scamming the system: fake ads, fake traffic, fake analytics. Ad tech is a hacker’s heaven, an unregulated labyrinth of circumlocution systems for bidding, placing and tracking ads.

    “All the code is awful and you aren’t allowed to change it anyway,” says Salon developer Aram Zucker-Scharff. “Usually ad servers claim they run some sort of checks, but considering just how many malicious or badly formed ads get through, it is pretty apparent they don’t do much.”

    The hacker’s goal is to bill, aka bilk, advertisers for ads no human ever saw. Their fraud takes several forms: Ad stacking piles multiple ads on top of each other. Ad stuffing shrinks ads to invisible 1-pixel squares. Click farms send fraud users to real sites. Clickjacking sends real users to fraud sites.

    This example comes from Kalkis Research: “You’ll be redirected through a loop of various shell websites, spending a fraction of a second on each [making the bogus sites seem, to analytics algorithms, as high-quality and high-traffic]. Once the shell websites have good enough Alexa rankings, and off-the-chart demographics, they sign contracts to display ads with much better terms.”

    A shell game. A con. That what malvertisers did, before they became racketeers.


    The cyber miscreants now have a new scheme. They don’t just scam advertisers, they also buy ads. Their new goals: Install spyware, scareware and ransomware via websites; capture site-visitors’ computers for their “zombie army” to attack more websites and more web users.

    “Ads have become the major vector for malware,” said Maciej Ceglowski in his Web Directions keynote. (All his talks are essential reading.)

    Again, ad tech makes this easy: “People think you have to click on the ad for something bad to happen, but that’s not the case,” said Jerome Segura of the security firm Malwarebytes. “The malicious activity takes place in a few seconds.”

    Malwarebytes’ Wendy Zamora wrote:

    “A lot of folks in the business (and consumer) world are shaking in their boots about ransomware. It’s understandable. Ransomware is a dangerous threat and, if not protected against, can do serious damage to a company’s data, reputation, and bottom line. But the truly alarming part is that ransomware is being delivered by malvertising. Malvertising can do this without you knowing (until it’s too late) and without your users taking a single “unsafe” action online.” “Malvertising and ransomware: the Bonnie and Clyde of advanced threats,” Malwarebytes


    Malwarebytes estimated 70 percent of malvertising now delivers ransomware payloads. Bromium Labs researchers detected “at least 27 percent of the Alexa 1,000 websites were delivering malware via malicious advertisements.”

    And guess where malvertisers most like to share their wares.

    We’re number one

    Bromium Labs found more than half the ads with malware payloads were on either news or entertainment websites, with news at the top of the pack (32 percent). Like all marketers, malvertisers want premiere placement on well-respected sites. The ad-bidding process grants them their wish.

    In March 2016 the websites of The New York Times, BBC, Weather Network, The Hill, Newsweek, AOL, MSN, and NFL all, as CNET reported, “inadvertently ran malicious ads that attempted to hijack the computers of visitors and demand a ransom.”

    This even juicier website-breaking news is from Engadget: “Forbes asked readers to turn off ad blockers in order to view the article. After doing so, visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information.”


    Malicious advertisements sources, Bromium Labs

    “You could be researching business trends on a site like NYTimes.com and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the “right” malware for you.”“Truth in malvertising: How to beat bad ads,,” Malwarebytes

    What’s a Google to do?

    The problem is not new, it’s been happening on news sites for years. These headlines are from 2013:

    Google has run an anti-malvertising team since 2009. Here’s a recent report on their progress:

    Google is enabling traffic laundering, where websites with pirated content redirect visitors to shell websites displaying AdSense ads. These ads finance piracy, and Google is taking a cut in the process. Google clients have no clue of the reputational risk they run by using AdSense.“A Real Life Example of Google’s Implication in Ad Fraud and Traffic Laundering,” Kalkis Research

    CNBC and CNN commentator Shelly Palmer wrote, “Ad tech has evolved into a toxic ecosystem that is killing itself, and it is taking digital advertising with it.” His article, “What We’ll Do When Ad Tech Dies,” concludes, “Ad tech will be with us in its current form until someone goes to jail.”

    Till then we’ll continue to reap what the technology sows, like AppLift’s fraud detectors discovering 34 percent of mobile ads at risk of fraud, and RiskIQ in 2015 measuring a 260 percent spike in malicious advertisements.


    Let’s hope news publishers are planning for a post-ad-tech world. No site owner wants to deliver this news to her readers:

    Perhaps this partly explains the rapid rise of ad-blockers. When reading the news, it seems a reasonable expectation to not have your computer hijacked by a crime syndicate.

    “The Web is turning into a clickbait jungle. Established publishers are trashing their websites with low-quality content recommendations. Smartphone manufacturers and software publishers, worried about worsening browsing experience, are uniting to fight online ads.

    Ad dollars are being stolen. Ad efficiency is declining. Traffic laundering is thriving. Bad guys have become experts at gaming ad tech metrics and monetizing fake or unwilling visitors.

    Unless ad tech starts to pay attention to the consumer, its days are numbered.”“Clickbait And Traffic Laundering: How Ad Tech Is Destroying The Web,” Kalkis Research

    What hurts online news is not the ads, it’s the ad technologies. It’s their chumboxes and subprime markets. It’s their molasses-slow surveillance scripts and their Swiss-cheese security. It’s their superstitious belief in “big data” and their exorbitant “ad tech tax.” These are all upcoming topics in RJI’s Breaking News series.

    RJI_LOGO_wSchool_Stack_PMSBarrett Golding, a web developer and leader of the Peabody Award-winning project Hearing Voices from NPR, is a residential RJI Fellow at the Donald W. Reynolds Journalism Institute, where this article first appeared.

    Tagged: advertising clickbait malvertising malware monetizing the news online advertising

    Comments are closed.

  • Who We Are

    MediaShift is the premier destination for insight and analysis at the intersection of media and technology. The MediaShift network includes MediaShift, EducationShift, MetricShift and Idea Lab, as well as workshops and weekend hackathons, email newsletters, a weekly podcast and a series of DigitalEd online trainings.

    About MediaShift »
    Contact us »
    Sponsor MediaShift »

    Follow us on Social Media