Viruses via advertising: time for an industry initiative?
by Duncan Parry
As reported by VNUNet, Expedia and RealPlayer's Rhapsody websites have both run adverts that, when clicked, redirected to sites that attempted to install malware. Ad serving company DoubleClick suffered a similar attack, resulting in malware-linked ads running on premium sites including The Economist, and Facebook has also been targeted.
So what can the Internet industry do to prevent these attacks?
The efforts of companies like Google and Microsoft to warn end users when they are visiting a known nasty site - via the Google toolbar or IE7 phishing filter - are welcome; however, I feel the industry needs to go further - and quickly.
In fact there are two industries at work here - and they need to forge very close alliances. The ad serving providers, online publishers and search engine companies, representing the Internet industry, need to work a lot more closely with the computer security and software companies - MS, Apple, Firefox, Symantec, Adware etc.
The threats the computer security/software companies used to face are now embedded in the very ecosystem of the web. Whether you like it or not, advertising pays for most of the websites you use, and security attacks launched via any online advertising medium not only spread nasties that the computer companies have to fight, they also undermine confidence in online advertising as a whole in the eyes of consumers. CTRs will fall if ads are equated with viruses - and in a worst-case scenario, sites will disappear if this becomes an epidemic.
At a time when industry groups like the IAB, IPA and SEMPO* are increasingly active in best practice guidelines for online advertising, with Google and DoubleClick, Atlas and MSN merging, and with Google and MS both becoming more active in preventing malware at the server and client computer level, now is the time for them all to work together to combat existing and emerging threats like those experienced by Expedia etc. These threats don't just attack the faceless end user; they risk undermining the very advertising models that MSN, Google and all of our industry depend upon.
The idea of industry co-operation sounds fine in a perfect world - but how can these big, competing companies successfully work together?
I think this is where an independent body needs to be involved to facilitate practical steps, starting with a "clearing house" where details of known attacks and sites can be collated every minute of every day, and shared out to all participating (vetted) companies. This would mean that no matter what browser you use, anti-virus you run or ad network serves you adverts, they all know about the same attacks and as a whole reduce the gaps that attackers use. This database would assist law enforcement, too.
Of course this would be hard to make happen, with legal and technical obstacles to overcome - which is why this needs an independent, international, non-governmental body - perhaps a role for the IAB on the Internet industry side?
Notes:
I'm no expert on computer security, but have encountered various nasties on an individual PC or network-wide level over the years, and help friends and family with basic dos and don'ts online.
*Disclosure: we are members of all 3 organisations.









