When malware strikes via bad ads on good sites

Matt Drudge and Michael Arrington found themselves this week in an unpleasant position when visitors to their respective Drudge Report and TechCrunch sites were targeted by malware that appeared to have come from ads.

While Drudge vehemently denied it and blamed accusers with playing politics, Arrington acknowledged on Thursday that there had been malware-laden ads on TechCrunch on Wednesday. It's unclear which ad network served up the malware and what type of malware it was, although it was determined to be an ad running JavaScript, he said.

A browser warning that popped up for a blogger at Phat1.com on Wednesday said the TechCrunch ad contained elements from a site that appeared to be hosting malware. A Web search on the name of that site produced a result that said the site was associated with a virus, according to a post on Phat1.com.

"We suspended a bunch of (ad) campaigns in the meantime. We're only running ads with static images right now," Arrington said in a telephone interview. "This happens and it sucks and I don't know what we can do except for what we've done--just serve static images."

Web sites whose ads are served via ad networks would seem to be at the mercy of those networks. Last year, Drudge Report and a host of other sites were found to have ads distributing malware.

"You kind of open the doors to networks and there is supposedly a trust relationship," Arrington said. "Anytime someone puts a third-party widget on your site...theoretically that stuff can exploit weaknesses in a browser and install malware on a computer. Generally we look to the networks to be clean and they have the incentive to be clean."

Ad networks, the middle men who connect advertisers with Web sites that have ad space to sell, often serve the ads from a centralized server with no ability for Web site owners to preview the content. Ads also can be served from third-party ad delivery firms.

Even though Web site owners usually don't have a chance to vet the ads or the advertiser, they have an obligation to protect their visitors from malware, said Bennie Smith, a vice president of exchange policy at Yahoo's Right Media.

"Partnering with a third-party ad network is a good thing, but you can't remove all the risk and shift all the responsibility to the ad network," he said. "The user is coming to your site, not to the ad network. The primary responsibility still resides with you."

Before signing up with an ad network, Web site owners need to find out how well the network knows its advertisers and what it does on its own end to monitor for malware, Smith said.

For example Web site owners need to ask: Does the ad network look for red flags such as advertisers that are willing to pre-pay and require a tax ID number? Does the business name match the e-mail address? If the ad network is not using software tools to check the content for malware, is it at least reviewing the ads manually before they run?

Malware, regardless of how it is delivered from a site, can tarnish a Web site's reputation and keep visitors from returning, according to Smith.

"It's important because it erodes a user's confidence in the particular publisher or publisher's Web site in general," he said. "That has the potential to affect the size and quality of the audience, and that's an important component to the online ad model."

Who's responsible?
But who is legally liable?

"Under a negligence theory, one could argue that the Web site is liable," said Ben Edelman, an assistant professor at the Harvard Business School and a specialist in Internet security related to online advertising.

"The easier argument would be that the ad network is liable," he added. "Even then I see arguments on both sides. The ad net could certainly claim that this is a hard problem and that they did everything they ought to be expected to do."

Web site owners have a lot to lose if their customers don't come back. "Web sites have strong incentive to choose their ad networks carefully," Edelman said.

What can Web surfers do to stay safe?

"In general if you properly secure your PC you should be protected against the bulk of these types of attacks," said Joris Evers, a spokesman for McAfee.

"But there's also a responsibility on the (part of the) ad networks to vet the ads that they put through," Evers said, weighing in on the debate over responsibility. "The ad networks should ensure that they aren't serving up rigged images, iFrames, or links to malicious Web sites."