A Complex System of Middlemen, Resellers, Auctions
Creates Dangerous Vulnerabilities.
Recently visitors to the forums section of Digital Spy,
a British entertainment and media news Web site, were greeted with an ad
that loaded malicious software onto their computers. The Web site's
advertising system had been hacked.
A number of such attacks have occurred this year, as perpetrators exploit
the complex structure of business relationships in online advertising,
with its numerous middlemen and resellers. Web security experts say they
have seen an uptick in the number of ads harboring malware as the economy
has soured and publishers, needing to boost their ad revenues, outsource
more of their ad-space sales.
Viruses can be incorporated directly within an ad, so that simply clicking
on the ad or visiting the site can infect a computer, or ads can be used
to direct users to a nefarious Web site that aims to steal passwords or
identities. In most cases, the problem becomes apparent within a matter of
hours and quick fixes are put in place, but that's not fast enough for
Internet surfers whose computers end up infected or compromised.
"The system is only as safe as its least secure members, and some of these
members can be strikingly insecure," says Ben Edelman, an assistant
professor at Harvard Business School who researches Web security issues.
EWeek.com, a technology news site owned by Ziff Davis Enterprise, in
February displayed an ad on its homepage masquerading as a promotion for
Lacoste, the shirt maker. The retailer hadn't placed the ad -- a hacker
had, to direct users to a Web site where harmful programs would be
downloaded to their computers, says Stephen Wellman, director of community
and content for Ziff Davis.
Similar attacks occurred across a series of News Corp.-owned sites in
February, including AmericanIdol.com, FoxNews.com and IGN.com. In January,
clicking on an ad on Major League Baseball's MLB.com led visitors to a
site with malware.
Digital Spy, Ziff Davis, Fox and MLB all say that immediately after they
detected the incidents, they isolated the ads and removed them from their
sites.
Digital Spy sells the ad space on its forums section, visited by three
million unique visitors a month, through a number of other companies,
called ad networks. If one ad network doesn't sell the space to a marketer
directly, it often will sell it to another network. The space also can be
outsourced to ad exchanges, another set of companies, which hold an
electronic auction for online ads.
"As that chain gets longer, it becomes more and more difficult to vet the
ads to make sure there are no viruses in them," says James Welsh,
co-founder of Digital Spy, owned by Hachette Filipacchi. "There was a lack
of scrupulous checking somewhere along that line, and an attacker seized
upon this and used it as a route to inject some very nasty malware onto
our site."
Web publishers say they have started limiting the number of companies they
outsource their ad selling to and are working with security vendors, such
as San Francisco-based ClickFacts, to detect malicious software on their
networks and remove it as quickly as possible.
Ad technology companies and Internet companies say they, too, are making
efforts to boost the security of their systems. Microsoft, Google and Time
Warner's AOL say they use a series of technical and manual procedures to
scan for malicious code in their systems.
AOL says that in addition to digital virus scans, it employs a team of
people to review each of the thousands of Web sites interested in entering
its ad network and each of the advertisers that want to run an ad campaign
across these sites. Microsoft says it verifies the legitimacy of the
companies it does business with and deploys technologies that scan ads and
Web sites to mitigate attacks.
"It is an issue that we take very seriously," says Alex Gounares,
corporate vice president of ads and commerce research and development at
Microsoft, which operates some of the largest online ad technology
systems. "I don't know if it will ever go away. The world has evildoers."
The Post Office Lowers Rates For
High-Density Flat Mail.
The Postal Service has had second thoughts about the
rate increase that would single out newspapers.
The USPS reversed course and is now reducing rates for high-density flat
mail, effective July 19, 2009. Newspapers generally use high-density flat
mail to deliver total market coverage products and advertising inserts to
non-subscribers.
In a letter to members, Newspaper Association of America CEO John Sturm
said the new rates should save the industry $7 million in 2010.