In the middle of March, some of the biggest publishers in the world, including the BBC and the New York Times, began serving malware to their visitors. The pages they delivered carried content able to exploit vulnerabilities in popular software and install malware. The publishers had no idea it was happening. Their servers hadn’t been hacked. The malware was included in the advertising loaded next to content. Attacks of this sort are known as malvertising.
Unless you’re familiar with how advertising on the web works, you might have difficulty understanding how a site like the New York Times could serve malware to millions of readers without being aware it was doing so. In truth, the New York Times has no idea which adverts it serves most of the time. It pays someone else to sell the space. The company paid to sell the space probably has no idea about the exact content of the advertising either, because it uses other companies to handle real-time bidding and other aspects of the process that puts ads in front of valuable eyeballs.
As Pinboard developer Maciej Ceglowski has discussed, the adtech space is hugely complex and convoluted, with thousands of companies vying for a slice of the pie that made companies like Google into multi-billion dollar behemoths. It only takes one of the companies in the chain between advertiser and publisher — who have no direct relationship — to be negligent, incompetent, or malicious. If they are, when you read the news over your morning coffee, there’s a small chance that at the same time your PC is being compromised with ransomware.
Publishers and bloggers are having a hard time of things. Margins are compressed to a razor’s edge, and publishers are throwing every potential revenue generator at the wall to see what sticks. Monetizing content is tricky in an era in which everyone expects content for free, and that means adtech companies have a lot of power. If publishers want to be able to pay their writers (and their owners) they have to make money, and, for the present, that means adtech, with its enormous complexity and scope for problems.
What’s a web user to do? The obvious choice is to use an adblocker. But making that choice will deprive publishers of the revenue they need to bring readers the content they want. The typical response to that problem is to whitelist the sites you love, but because almost everyone uses advertising networks and has no clue where the ads they serve come from, it’s entirely likely that even the most trustworthy of sites is a potential risk.
The only real solution is for publishers to either take a hard stand against negligent advertising companies so they are incentivized to be a little more careful what they send over their networks, or to bring ad buying in-house and circumvent the whole problem. The advertising industry has to start taking malvertising seriously, or users will take the problem into their own hands, further degrading the already tenuous position of publishers and bloggers.