Malvertising, that is, the spreading of malware or fraudulent content through malicious ads on otherwise trustworthy websites, is not only persistent but also growing, as recent articles from Motherboard and Ars Technica suggest; both refer to a report from Cyphort as their primary source. This increase in the delivery of malicious ads is an ongoing threat to users on the Internet. Ars Technica emphasises that a single consortium of 28 fake ad agencies was able to reach 62% of ad-monetized websites on a weekly basis.
Today, dynamic provisioning of interactive content is integral to many websites, be it applications such as Google Docs or social media platforms such as Facebook and Twitter.
There is another business that relies just as heavily on dynamic provisioning of content: advertising. With the help of scripts deployed on popular web pages, ad networks deliver ads in a specified volume, time frame and geographical location, to name just a few criteria. Because the communication involved is bi-directional, ad networks do not merely push a fixed piece of content per page load; they can also track and target specific user groups. The two most important counterparties of an ad network operator are, on the one hand, advertisers who pay to have their ads displayed on preferably popular web pages and, on the other hand, publishers who sell suitable advertising space on their own pages.
This leads to scenarios in which reputable websites distribute malicious content without even knowing it, as happened with Forbes.com, MSN.com and the Huffington Post [4, 5], for example. Assuming that up-to-date antivirus software will avert the threat is a misconception, as shown by the incident at Equifax, where only three out of 65 AV scanners detected the malware.
The abuse of ad networks and its implications for endpoint security are not new at all; media and security experts alike have raised the issue throughout the last decade [7, 8]. Still, the problem keeps growing: a recap of 2017 brings many ransomware attacks to mind, a good number of which can be, and have been, conducted via drive-by downloads. The German BSI (Federal Office for Information Security) identified drive-by downloads as an important vector for the spread of ransomware.
So, what is the conclusion? As long as the content distributed via ad networks is neither restricted in type nor subject to any form of "quality" assurance, a rational user should block side-loaded content, that is, third-party content pulled in by the page, for the sake of security*. With this in mind, the attempt of some German content providers to prohibit the use of ad blockers appears to be an attack on both the privacy and the security of users. On the other hand, the business models of many web page operators depend heavily on ads actually being loaded and displayed.
*This, of course, does not provide any protection where the visited web page delivers malware itself, but it covers the cases where malware is delivered by ad network operators.
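To make the conclusion concrete, here is an added example (not code from the original post) of how an ad blocker decides, per request, whether a resource a page pulls in is side-loaded third-party content that matches a filter rule. It implements a small subset of Adblock Plus filter syntax (`||host^` domain anchors, plain substring patterns, the `$third-party` / `$~third-party` options and `@@` exceptions). The sample filter list, the page and request URLs, and the tiny `registrableDomain()` helper standing in for the Public Suffix List are all constructed for this example and are assumptions, not real filter-list entries.

```javascript
// Added example: a minimal Adblock-Plus-style request matcher. Assumptions:
// the filter syntax subset, the sample list and URLs below are constructed
// here; registrableDomain() is a stand-in for the Public Suffix List.

// ABP "^" (separator) matches any character that is not a letter, digit,
// or one of "_ - . %", or the end of the URL.
const SEPARATOR = /[^a-z0-9._%-]/i;

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const secondLevel = new Set(["co", "com", "net", "org", "ac", "gov"]); // tiny PSL stand-in
  const n = labels.length >= 3 && secondLevel.has(labels[labels.length - 2]) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// A request is third-party when its registrable domain differs from the page's.
function isThirdParty(requestUrl, pageUrl) {
  return registrableDomain(new URL(requestUrl).hostname) !==
         registrableDomain(new URL(pageUrl).hostname);
}

function parseRule(line) {
  let text = line.trim();
  if (text === "" || text.startsWith("!")) return null;          // blank line or comment
  const exception = text.startsWith("@@");
  if (exception) text = text.slice(2);
  let thirdParty = null;                                         // null = option not set
  const opt = text.lastIndexOf("$");
  if (opt !== -1) {
    for (const o of text.slice(opt + 1).split(",")) {
      if (o === "third-party") thirdParty = true;
      else if (o === "~third-party") thirdParty = false;
      else throw new Error("unsupported filter option: " + o);
    }
    text = text.slice(0, opt);
  }
  const domainAnchor = text.startsWith("||");
  if (domainAnchor) text = text.slice(2);
  const separatorEnd = text.endsWith("^");
  if (separatorEnd) text = text.slice(0, -1);
  return { exception, thirdParty, domainAnchor, separatorEnd, pattern: text.toLowerCase() };
}

function ruleMatches(rule, requestUrl, pageUrl) {
  if (rule.thirdParty !== null && isThirdParty(requestUrl, pageUrl) !== rule.thirdParty) return false;
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const rest = host + u.pathname + u.search;                     // URL without the scheme
  const haystack = rule.domainAnchor ? rest : requestUrl.toLowerCase();
  let from = 0;
  for (;;) {
    const i = haystack.indexOf(rule.pattern, from);
    if (i === -1) return false;
    const end = i + rule.pattern.length;
    // "||" requires the match to start at a label boundary inside the hostname
    const anchorOk = !rule.domainAnchor || i === 0 || (haystack[i - 1] === "." && i < host.length);
    const sepOk = !rule.separatorEnd || end === haystack.length || SEPARATOR.test(haystack[end]);
    if (anchorOk && sepOk) return true;
    from = i + 1;
  }
}

// Exceptions (@@) take precedence over blocking rules.
function decide(requestUrl, pageUrl, rules) {
  const hits = rules.filter(r => ruleMatches(r, requestUrl, pageUrl));
  if (hits.some(r => r.exception)) return "allow";
  return hits.length > 0 ? "block" : "allow";
}

// Constructed sample filter list (not a real one).
const SAMPLE_LIST = [
  "! block a known ad host wherever it is embedded",
  "||adnetwork.example^",
  "! block any third-party script named like an ad tag",
  "/adtag.js$third-party",
  "! never block the publisher's own first-party assets",
  "@@||news.example^$~third-party",
];
const RULES = SAMPLE_LIST.map(parseRule).filter(Boolean);

// Constructed page load: what a publisher page might request.
const PAGE = "https://www.news.example/article/1";
const REQUESTS = [
  "https://www.news.example/static/app.js",        // first-party asset
  "https://cdn.adnetwork.example/serve?slot=top",  // ad network host
  "https://static.partner.example/adtag.js",       // third-party ad tag
  "https://www.news.example/adtag.js",             // same name, but first-party
  "https://notadnetwork.example/x",                // "||" must hit a label boundary
];

function audit(pageUrl = PAGE, requests = REQUESTS, rules = RULES) {
  return Object.fromEntries(requests.map(r => [r, decide(r, pageUrl, rules)]));
}

console.log(audit());
```

Two details are worth noting in the output: `||adnetwork.example^` does not match `notadnetwork.example`, because the `||` anchor requires the pattern to start at a hostname label boundary, so a sloppier substring match would both over-block and be easy for an ad host to dodge; and the first-party `adtag.js` is allowed by the `@@` exception while the third-party file of the same name is blocked, which is exactly the "block side-loaded content, keep the site itself working" policy argued for above. Real blockers evaluate far larger rule sets, but the precedence of exceptions over blocking rules and the first-/third-party split are the same.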