Senate Calls for Tighter Controls to Halt Malvertising Epidemic

A US Senate subcommittee has called for new rules to force the online advertising industry to clean up its act and remove the hidden malware “hazards” that are increasingly impacting netizens.

In a report issued on Thursday, the committee, led by senator John McCain, warned that the risk to consumers from so-called “malvertising” is increasing and that self-regulation of the industry thus far has failed.
 
“The complexity of the online advertising ecosystem makes it impossible for an ordinary consumer to avoid advertising malware attacks, identify the source of the malware exposure, and determine whether the ad network or host website could have prevented the attack,” it found.
 
This complexity also makes it difficult to work out exactly which party is to blame if malware is delivered to a user’s computer through advertising, it added.
 
The committee claimed that the current system doesn’t create “sufficient incentives” for online advertisers to prevent abuses including “malware, invasive cookies, and inappropriate data collection”.
 
It recommended that “sophisticated commercial entities” of all sizes be forced to take steps to reduce “systemic vulnerabilities” in their networks, and that information sharing be encouraged.
 
“If necessary, Congress should pass legislation that removes legal impediments to the sharing of actionable cyber-threat related information and creates incentives for the voluntary sharing of information,” the report said.
 
The committee also urged self-regulatory bodies to develop “comprehensive security guidelines” to prevent malvertising.
 
It added: “In the absence of effective self-regulation, the FTC should consider issuing comprehensive regulations to prohibit deceptive and unfair online advertising practices that facilitate or fail to take reasonable steps to prevent malware, invasive cookies, and inappropriate data collection delivered to Internet consumers through online advertisements.”
 
Finally, the report recommended the introduction of more “circuit breakers” or checkpoints into the online advertising ecosystem to ensure ad-based malware is caught at an earlier stage.
 
Jag Bains, CTO of internet security firm DOSarrest, welcomed the proposals as a “step in the right direction”.
 
“For some time now, ad networks have been able to diffuse culpability through the use of intermediaries and it allowed for rampant misuse, such as the aforementioned malware proliferation and more recently the relative ease of launching DDoS attacks with ad servers,” he added.
 
“More stringent checks and sanitization of submissions to an ad network must be done to avoid these situations and until these organizations are faced with penalties forcing them to do this, a high number of regular users and websites remain at risk.”
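The report's “circuit breakers” and Bains's call for checks and sanitization of submissions both describe the same control point: a gate between creative submission and ad serving. The block below is an added example, not code from the Senate report, DOSarrest or Lancope, of what a minimal gate could look like. The policy values (the allowed asset hosts, the 30-day domain-age threshold, the breaker threshold), the `Creative` fields and the sample creatives are all constructed for illustration; a real ad network would source domain age from RDAP/WHOIS and scan rendered creatives in a sandbox rather than regex-matching markup.

```python
"""Added example: a submission gate ("circuit breaker") for ad creatives.
Not the Senate report's, DOSarrest's or Lancope's code; all values are
constructed assumptions for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical policy, not from the page: the only hosts a creative may load assets from.
ALLOWED_ASSET_HOSTS = {"cdn.example-adserver.test", "static.example-brand.test"}
MIN_DOMAIN_AGE_DAYS = 30  # assumed threshold: freshly registered landing domains are held back

SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)
FRAME_RE = re.compile(r"<(?:iframe|object|embed)\b", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HREF_RE = re.compile(r"""\bhref\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


@dataclass
class Creative:
    advertiser: str
    markup: str                 # the HTML the advertiser submits
    landing_url: str            # declared click-through destination
    landing_domain_age_days: int  # would come from RDAP/WHOIS; constructed here


def check_creative(c: Creative) -> list[str]:
    """Return the reasons a creative fails the gate; an empty list means it passes."""
    reasons = []
    if SCRIPT_RE.search(c.markup):
        reasons.append("inline script or event handler in markup")
    if FRAME_RE.search(c.markup):
        reasons.append("embedded frame or object in markup")
    for url in SRC_RE.findall(c.markup):
        host = urlparse(url).hostname
        if host is None or host.lower() not in ALLOWED_ASSET_HOSTS:
            reasons.append(f"asset loaded from unapproved host: {host}")
    landing = urlparse(c.landing_url)
    if landing.scheme != "https":
        reasons.append("landing page is not https")
    for url in HREF_RE.findall(c.markup):
        if urlparse(url).hostname != landing.hostname:
            reasons.append(f"link target does not match declared landing domain: {url}")
    if c.landing_domain_age_days < MIN_DOMAIN_AGE_DAYS:
        reasons.append(f"landing domain registered {c.landing_domain_age_days} days ago")
    return reasons


class AdvertiserBreaker:
    """Trips after `threshold` rejected creatives from one advertiser, so further
    submissions are held for review instead of being served."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.rejections: dict[str, int] = {}
        self.tripped: set[str] = set()

    def submit(self, c: Creative) -> tuple[str, list[str]]:
        if c.advertiser in self.tripped:
            return "held", ["advertiser breaker tripped"]
        reasons = check_creative(c)
        if reasons:
            n = self.rejections.get(c.advertiser, 0) + 1
            self.rejections[c.advertiser] = n
            if n >= self.threshold:
                self.tripped.add(c.advertiser)
            return "rejected", reasons
        return "served", []


# Constructed sample creatives (not real advertisers or domains).
CLEAN = Creative(
    advertiser="brand",
    markup='<a href="https://shop.example-brand.test/sale">'
           '<img src="https://static.example-brand.test/banner.png"></a>',
    landing_url="https://shop.example-brand.test/sale",
    landing_domain_age_days=900,
)
MALICIOUS = Creative(
    advertiser="fresh-co",
    markup='<img src="http://203.0.113.9/x.gif">'
           '<script>window.top.location="http://evil-fresh.test"</script>',
    landing_url="http://evil-fresh.test",
    landing_domain_age_days=2,
)

if __name__ == "__main__":
    breaker = AdvertiserBreaker(threshold=2)
    for creative in (CLEAN, MALICIOUS, MALICIOUS, CLEAN._replace if False else MALICIOUS):
        print(creative.advertiser, breaker.submit(creative))
```

The first sample passes every check; the second trips on four of them (inline script, an asset from an unapproved host, a non-HTTPS landing page and a two-day-old domain), and after the configured number of rejections the breaker holds everything further from that advertiser, which is the earlier-stage catch the report is asking for.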
 
TK Keanini, CTO at network security vendor Lancope, told Infosecurity that the lack of effective authentication in the online ad industry has been a “ticking time bomb” for some time.
 
“Since the registration and genesis of a brand new site on the Internet is so easy and can oftentimes be automated, adversaries can fire up and take down hundreds of malicious sites, all of them distributing these malware-based ads, before they are detected and taken down,” he added.
 
“Slowing this process down and leveraging reputation biases slow down the business of the Internet and take away one of its finest qualities. As you can see, there are going to have to be trade-offs made and everyone will have to do their part to make it more difficult for this malicious behaviour.”