Christmas is fast approaching, and this year is set to be the biggest ever for online shopping. Hundreds of millions of dollars will be spent by Australians alone. And every year, the flurry of online activity prompts warnings about the dangers of internet shopping. While this has become less problematic over time as advanced online security technology becomes stronger at both ends of transactions, there is another, lesser-known (and easy) way to fall foul of hackers: malicious advertising.
Shopping picture from Shutterstock
Web advertising is arguably the most important and lucrative online business. Some 96 per cent of Google's US$50 billion annual revenue comes from its advertising programs.
Online advertising is becoming more sophisticated. Advertising agencies now specialise in online markets and new analytic tools which can track and profile users to provide highly targeted advertisements with increased revenues.
While these online ads are a convenient way for commercial companies to reach customers, and for internet users to stay in touch with online stores and items they're interested in, they do bring new risks.
Should I click that ad?
Hackers have found web ads to be a low-cost and highly effective means to conduct malicious and fraudulent activities. This is often called malvertising.
Malvertising is a vibrant underground business, endangering even those internet shoppers who trust reputable websites. Recent research shows that at least 1 per cent of a set of well-maintained websites have been exploited to deliver malicious content or to conduct fraudulent clicks.
This may seem like a low rate, but when you think about the sheer number of websites you visit, this level of risk is exceptionally high and dangerous – particularly as the malware operates in a different environment from that where anti-virus software expects to detect it.
The fraudulent ad links mimic standard online ads. They can:
- look like an inoffensive part of a webpage, just an ordinary ad featuring something you might be interested in
- seem very contextual to the webpage you're browsing
- appear to be anti-virus software asking you to update your system; they often provide enough details on your system parameters to be very misleading
- show a store close to your current location where you could find great deals.
This is by no means an exhaustive list.
Dodgy ads, targeted directly at you
Sophisticated tracking components in today's advertising eco-system make malvertising even easier to hide. These components give hackers many different ways to provide contextual, user-targeted or location-based "ads".
Another prominent threat is the "remarketing" ad. These serve ads to users who have shown some interest in a brand, but not until they have left an advertiser's website.
If you shop online, you'll have seen these ads, often called personalised retargeting ads. After you search for a particular brand, you will see a display banner featuring the same type of products (often the exact item you previously searched for) popping up again and again on other sites you visit.
Besides the privacy concerns raised by the current high tracking capabilities, this also makes users less suspicious. It increases the attacker's chances of redirecting them from ad networks to malicious servers, rendering the malvertising problem even more severe.
Keeping yourself safe
Today, there is a plethora of (more or less) user-friendly privacy tools that you can install as add-ons to your browser. These either limit the web tracking capabilities of third parties, or block online advertisement material.
NoScript, Ghostery or BetterPrivacy are very effective ways to limit the damage of tracking components throughout the web. But using them comes at the expense of your web experience; for example, some multimedia content won't work properly anymore.
Blocking all ads is also considered very harmful to the stability of the online eco-system. Internet users benefit from free internet services (such as search engines, email, file sharing, online social networks), but the trade-off is we implicitly agree to be "annoyed" by online ads, and from time to time click on them. It is exactly like being disturbed by commercial breaks while watching broadcast TV.
Probably the best countermeasure though is internet users being conscious of their own behaviour, and trying to distinguish bad from good using intelligence and intuition. But I have to admit, this is really getting more and more difficult!
Dali Kaafar is Principal Researcher in Online Privacy and Security at NICTA. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.