Risks

Since hackers have discovered ad-networks as an attack vector, the variety of attacks a user can expect to encounter has exploded. These include:

Malicious downloads, including ransomware. “Drive-by” downloads don’t even require the user to click on an advert - simply viewing the page may be enough to deliver the payload. Malware is usually delivered through vulnerable versions of Flash or Adobe Acrobat. Redirects to phishing sites that attempt to steal a user’s credentials. Scareware - adverts designed to trick a user into downloading unnecessary and potentially dangerous software, such as fake antivirus protection. Browser lockers - malware that locks up the browser, often posing as a security alert.

Prevention

When you host adverts, you are inviting a third-party to write content to your web-pages. Unfortunately, this means you are limited in how much control you have in protecting your users. You can mitigate the risks involved by:

• Working with reputable ad networks. Choose networks that are certified by e.g. Google. If you are evaluating a new ad network, see if they have any existing big-name clients. Avoid advertising networks that use deceptive practices pop-ups and pop-under windows.
• Performing due diligence on agencies and advertisers. Restrict your advertising to relevant market segments, and if your ad networks permits it, consider individually whitelisting advertisers.
• Implementing a content security policy. Implementing a Content-Security Policy will help control what domains can host content used in your web-pages. Unfortunately, many advertising toolkits (e.g. Google Adsense) cannot be restricted in this fashion - so you may have to create a “soft” whitelist using the Content-Security-Policy-Report-Only header, and monitor unexpected domains.
• Using client-side error reporting tools. Tools for recording errors in the browser - like Sentry, TrackJS, Rollbar and Airbrake - will help you detect unexpected and anomalous behavior that could indicate a malvertising infection.
• Logging out-going URLs. Capturing click-strings for adverts will help with forensic analysis in the case of a malvertising outbreak.