Ad Giant Publicis Tells Publishers to Throw Bodies at the Fake Web Ads Problem
by Peter Kafka
Posted on October 13, 2009 at 5:12 AM PT
Last month, the New York Times (NYT) was attacked by hackers who bought fake Web ads from the publisher. And one of the world’s biggest ad companies says that won’t be the last assault.
Publicis, the giant French ad holding company, has been warning Web publishers to be “hyper-vigilant” about other bogus ads like the ones the Times mistakenly sold, which were purportedly for Vonage (VG) but were actually designed to distribute malware. Publicis, whose units includes Starcom, Digitas, Optimedia, MediaVest, Zenith, and Spark, has been sending out letters warning publishers to be wary of the rogue ads, which it describes as an “industry issue.”
The catch: It appears that the only way to combat the attacks, at least in the near-term, is to do something that runs counter to industry trends: Throw bodies at the problem. Publicis wants publishers to individually verify the ad orders they receive, which would be a nonissue for traditional media but is a problem for Web publishing, which increasingly relies on automation. Mediapost:
The incidents have exposed potential vulnerabilities in on online publishing security, and are causing advertisers, agencies and publishers alike to reassess the processes they use to conduct business, especially as they interact with an increasing array of third-party intermediaries–advertising networks, exchanges, etc.–many of which place insertion orders automatically and without human intervention. The solution, as the Times’ and Publicis’ new policies suggest, is to reinsert human interaction into the process–at least for the time being.
Whoops. That whole thrust of Web publishing is get humans as far away as possible from buying and selling decisions: The ad exchange that Google (GOOG) launched last month, for instance, is designed to handle those tasks in milliseconds. Now think about how long it takes to pick up the phone to actually confirm that ad buyers are who they say they are [shudder].
It’s possible that this is simply butt-covering on the part of Publicis (these attacks have been out there for quite some time) and that this will blow over soon. But I don’t think so. Which means the ascent of Web ads may slow down, just a bit, as the industry figures out just how many humans it will take to fight the problem.
Comments
the Times sold ad space to an unknown entity and got burned. Vonage (or similar mass marketers) put ad offers in affiliate programs that are easy for rogue “agencies” to pick up. Armed with these Vonage ads they purchase space, dirt cheap, from publishers and distribute their malware/spyware.
These situations are not to hard for vigilant publishers to protect against. Don’t sell really cheap deals to unknown entities. Don’t fall for offers of pre-payment to assuage concerns. Sales managers and ad ops folks can easily set procedures to snare these attempts.
Posted by Eric Bingham at October 13th, 2009 at 6:09 amI feel the need again to be the designated crank about these reports that the Times was “attacked by hackers.” I think we all know what image this conjures up, but it’s not what actually happened in this case. The Times ran a bogus ad, sure, but they were not “attacked by hackers” — the ad was a redirect to another server hosting the actual malware. They were the attacked/hacked party. Nobody wants to talk about that, for reasons which continue to mystify me.
Posted by Mitch Stone at October 13th, 2009 at 10:38 amMalware in ads could be avoided by 3rd party software scanning like ClickFacts. No need for more head count.
See CNET article September 15, 2009 “Ads–the new malware delivery format”
http://news.cnet.com/8301-2708.....2-245.html
ClickFacts is a Risk Discovery company that enables Advertising Networks, Publishers and Advertisers to dramatically reduce the potential of delivering malicious code or inappropriate content to consumers of web advertising.
Posted by Michael Caruso at October 20th, 2009 at 12:20 pm