Internet Security Systems - AlertCon(TM)

Infected Advertising - Wrongful Delegation of Malware Responsibility

Posted by Gunter Ollmann on December 04, 2008 at 3:26 PM EST.

This is going to be one of those blogs that I suspect I shouldn’t really post because it’ll sound more like a rant and the people at fault will never see it anyway but – too late – I’ve done it now.

I’ve actually been waiting it out to see if anyone else was similarly baited by the recent disclosure of another well-known Web site serving up malicious content through an infected advertising provider.

Earlier this week one of the more popular print/cyber newspapers on the Internet was found to be serving their readers malware through an infected online advertising provider. According to The Register, the third-party advertising company was serving up a stream of infected content – with Sophos confirming one sample as being a strain of the Mario family of worms.

OK, so this attack vector isn’t particularly new – in fact I remember writing about it way back in 2001 and it’s even referenced in part of my whitepaper about phishing attack vectors (see The Phishing Guide).

But the thing that’s compelled me to raise the topic now isn’t about the website itself (it's not the first, and it won't be the last to fall victim to this threat), it's more about some of the comments made in the story. In particular the following quote:

"Websites shouldn't be expected to check all adverts they serve up, it's not practical. The third-party ad network is more responsible for checking advertising links,"

I’m sorry, but I disagree with that statement on several levels. Why? Here’s a short list:

  1. Any website that serves malware to its customers, doesn’t get a “get out of jail” card just because the content was provided by a third-party. If I’m visiting a Website, the fact that the advertising pummeling my poor bleeding eyes is being supplied by some other agency doesn’t matter to me – not in the slightest. Look at it this way – if I’ve visited your site, then anything that renders inside my browser during that visit that was designed to look to be part of your website is part of the sites content – as far as I’m concerned, it’s your content – after all, you’re the one looking to make money from the material being served.
  2. Regardless of whether you think it’s practical or not to inspect all content being rendered to viewers of a site, I believe you’re responsible for that content regardless, and need to do your best to check and make safe that content. In actuality, it is perfectly feasible to inspect this type of third-party content – the technologies exist (in fact I’d be happy to hook you up with some sales guys I happen to know that would be only too pleased to show anyone the portfolio of products and technologies IBM offers that can provide the necessary functionality) – but there may be changes for some organizations in the way they stream advertising content to hapless visitors.
  3. Yes, the third-party network is responsible for the malicious content they provide. Not to me, but to the organization they’re supplying the services to. The contract exists between the website owner and the third-party provider – so I hope that the organization behind the website has ensured their negotiated SLA’s provide appropriate compensation and liability clauses. For myself, as a visitor to the website, I’ll have placed my trust in the Website owners and their content – so my “contract” is with them, and they’re the ones defaulting in this type of case.

Does that make sense? Let me try to explain by way of an example. Consider a fictional grocery chain called “SuperduperFoods” that has its own home-labeled baked-beans. Down the bean isle I see cans of baked beans from various name brands, but the can I choose to buy is the “SuperduperFoods Baked Beans” one. I take that can home, have it for dinner, and awaken in hospital a few days later after having survived a near death E.coli food-poisoning experience.

Who takes the blame? Sure, it’s not as if SuperduperFoods has its own factory specializing in baked beans – they rely upon a third-party to cook and can their beans. But it’s their label on the can, and they’re the ones that sold the baked beans to me. While I’m not a legal professional, as far as I’m concerned SuperduperFoods is liable for the food poisoning – and they’re certainly the folks I’d be banging on the door and laying blame.

So why is it so different in the cyber world when a website serves up a “trusted suppliers” malicious content and presents as their own? Just as SuperduperFoods is required to check, inspect, validate and secure the integrity of their food supply chain, the expectation is that a website owner needs to assure the content they provide to their customers to a similar level.

And then, to end the story there’s another quote:

"End users need to protect themselves against threats, however they arise,"

Yes, end users need to protect themselves against the myriad of threats out there – but the website owners have no right to delegate that responsibility down to their customers. Should SuperduperFoods insist that customers purchase a pet that can be used to sample any foods being sold prior to consumption for their own safety? Yeah, I didn’t think so either.


BTW apologies to the poor guy that got nailed for giving those quotes – you’re not the first person to propose them – it’s an excuse that’s been made multiple times in the past for poor Web security and third-party service integration.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.