Web publishers are potential targets for malware authors attempting to spread their software by hiding malicious code within an ad's SWF (Flash) file, GIF file or landing page. If an advertiser or agency provides you with an infected ad, your computer and personal information—and that of your site's visitors—can be exposed to serious harm. We recommend the following measures to help you protect your inventory and your site's users.
CAUTION: Viewing an infected ad while investigating it can put your computer at risk. Below, we suggest using alternate means that can help you review potentially malicious ads more safely.
1) Pay close attention to all agencies and advertisers with whom you work
Perform due diligence by thoroughly checking prospective partners' references and credentials
Educate your team to recognize suspicious behaviors
- Research the domains of ads' clickthrough URLs, as well as the domains for advertisers' and agencies' companies, before allowing their content onto your site or network. Use the Malvertising Research Engine to conduct quick background checks on prospective partners and their domains. If a partner or domain you're researching appears in a search result there, we recommend you take a much closer look at the agency, advertiser or network in question before accepting their ad.
- Use WHOIS data (available at sites such as DomainTools.com) to research the domains of advertisers and agencies before allowing their content onto your site. Exercise extra scrutiny with domains that exhibit any of the following characteristics:
- Domain was registered recently
- Site is hosted out of a different country than where the company itself is based
- Domain registrant's name and contact info are hidden behind a privacy company or use a false address
- Unusual registrant details, such as the following:
- Contact email address doesn’t match domain (e.g. @gmail, @yahoo etc. instead of @domain)
- Registrant has an unexpectedly high number of domain registrations (e.g. there are 5 domains at the same IP but the registrant's email address has been used for 20, 30, or more domains)
- Reverse-IP-lookup shows suspicious-looking domains hosted on the same IP address (same applies to authoritative name server)
- Reverse-IP-lookup shows unrelated domains hosted on the same IP address (e.g. domains pertaining to clothing brands and prescription drugs hosted on one IP address—and the same applies to authoritative name server)
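The WHOIS and reverse-IP checklist above can be applied mechanically to records you have already looked up. The following is an added example, not code from the original page; the record field names and the 90-day cut-off for "recently" are assumptions, and both sample records are constructed.

```python
from datetime import date

RECENT_DAYS = 90         # assumption: the page gives no cut-off for "recently"
MANY_REGISTRATIONS = 20  # from the page's example of 20, 30, or more domains

def whois_red_flags(rec: dict, today: date) -> list[str]:
    """Return the checklist items tripped by one parsed WHOIS/reverse-IP record."""
    flags = []
    if (today - rec["created"]).days < RECENT_DAYS:
        flags.append("recently registered")
    if rec["hosting_country"] != rec["company_country"]:
        flags.append("hosted outside the company's country")
    if rec["privacy_protected"]:
        flags.append("registrant hidden behind a privacy service")
    email_domain = (rec.get("registrant_email") or "").rsplit("@", 1)[-1].lower()
    if email_domain != rec["domain"].lower():
        flags.append("contact email does not match domain")
    on_ip = rec["domains_on_same_ip"]  # list of (domain, business category)
    count = rec["registrant_domain_count"]
    if count >= MANY_REGISTRATIONS and count > len(on_ip):
        flags.append("registrant email used for many more domains than share the IP")
    if len({category for _, category in on_ip}) > 1:
        flags.append("unrelated domains share the IP")
    return flags

# Constructed sample records (hypothetical field names, reserved example domains).
SUSPECT = {
    "domain": "brand-deals.example", "created": date(2024, 5, 20),
    "hosting_country": "NL", "company_country": "US", "privacy_protected": False,
    "registrant_email": "sales.brand@gmail.com", "registrant_domain_count": 30,
    "domains_on_same_ip": [("brand-deals.example", "clothing"),
                           ("cheap-pills.example", "pharmacy")],
}
ESTABLISHED = {
    "domain": "agency.example", "created": date(2012, 3, 1),
    "hosting_country": "US", "company_country": "US", "privacy_protected": False,
    "registrant_email": "hostmaster@agency.example", "registrant_domain_count": 3,
    "domains_on_same_ip": [("agency.example", "agency"),
                           ("cdn.agency.example", "agency")],
}

if __name__ == "__main__":
    for rec in (SUSPECT, ESTABLISHED):
        print(rec["domain"], whois_red_flags(rec, date(2024, 6, 1)))
```

A flagged record is a prompt for the closer look the checklist asks for, not a verdict; the business categories for co-hosted domains have to be assigned by a reviewer.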
Educate your sales team to be especially wary of relatively new clients who place last-minute orders or request to pay by credit card or wire transfer rather than through invoicing. Always check to confirm that prospective partners' contact information matches their billing information.
Be wary of advertisers who contact your team at unusual hours (inconsistent with the time zone of the location specified in their
- Exercise particular caution at the end of the work-week and before holidays, since malicious parties will often attempt to launch a malicious ad when they expect fewer teams to be on-call to identify and disable it promptly.
Consider instituting policy changes that could help protect your site
- Consider requiring new customers to pre-pay in full for smaller orders (under several thousand dollars) and provide a significant down payment for larger orders. In some malvertising attempts the malicious party will fail to pay their bill, and requiring payment up-front can make your site a less attractive target.
2) Perform comprehensive QA on all ad creatives
3) Protect your own computer and website from infection
- Instead of navigating directly to an HTML ad's URL to see if it appears suspicious, investigate the URL's domain by examining its WHOIS information (available at sites such as DomainTools.com).
- Don't open a .swf file yourself; use a protected system such as Wepawet to check it.
- Carefully inspect all iframes and redirects, which are sometimes used to distribute malicious code. The domains associated with any creatives containing iframes should be researched especially carefully. Additionally, since a third party controls the content of the iframe, it may be harmless to start with and become malicious at some point in the future at the discretion of the third party. You can learn more about the risks associated with iframes and multiple redirects at http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html.
- Visit sites such as http://wepawet.iseclab.org/ and http://www.adopstools.net to scan Flash. (Keep in mind that Google has no connection with these sites or scanning tools and cannot guarantee their effectiveness.)
- Test each core creative and all files the creative’s code invokes. Use an SWF-to-XML converter (for example, http://www.jswiff.com/demos/swf2xml.jsp) to detect references made from each SWF file. If the converter fails with an error, treat the creative with suspicion.
- Treat any creative that contains encrypted code with suspicion.
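To list the references an SWF makes without opening it in a player, the file can be read as bytes, unpacked and searched for URL strings. This is an added example, not a tool named on the page; it follows the same rule as the converter step above (a file that fails to parse is itself suspicious), and the sample file is constructed.

```python
import re
import struct
import zlib

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable ASCII run after the scheme

def swf_references(data: bytes) -> list[str]:
    """Return plain-text URLs found in an SWF without executing it.

    Raises ValueError when the file cannot be parsed, which the checklist
    treats as a reason for suspicion in its own right.
    """
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an uncompressed (FWS) or zlib (CWS) SWF")
    declared_len = struct.unpack("<I", data[4:8])[0]  # length after decompression
    body = data[8:]
    if data[:3] == b"CWS":
        try:
            body = zlib.decompress(body)
        except zlib.error as exc:
            raise ValueError(f"compressed body is corrupt: {exc}") from exc
    if declared_len != len(body) + 8:
        raise ValueError("header length does not match file contents")
    return sorted({m.decode("ascii") for m in URL_RE.findall(body)})

def triage_swf(data: bytes) -> tuple[str, list[str]]:
    """Return ('research', urls) for a parsable file or ('suspicious', [reason])."""
    try:
        return "research", swf_references(data)
    except ValueError as exc:
        return "suspicious", [str(exc)]

def make_sample_swf() -> bytes:
    """Constructed sample: valid 8-byte header, body is filler plus two URL strings."""
    body = (b"\x00" * 16 + b"http://ads.example.test/creative.swf\x00"
            + b"\x96\x02\x00" + b"http://cdn.example.test/redirect?id=1\x00")
    return b"CWS" + bytes([9]) + struct.pack("<I", len(body) + 8) + zlib.compress(body)

if __name__ == "__main__":
    sample = make_sample_swf()
    print(triage_swf(sample))
    print(triage_swf(sample[:-6]))  # truncated file -> suspicious
```

A string scan only finds URLs stored as plain text; a creative that assembles or decodes its destinations at run time shows few or none, which is the "encrypted code" case the last item says to treat with suspicion.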
4) Require all partners to uphold safe standards
5) Learn more about malvertising
Be aware that various ad networks and exchanges may have significantly different standards for the prevention and detection of malware. No automatic detection system, however robust, can substitute for your own vigilance. However, we strongly advise against exposing your site to harm by using networks or exchanges without strong anti-malware security measures in place.
Require all ad networks and ad exchanges with which you work to take affirmative steps to prevent the spread of malware within their systems. For example, if an ad network or ad exchange allows you to control which advertisers and agencies can purchase your inventory, take advantage of this ability.