Tips For Publishers

All web publishers are potential targets for malware authors attempting to spread their software by hiding malicious code within an ad's SWF (Flash) file, GIF file or landing page. If an advertiser or agency provides you with an infected ad, your computer and personal information—and that of your site's visitors—can be exposed to serious harm. We recommend the following measures to help you protect your inventory and your site's users.

CAUTION: Viewing an infected ad while investigating it can put your own computer at risk. Below we suggest indirect means that let you review potentially malicious ads more safely, without loading them.

1) Pay close attention to all agencies and advertisers with whom you work

Perform due diligence by thoroughly checking prospective partners' references and credentials
  • Research the domains of ads' clickthrough URLs, as well as the domains for advertisers' and agencies' companies, before allowing their content onto your site or network. Use the Malvertising Research Engine to conduct quick background checks on prospective partners and their domains. If a partner or domain you're researching appears in a search result there, we recommend you take a much closer look at the agency, advertiser or network in question before accepting their ad.
  • Use WHOIS data (available at sites such as DomainTools.com) to research the domains of advertisers and agencies before allowing their content onto your site. Exercise extra scrutiny with domains that exhibit any of the following characteristics:
    • Domain was registered recently
    • Site is hosted out of a different country than where the company itself is based
    • Domain registrant's name and contact info is hidden behind a privacy company or uses a false address
    • Unusual registrant details, such as the following:
      • Contact email address doesn’t match domain (e.g. @gmail, @yahoo etc. instead of @domain)
      • Registrant has an unexpectedly high number of domain registrations (e.g. 5 domains share the same IP address, but the registrant's email address has been used to register 20, 30 or more domains)
      • Reverse-IP lookup shows suspicious-looking domains hosted on the same IP address (the same applies to the authoritative name server)
      • Reverse-IP lookup shows unrelated domains hosted on the same IP address (e.g. domains for clothing brands and prescription drugs on one IP address; again, the same applies to the authoritative name server)
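The WHOIS and reverse-IP checks listed above can be turned into a repeatable screen that a sales or ad-ops team runs before accepting a new partner. The script below is an added example and is not a tool from this page or from Google: the two WHOIS records and the reverse-IP neighbour lists are constructed for illustration, and the thresholds (180 days for "recently registered", 20 domains for "unexpectedly high"), the free-mail list and the risky-word list are assumptions you would tune for your own inventory.

```python
"""Heuristic screen of a prospective advertiser's domain from its WHOIS
record and reverse-IP neighbours. Added example; records are constructed,
thresholds and word lists are assumptions."""
from datetime import date

# Constructed WHOIS-style records. In practice these fields come from a
# WHOIS service such as DomainTools and a reverse-IP lookup.
WHOIS = {
    "reputable-brand.com": {
        "created": date(2004, 3, 12),
        "registrant_email": "domains@reputable-brand.com",
        "registrant_privacy_proxy": False,
        "registrant_domain_count": 6,
        "hosting_country": "US",
        "company_country": "US",
    },
    "best-deals-now.info": {
        "created": date(2010, 11, 28),
        "registrant_email": "jsmith1983@gmail.com",
        "registrant_privacy_proxy": True,
        "registrant_domain_count": 34,
        "hosting_country": "RU",
        "company_country": "US",
    },
}
# Constructed reverse-IP results: other domains on the same hosting IP.
REVERSE_IP = {
    "reputable-brand.com": ["reputable-brand.net", "reputable-brand-cdn.com"],
    "best-deals-now.info": ["cheap-pills-express.biz",
                            "designer-jeans-outlet.com",
                            "free-casino-bonus.net"],
}

NEW_DOMAIN_DAYS = 180   # assumption: what counts as "registered recently"
MANY_DOMAINS = 20       # the page's "20, 30 or more" figure
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru"}
RISKY_WORDS = ("pills", "pharma", "casino", "warez", "crack")  # assumption


def screen_domain(domain, today=date(2010, 12, 10),
                  whois=WHOIS, reverse_ip=REVERSE_IP):
    """Return the list of red flags raised for `domain` (empty = clean)."""
    rec = whois[domain]
    flags = []

    age_days = (today - rec["created"]).days
    if age_days < NEW_DOMAIN_DAYS:
        flags.append(f"domain registered only {age_days} days ago")

    if rec["hosting_country"] != rec["company_country"]:
        flags.append(f"hosted in {rec['hosting_country']} but the company "
                     f"is based in {rec['company_country']}")

    if rec["registrant_privacy_proxy"]:
        flags.append("registrant details hidden behind a privacy proxy")

    # Contact address should be on the advertiser's own domain.
    email_domain = rec["registrant_email"].rsplit("@", 1)[-1].lower()
    if email_domain != domain:
        kind = "free-mail" if email_domain in FREEMAIL else "third-party"
        flags.append(f"contact email on {kind} domain {email_domain}")

    if rec["registrant_domain_count"] >= MANY_DOMAINS:
        flags.append(f"registrant email used for "
                     f"{rec['registrant_domain_count']} domains")

    # Who else lives on the same IP: suspicious names, or simply unrelated ones.
    neighbours = reverse_ip[domain]
    risky = [n for n in neighbours if any(w in n for w in RISKY_WORDS)]
    if risky:
        flags.append(f"same-IP neighbours look suspicious: {', '.join(risky)}")
    brand = domain.split(".")[0]
    unrelated = [n for n in neighbours if brand not in n]
    if len(unrelated) >= 2:
        flags.append(f"unrelated domains share the IP: {', '.join(unrelated)}")

    return flags


def verdict(domain, **kw):
    """Map the number of flags to an action for the ad-ops team."""
    n = len(screen_domain(domain, **kw))
    return "accept" if n == 0 else ("review" if n <= 2 else "escalate")
```

Any single flag can have an innocent explanation (plenty of legitimate small businesses use a free-mail contact address), which is why the verdict is driven by the count and "escalate" still means a closer human look rather than automatic rejection.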
Educate your team to recognize suspicious behaviors
  • Remind your sales team to be especially wary of relatively new clients who place last-minute orders or request to pay by credit card or wire transfer rather than through invoicing. Always check to confirm that prospective partners' contact information matches their billing information.
  • Be wary of advertisers who contact your team at unusual hours (inconsistent with the time zone of the location specified in their contact information).
  • Exercise particular caution at the end of the work-week and before holidays, since malicious parties will often attempt to launch a malicious ad when they expect fewer teams to be on-call to identify and disable it promptly. 
Consider instituting policy changes that could help protect your site
  • Consider requiring new customers to pre-pay in full for smaller orders (under several thousand dollars) and provide a significant down payment for larger orders. In some malvertising attempts the malicious party will fail to pay their bill, and requiring payment up-front can make your site a less attractive target. 
2) Perform comprehensive QA on all ad creatives
  • Instead of navigating directly to an HTML ad's URL to see if it appears suspicious, investigate the URL's domain by examining its WHOIS information (available at sites such as DomainTools.com).
  • Don't open a .swf file yourself; use a protected system such as Wepawet to check it.
  • Carefully inspect all iframes and redirects, which are sometimes used to distribute malicious code. The domains associated with any creatives containing iframes should be researched especially carefully. Additionally, since a 3rd party controls the content of the iframe, it may be harmless to start with and become malicious at some point in the future at the discretion of the 3rd party. You can learn more about the risks associated with iframes and multiple redirects at http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html.
  • Visit sites such as http://wepawet.iseclab.org/ and http://www.adopstools.net to scan Flash, JavaScript, and PDF files before allowing them to run. (Please keep in mind that Google has no connection with these sites or scanning tools and cannot guarantee their effectiveness.) 
  • Test each core creative and all files the creative’s code invokes. Use an SWF-to-XML converter (for example, http://www.jswiff.com/demos/swf2xml.jsp) to detect references made from each SWF file. If the converter fails with an error, treat the creative with suspicion.
  • Treat any creative that contains obfuscated or encrypted code (for example, ActionScript or JavaScript that decodes and executes itself at runtime) with suspicion.
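The QA steps above amount to examining a creative's source offline instead of loading it: listing every off-site iframe, script include and redirect in an HTML creative, flagging self-decoding script, and, for a SWF, validating the container and extracting the references it carries before any converter or scanner is trusted. The script below is an added example and is not code from this page, from Google or from the Wepawet, AdOpsTools or JSwiff tools it mentions. The sample HTML creative and the SWF bytes are constructed (the SWF body is a stand-in for real tag data, since only strings are scanned), the hostnames are invented, and the list of ActionScript APIs treated as noteworthy is an assumption.

```python
"""Offline QA of an ad creative: third-party origins and redirects in HTML,
container validation and reference extraction for SWF. Added example; the
samples are constructed and the SWF API list is an assumption."""
import re
import struct
import zlib
from urllib.parse import urlparse

# Constructs that load from, or send the user to, another origin (URL captured).
URL_SOURCES = {
    "iframe": re.compile(r"<iframe[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.I),
    "script": re.compile(r"<script[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.I),
    "clickthrough": re.compile(r"<a[^>]*\shref=[\"']?([^\"'\s>]+)", re.I),
    "meta-refresh": re.compile(
        r"<meta[^>]*http-equiv=[\"']?refresh[^>]*url=([^\"'\s>]+)", re.I),
    "js-redirect": re.compile(
        r"\b(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I),
}
# Inline script that decodes itself at runtime ("encrypted" code).
OBFUSCATION = re.compile(r"\beval\(|\bunescape\(|String\.fromCharCode", re.I)
# ActionScript entry points that fetch or execute content (assumed list).
SWF_APIS = (b"getURL", b"navigateToURL", b"loadMovie", b"LoadVars",
            b"ExternalInterface", b"loadBytes", b"URLLoader")


def same_site(host, advertiser_domain):
    return host == advertiser_domain or host.endswith("." + advertiser_domain)


def audit_html_creative(html, advertiser_domain):
    """Return (kind, detail) findings: every off-site origin the creative
    touches, plus any self-decoding script."""
    findings = []
    for kind, rx in URL_SOURCES.items():
        for url in rx.findall(html):
            host = urlparse(url).hostname  # None for a relative URL
            if host and not same_site(host, advertiser_domain):
                if (kind, host) not in findings:
                    findings.append((kind, host))
    for hit in OBFUSCATION.findall(html):
        if ("obfuscation", hit) not in findings:
            findings.append(("obfuscation", hit))
    return findings


def audit_swf(data):
    """Validate the SWF container and list hosts and APIs it references.
    Returns (ok, findings); ok=False means the file is malformed, which the
    guidance above treats as grounds for suspicion in its own right."""
    if len(data) < 8:
        return False, [("error", "truncated header")]
    sig, declared = data[:3], struct.unpack("<I", data[4:8])[0]
    if sig not in (b"FWS", b"CWS"):
        return False, [("error", f"bad signature {sig!r}")]
    try:  # CWS: everything after the 8-byte header is zlib-compressed
        body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    except zlib.error as exc:
        return False, [("error", f"decompression failed: {exc}")]
    if 8 + len(body) != declared:  # length field covers the uncompressed file
        return False, [("error", f"header says {declared} bytes, got {8 + len(body)}")]
    findings = []
    for url in sorted(set(re.findall(rb"https?://[^\x00\s\"'<>]+", body))):
        findings.append(("url", urlparse(url.decode("latin-1")).hostname))
    findings += [("api", m.decode()) for m in SWF_APIS if m in body]
    return True, findings


# ---- constructed samples (invented hostnames) -----------------------------
HTML_CREATIVE = """<div id="ad">
  <a href="http://www.reputable-brand.com/spring-sale"><img src="banner.gif"></a>
  <script src="http://cdn.reputable-brand.com/ad.js"></script>
  <iframe src="http://tracker.best-deals-now.info/pixel.html" width="1" height="1"></iframe>
  <meta http-equiv="refresh" content="5;url=http://landing.best-deals-now.info/expired">
  <script>if (/MSIE 6/.test(navigator.userAgent)) location.href = "http://landing.best-deals-now.info/go";</script>
  <script>document.write(unescape("%3Cscript%20src%3D%22http%3A//x.best-deals-now.info/a.js%22%3E"));</script>
</div>"""


def build_swf(body, compressed=True):
    """Wrap a body in a SWF header (version 10); CWS bodies are zlib-compressed."""
    total = struct.pack("<I", 8 + len(body))
    return (b"CWS\x0a" + total + zlib.compress(body) if compressed
            else b"FWS\x0a" + total + body)

# Stand-in for tag data: a 550x400 RECT, 12 fps, 1 frame, then the kind of
# strings a reference extractor finds inside DoAction/DoABC tags.
SWF_BODY = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
            b"getURL\x00http://landing.best-deals-now.info/go\x00loadBytes\x00")
GOOD_SWF = build_swf(SWF_BODY)
BAD_SWF = b"FWS\x0a" + struct.pack("<I", 9999) + SWF_BODY  # length field lies
```

Run `audit_html_creative(HTML_CREATIVE, "reputable-brand.com")` and the CDN script include on the advertiser's own domain is ignored while the tracking iframe, both redirects to a second domain and the `unescape(` decoder are reported; each reported host is then a candidate for the WHOIS checks in section 1. `audit_swf` refuses the file whose header length does not match its contents, or whose zlib stream is truncated, the same way the page tells you to treat a converter error. A `loadBytes` hit deserves special attention: it is how one SWF unpacks and runs another SWF hidden inside it.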
3)  Protect your own computer and website from infection
4) Require all partners to uphold safe standards
  • Be aware that ad networks and exchanges differ significantly in their standards for preventing and detecting malware. No automatic detection system, however robust, can substitute for your own vigilance, but we nonetheless strongly advise against exposing your site to harm by using networks or exchanges that lack strong anti-malware measures.
  • Require all ad networks and ad exchanges with which you work to take affirmative steps to prevent the spread of malware within their systems. For example, if an ad network or ad exchange allows you to control which advertisers and agencies can purchase your inventory, take advantage of this ability. 
5)  Learn more about malvertising