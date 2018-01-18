Over the past couple of weeks, internet users have been complaining of a new wave of hard-to-close, misleading, and malicious ads popping across websites big and small. Some of the ads even make it impossible for people to read news and other content by redirecting browsers to spammy sites or popping up mobile app store pages for undesired software.

Just got this weird pop up (the URL changed to what you see in the pic) while reading a NYT article via way of a tweet. pic.twitter.com/XGdM8tXl1s — Josh Sternberg (@joshsternberg) January 5, 2018

It’s exciting to see every major media outlet covering this same important story on their mobile websites. pic.twitter.com/keXPRSLgpv — Chai — If I Ever Fall In Love (@anildash) January 7, 2018

Many social media posts lamented that even top-tier publishers like The New York Times and The Atlantic were willing to run such intrusive ads on their sites. But experts say the problem isn’t with lack of discernment on the part of site publishers but with an extremely complex online advertising system that makes it hard for publishers involved to detect, let alone weed out, misleading and malware-laden ads.

Malvertising, as it’s sometimes called, isn’t new. The first recorded sighting of a malware-loaded ad, in late 2007 or early 2008, stemmed from a vulnerability in Adobe Flash, and affected a number of platforms including MySpace, Excite, and Rhapsody. In 2012, the Online Trust Alliance, an industry group, estimated nearly 10 billion ad impressions were compromised by malicious ads. But those in the digital ad industry say the problem has been rapidly growing worse.

“Over the past two years, we have seen the amount of malware and mobile redirects, which might lead to malware, roughly double in the digital ad ecosystem,” says Chris Olson, CEO of The Media Trust, a McLean, Virginia company that provides security services to ad providers and online publishers.

Unlike in print or broadcast media, where advertisers and agencies that represent them can submit ads directly to publishers for review, online ad space is typically bought and sold through complex systems of intermediaries and exchanges. Advertisers and their representatives programmatically bid in real time for the rights to show ads to particular users, and those ads include custom JavaScript code that runs in users’ browsers. The exact content users see depends on who they are, where they are, what kinds of devices they’re running and other characteristics, making it difficult for publishers and ad networks to conclusively review every version of an ad for malicious content.

“It allows them to precisely target users at scale, so they can precisely target users who have unpatched operating systems or browsers,” says John Murphy, VP of marketplace quality at Pasadena adtech company OpenX. “They can also target individual devices, and this also makes it very difficult to detect, because even if we do a high level scanning on our side to ensure that the creatives are clean, unless we come up with the exact combination of characteristics they’re targeting, we’re not going to see the behavior.”

And experts say the problem traditionally gets worse around the year-end holidays, when the number of online ads skyrockets just as the people able to review security issues at ad networks and publishers are on vacation or occupied with other matters.