Malvertising is cheap, effective, difficult to combat and, unfortunately for internet users, on the rise.
It is now routinely used by cyber criminals to inject malware into unwitting computer systems and cause havoc by exploiting flaws in popular software such as Adobe Flash, as Jérôme Segura, senior security researcher at Malwarebytes, explains.
"Malvertising is an effective and very profitable infection vector and it gives [cyber criminals] the ability to target millions of people in a few minutes," he said.
"Flash is a very popular platform which has suffered from many exploits and zero-days so it is a piece of software that is using in drive-by download attacks. It just so happens that Flash is also heavily used by the advertising industry because it provides dynamic content.
"So if you take the mix of software that has suffered a lot of zero-day exploits and the fact that most ads are built with Flash you have something really potent and really dangerous."
Furthermore, the nature of real-time ad displays on most websites also plays in the criminals' hands.
"The ads you are seeing when browsing the web are displayed in real-time based on your profile. When you load up a page it checks cookies and checks IP addresses and within milliseconds what you are seeing in the background is an auction process," Segura explained during a recent media roundtable in London.
"The problem is sellers don't really know who the buyers are. They don't really control it either. It's complex but real time bidding brings opportunistic attacks and the ability for criminals to really target who they are going after. With complexity it becomes harder to track the offenders."
"There are malicious actors exploiting the system and they are getting away with it."
- Jérôme Segura
Advertising networks are not set up in a way to easily combat malvertising threats. Indeed, it is quite the opposite. Instead these networks are locked in a race to the bottom by lowering prices, lowering authentication and, as a result, increasing the risk of exploitation.
"Unfortunately, it's the nature of the business," said Segura.
"It shouldn't be that easy to register to ad platforms. They should need more information, like phone numbers. But it's one of the downsides of automation that [users] want everything fast and the platform to be accessible. It's too easy to sign up, there are not enough barriers - you are going to have malicious actors."
He added: "There are malicious actors exploiting the system and they are getting away with it."
Not only are cyber criminals getting off with malware-based crime, it has become a lucrative business.
"In some cases, advertisers can start an account with only $5 and can also start a campaign within 10 minutes. This is a great example of why we have problems in the ad industry right now," he explained.
"On average the cost of 1,000 impressions was only $0.75 and with $5 criminals are able to expose over 6,000 people to malware within a few seconds. Obviously many have more than $5 so you can extrapolate and see the potential impact.
"The way these companies let pretty much anybody come in with no specific budget with very little scrutiny over who the advertisers are."
Given all this, it's no surprise malvertising has become so popular.
"If I was a criminal, which I'm not, it's the way I would get in. I would mass deliver malware," says Malwarebytes CEO Marcin Kleczynski.
"I would mass deliver malware using malvertising against as many people as I can, steal credentials from as many people as I can, and then see what did I catch? Did I see someone from a bank? Did I see somebody from a big company that's interesting to me?
"It's such a cost effective and easy way to mine data and discard the credentials which are not important to you."
The rise of ad-blocking software
But web users do have a new tool to defend themselves - ad blocking software.
As online threats and malware increase so too does the popularity of ad-blocking software. Trend Micro has predicted it will shape the threat landscape of 2016.
"The growing aversion of online users to unwanted ads, combined with the spike in malvertising attacks seen throughout the 2015, have given vendors reason to push ad-blocking options in their products and services," the firm said in a recent research paper.
"Users are no longer just 'annoyed' by unwanted ads, they are fully aware of the kind of risks these pose."
Additionally, according to separate research from ad-block firm PageFair, use of ad blockers in the UK increased by 82 percent in the past year alone, now being used by 12 million active internet users in Q2 2015.
"As more people become aware of the dangers of malvertising, they will start to take precautions - such as making sure their browser setup is safe, making sure that if Flash is used then it is patched and likewise with anti-malware engines on their devices," Bharat Mistry, cyber security expert at Trend Micro, told V3.
Interestingly, Mistry believes that another way to combat the threat would be to create a separate body that would have the power to monitor online advertising applications.
"One way to combat this is if the advertisements could have their reputation checked by an independent organisation or body similar to the way BlackBerry provide the Guardian service for application analysis before publishing on the BlackBerry store," he told V3.
"This would force the ad creators to also register with the ad vetting organisation - which turn would not only provide reputation analysis or the Ad but also the creator. This is something that on-line ad networks would have to enforce and regulate."
Malware and the law
However, this is no easy answer in sight, especially when tackling those responsible for spewing out malware via ads is so tough.
Mark Taylor, partner at international law firm Osborne Clarke, argues that the situation is made complicated by the typical problems associated with the internet - it is notoriously difficult to police.
"As with many areas in relation to technology the law is in some ways struggling to catch up," he said.
On the spike in malvertising, Taylor admits there is some confusion over who is liable for such an attack.
"Who is responsible? Is it the final website that publishes the advertising, is it the ad networks and there isn't a simply or straightforward answer to that? It's a case of deconstructing how the chain serving the ad has been put together," he said.
A number of laws exist that are used to help prosecute digital threats, including the recently enacted Consumer Rights Act 2015 and the old faithful Computer Misuse Act 1990.
"On the criminal side it's straightforward in terms of fixing criminal liability on the ultimate perpetrator," said Taylor.
"The Computer Misuse Act has been around for many years, it may be a much criticised bit of legislation and it may struggle to keep up occasionally but I don't think there is any doubt that the person who is serving the malvertising would be guilty of offences under section one and section three."
However Taylor notes that, as is often the case when dealing with internet-based threats, criminals are often either hidden from view or completely out of reach.
"Of course you have got the usual problem with criminal offences of actually laying your hands on the perpetrators and while the idea that somebody is criminally responsible looks good, experience since the Act has been in force shows there's actually very few prosecutions under it," he noted.
In the future Malwarebytes CEO Marcin Kleczynski believes a number of changes need to happen in order to effectively combat malvertising.
"Antivirus is no longer enough. There needs to be additional software that can protect the user whether its password management, ad blocking, anti-exploit or anti-malware," he explained.
"There needs to be an assumption of breach especially at an enterprise level. At this point it's pretty foolish to think there is any security solution out there that is 100 percent and being able to respond quickly [to attacks] is more important than ever.
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance