U.S. Markets open in 6 hrs 5 mins

How to stop rogue ads that can set you up for malware

Rob Pegoraro
Contributing Editor
Forced-redirect ads are not only a nuisance, they can also harm your computer, smartphone or bank account.

Of all the advertising-inflicted annoyances on the web, the “forced redirect” ad most deserves to be shot into the sun.

As you’re reading a page an ad bumps your content aside with an obviously fraudulent pitch — maybe a phony claim that your computer has been hit with a virus, maybe a fictitious offer of a free gift card — and takes over your browser’s address bar.

Clicking or tapping the back button doesn’t get you away from the pestilential ad, because it already sent your browser through a loop of page reloads. Your only recourse is closing the entire tab — or, if this happened as you read something shared on a social network’s mobile app, quitting the entire program. What’s more, these ads can lead you to download malware or trap you in a financial scam.

“These are the bottom of the bottom,” said Jason Kint, CEO of Digital Content Next, an online-publishing group that has been campaigning against fraudulent and deceptive ads.

And while everybody hates the way these ads attack our ability to read the things we want online, they persist with cockroach-like tenacity. For that, you can blame a malfunctioning ad market and software defenses that have yet to catch up.

But they’ll soon get some help.

Business model of a nuisance

Forced-redirect ads reach you in the same way those “Around the web” ads show up at the bottom of sites you visit. Automated exchanges match up advertisers with available spots on pages in real time.

Such “programmatic” ad networks are supposed to let advertisers meet potential customers–as determined by tracking your activity on web pages–at the lowest possible cost and with minimal human involvement. When it works, these networks put ads in front of you that match your interests.

But con artists have been exploiting these automated systems for years, and especially malevolent ones can exploit JavaScript coding to take over a page in your browser by forcing a “redirect” to another page.

“Third-party ad networks with lots of dynamic bidding […] require constant attention from publishers to keep out scam ads that run arbitrary JavaScript,” explained Ryan Singel, CEO of Contextly, a developer of web-publishing tools. “You’d think the ad networks would do this filtering but they don’t do a thorough job.”

Another example of a popular style of forced-redirect ads.

That’s because ad networks can still make money off of these obnoxious ads.

Exploiting programmatic ads and web coding like this lets a crook get one of the usual scams that much closer to a target. “The bad guys use them to do attribution fraud, phishing scams, exploit kits and a variety of more edge type of attacks,” said Louis-David Mangin, CEO of the ad-security firm Confiant.

Fighting back at multiple levels

The traditional approach of reporting sketchy content to a site’s owner — see, for instance, the 46 pages of posts flagging ”Disruptive Ads” on the popular travel site FlyerTalk, or the frustration publishers voice on Reddit’s AdOps subreddit — doesn’t work well when there are so many scammers who can cloak their identities so easily.

One answer is smarter screening of programmatic ads to catch the con jobs. Confiant, for example, offers an ad-industry equivalent of malware protection; Mangin said his company’s system can catch and stop a hostile ad before it can finish loading in a browser.

FlyerTalk’s parent firm Internet Brands, meanwhile, is now evaluating services from the ad-monitoring firms The Media Trust and GeoEdge, said spokesman Joe Ewaskiw.

Digital Context Next, for its part, launched its own ad marketplace, TrustX, at the end of September to give publishers an alternative to networks that regularly serve up junk or worse.

The single biggest company in online ads, Google (GOOG, GOOGL), is trying to attack the problem in two places.

Its Accelerated Mobile Pages system for speedy reading on phones and tablets now features a locked-down ad format that bans the scripting trickery forced-redirect ads deploy. And its Chrome browser will block that same behavior automatically when its release 64 ships towards the end of January.

Other browser vendors have yet to build in the same defenses.

“Google has staked out a much stronger position on this issue than the other browsers,” said Confiant’s Mangin. “They are not just the largest browser, but the largest mobile OS, the largest ad exchange and the largest ad server, so it makes sense that they be the first to move.”

Google competitors like Apple (AAPL), Microsoft (MSFT) and Mozilla would be wise to follow its lead. And web publishers would be wise to remember that these aren’t the only kind of bad ads they need to fix, from fraudulent ads (projected to be a $16.4 billion problem this year) to the clickbait that treats you like an idiot.

Warned Contextly’s Singel: “The online ad ecosystem is rife with fraud, and publishers ought to worry much more than they do about the damage these kinds of ads and other low-rent ad units do to their reputations with readers.”

More from Rob:

Email Rob at rob@robpegoraro.com; follow him on Twitter at @robpegoraro.