FBI, Justice Department and Homeland Security Set to Meet Ad Industry Leaders on 'Malvertising'

Trustworthy Accountability Group Says Law Enforcement to Attend Meeting

By Published on .

Credit: Andrew Harrer/Bloomberg
Most Popular

Some of the most influential people in the advertising industry gathered in New York on Wednesday for a closed-door meeting slated to be attended by members of the FBI, the Department of Justice and the Department of Homeland Security, according to its organizers.

The meeting, spearheaded by the industry's Trustworthy Accountability Group, was intended to find ways for companies such as AppNexus or Google to better share information with law enforcement on criminals plundering billions of dollars from the ad ecosystem each year through the use of malware.

A Homeland Security spokesman confirmed that representatives including the director of the Intellectual Property Rights Coordination Center, Bruce Foucart, attended the meeting.

Contacted Tuesday evening, the Department of Justice could not provide comment by noon Wednesday. The FBI did not respond.

AppNexus CEO Brian O'Kelley was scheduled to deliver opening remarks to roughly 20 or 30 senior level people at his company's headquarters in Manhattan. For some time, TAG has been working on a skunkworks project of sorts aimed at establishing a near real time information-sharing infrastructure that would allow the industry and law enforcement to take an aggressive role in fighting malware and "malvertising."

"We never come together," said Mike Zaneis, president and CEO of TAG, a creation of ad industry organizations. "A lot of industries do this all time time, but for some reason the digital advertising industry has never done this. We think it is high time that we come together to discuss information sharing around criminal threats and the different attacks they use while also partnering with law enforcement."

Organizations in banking or financial services already work with law enforcement to share data that leads to criminal arrest, but no large effort of that sort exists in digital advertising.

"When a big company has a strong security team and sees an attack through malvertising then it is not enough for that company to stop serving those ads," Mr. Zaneis added. "I think they all have an obligation now to share that information with their counterparts. This is really about how to bring everybody better at detecting malware attacks. And that only happens through a central information sharing hub, which is TAG."

Malvertising is one of the vehicles used by criminals to siphon billions from the ad ecosystem each year. It can invade top tier websites, both on desktop and mobile, by injecting malware into ads without the user's or publisher's knowledge. Devices can also be infected when users visit shady websites, click malicious links or download misleading apps, among other things.

A U.S. senate subcommittee said in a 2014 investigation report that many consumers are unaware that mainstream websites are becoming frequent avenues for cyber criminals seeking to infect a consumer's computer with malware.

"The internet as a whole, as well as all the consumers who visit mainstream websites, is vulnerable to the growing number of malware attacks through online advertising," the report said. "While there are many other significant vulnerabilities on the internet, malware attacks delivered through online advertising are a real and growing problem. The complexity of the online advertising industry makes it difficult to identify and hold accountable the entities responsible for damages resulting from malware attacks."

Those distributing or creating the malware are seldom caught, but Mr. Zaneis said sharing actionable intelligence with law enforcement would significantly improve the chances of catching culprits behind malware while strengthen the ad ecosystem at the same time.

"It's really a horrific situation when as part of that endeavor, consumers are being inundated with malware and having their computers hijacked," Mr. Zaneis said. "The more we can do to harden our digital supply chain so we are not delivering malware, the more we can protect consumers. And the more intel we share with law enforcement, the more they can go after criminals."

Although countries like Pakistan are known in cyber security circles as being big sources of malvertising, a sizeable chunk also comes from U.S. locales such as Florida, where offenders could be prosecuted under the Computer Fraud and Abuse Act.

A group of senators last month also introduced a bill called the "Botnet Prevention Act," which would expand the Justice Department's ability to fight networks of computers infected with malware and the people behind them.

Down the road, TAG hopes to establish a relationship with Interpol, which represents nearly 200 countries and might help thwart the spread of malvertising globally. But before any of that can happen, TAG will have to launch its anti-malware initiative, which is set to be complete this fall.