Washington DC – Online Trust Alliance (OTA) Executive Director and President Craig Spiezle testified today before the U.S. Senate’s Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, outlining the risks of malicious advertising, and possible solutions to stem the rising tide.
According to OTA research, malvertising increased by over 200% in 2013 to over 209,000 incidents, generating over 12.4 billion malicious ad impressions. The threats are significant, warns the Seattle-based non-profit—with the majority of malicious ads infecting users’ computers via “drive by downloads,” which occur when a user innocently visits a web site, with no interaction or clicking required.
The consequences of malvertising include cybercriminals capturing users’ personal information or taking over devices and turning them into bots, which in many cases are used to execute distributed denial-of-service (DDoS) attacks against a bank, governmental agency or other organization. Just as damaging is the deployment of ransomware, which encrypts a user’s hard drive and demands an extortion payment to unlock it. Users’ personal data, family photos and health records can be destroyed and stolen in seconds.
In the absence of policy and traffic quality controls, organized crime has recognized malvertising as the “exploit of choice” because it offers the ability to be anonymous and remain undetected for days. Through a multi-stakeholder effort, the OTA Advertising and Content Integrity Committee proposed a holistic framework addressing five key areas. Such a framework should be the foundation of an enforceable code of conduct or possible legislation and include:
- Data Sharing
“Today, companies have little, if any, incentive to disclose their role in or knowledge of a security event, leaving consumers vulnerable and unprotected for potentially months or years, during which time untold amounts of damage can occur,” said Spiezle. “Failure to address these threats suggests the need for legislation not unlike State data breach laws, requiring mandatory notification, data sharing and remediation to those who have been harmed.”
It is important to recognize there is no absolute defense against a determined criminal. At the hearing, OTA proposed incentives for companies that adopt best practices and comply with codes of conduct. Spiezle emphasized that these companies “should be afforded protection from regulatory oversight as well as frivolous lawsuits. Perceived anti-trust and privacy issues must be resolved to facilitate data sharing to aid in fraud detection and forensics.”
In summary, OTA emphasized the need to work together, and openly disclose and mediate known vulnerabilities, even at the expense of short-term profits. The full testimony is available at https://otalliance.org/malvertising.html.
The Online Trust Alliance (OTA) is a non-profit with the mission to enhance online trust and user empowerment while promoting innovation and the vitality of the Internet. Its goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, and meaningful self-regulation and data stewardship. Its members and supporters include leaders spanning the public policy, technology, ecommerce, social networking, mobile, email and interactive marketing, financial, service provider, government agency and industry organization sectors.