Online ads are attacking you


An especially sneaky type of hack is on the rise. Hackers can infect your computer by piggybacking on Web ads -- even on trusted websites.

Hackers are slipping malware into legitimate-looking online advertisements. When you visit sites that serve those ads, you're automatically and unknowingly downloading computer viruses.

"Malvertising" has hit Amazon (AMZN), Answers.com, Dictionary.com, Examiner.com, The Jerusalem Post, Last.fm, The Pirate Bay, The Times of Israel, Yahoo (YHOO) and YouTube this year.

And it's blowing up. The number of malicious ads has nearly doubled every year since 2011, according to data from security firm RiskIQ. Its researchers have discovered 432,374 of them so far this year.

[Chart: malicious ads]

"The ad tech industry recognizes this is a serious problem," said Geir Magnusson, CTO of online ad platform AppNexus.

Malvertising makes up a microscopic fraction of the 5 trillion online ads displayed each year in the U.S. alone, according to trackers at comScore. But that's still half a million times our computers could get infected.

Hackers have used malvertising to steal bank account information and lock up files to hold them for ransom.

A major concern now is that hackers are getting smarter at launching attacks that slip past security scanners -- and are customized to specifically attack you.

Online ad networks allow advertisers to know your physical location, Web history, and what kind of browser, device or operating system you use. Hackers are leveraging this to make ads that only deliver malware under specific circumstances.

If the malware exploits a bug in Windows XP, it won't appear if you use Windows 7. It might only target retirees in Florida on weekdays. That's why malvertisements don't always raise alarms. They won't appear for every scanner.

Hackers also take advantage of a vulnerability in the way online ads are bought and sold. When you navigate to a website, a complex negotiation between advertisers occurs in a matter of milliseconds. The highest-bidding advertiser can show you an ad -- or go back to the market and see if there's an even higher bidder somewhere out there -- all in half a second.

The box reserved for advertising on a website might redirect you to a dozen different computer servers before it finally loads the ad. That's how hackers go unnoticed: The first package of data they send seems fine, but they eventually redirect you to a server that spits out malware. They set up deceptive servers to trick ad networks and consumers alike.
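The two behaviours described above, payloads that appear only for certain browser, OS or location profiles, and ad slots that bounce through a long chain of servers, are both things an ad operations or security team can test for. The script below is an added example, not code from the article, RiskIQ or AppNexus: it re-fetches one ad tag under several scanner profiles and flags creatives whose chains end at different hosts per profile (cloaking), exceed a hop budget, or loop. All URLs, the profile names and the `MAX_HOPS` threshold are constructed assumptions, and an in-memory redirect table stands in for live HTTP requests.

```python
"""Cloaking and redirect-chain checks for ad creatives (added example).

A table keyed by (URL, scanner profile) replaces live fetches so the script
runs offline. Every URL and profile below is constructed for illustration.
"""
from urllib.parse import urlparse

MAX_HOPS = 5  # assumed policy threshold; the article gives no number

# Scanner profiles the checker impersonates (constructed names).
PROFILES = ("win7-chrome", "winxp-ie8", "macos-safari")

# Constructed sample: (url, profile) -> next URL, or None when the URL is the
# final landing page. "*" is a wildcard profile used when no exact entry exists.
REDIRECTS = {
    # Creative 101: clean, identical one-hop chain for every profile.
    ("https://tag.adserver.example/creative/101", "*"): "https://cdn.brand.example/101.html",
    ("https://cdn.brand.example/101.html", "*"): None,
    # Creative 202: cloaked. Only the Windows XP / IE8 profile is routed to a
    # separate host; every other profile sees the ordinary landing page.
    ("https://tag.adserver.example/creative/202", "*"): "https://rtb.exchange.example/r/202",
    ("https://rtb.exchange.example/r/202", "winxp-ie8"): "https://dl.payload.example/ek",
    ("https://rtb.exchange.example/r/202", "*"): "https://cdn.brand.example/202.html",
    ("https://cdn.brand.example/202.html", "*"): None,
    ("https://dl.payload.example/ek", "*"): None,
    # Creative 303: not cloaked, but bounces through too many intermediaries.
    ("https://tag.adserver.example/creative/303", "*"): "https://a.hop.example/1",
    ("https://a.hop.example/1", "*"): "https://b.hop.example/2",
    ("https://b.hop.example/2", "*"): "https://c.hop.example/3",
    ("https://c.hop.example/3", "*"): "https://d.hop.example/4",
    ("https://d.hop.example/4", "*"): "https://e.hop.example/5",
    ("https://e.hop.example/5", "*"): "https://f.hop.example/6",
    ("https://f.hop.example/6", "*"): None,
}


def next_hop(url, profile, redirects=REDIRECTS):
    """Return the next URL for this profile, preferring a profile-specific rule."""
    if (url, profile) in redirects:
        return redirects[(url, profile)]
    return redirects.get((url, "*"))  # unknown URL counts as a final page


def follow_chain(url, profile, redirects=REDIRECTS, max_hops=MAX_HOPS * 4):
    """Follow redirects from url. Returns (list_of_urls, looped)."""
    chain, seen = [url], {url}
    while len(chain) - 1 < max_hops:  # hard stop so a bad table cannot spin forever
        nxt = next_hop(chain[-1], profile, redirects)
        if nxt is None:
            return chain, False
        if nxt in seen:
            return chain + [nxt], True
        chain.append(nxt)
        seen.add(nxt)
    return chain, False


def analyze_creative(tag_url, profiles=PROFILES, redirects=REDIRECTS):
    """Fetch one ad tag under every profile and compare the outcomes."""
    chains = {p: follow_chain(tag_url, p, redirects) for p in profiles}
    final_hosts = {p: urlparse(c[-1]).hostname for p, (c, _) in chains.items()}
    hops = {p: len(c) - 1 for p, (c, _) in chains.items()}
    findings = []
    if len(set(final_hosts.values())) > 1:
        findings.append("cloaked")        # landing host depends on who is looking
    if any(h > MAX_HOPS for h in hops.values()):
        findings.append("long_chain")     # too many intermediaries to vet
    if any(looped for _, looped in chains.values()):
        findings.append("redirect_loop")
    return {"tag": tag_url, "final_hosts": final_hosts, "hops": hops, "findings": findings}


if __name__ == "__main__":
    for n in ("101", "202", "303"):
        report = analyze_creative(f"https://tag.adserver.example/creative/{n}")
        print(report["tag"], report["findings"] or "ok", report["final_hosts"])
```

In a real deployment the redirect table would be replaced by fetches made from several egress locations with different User-Agent strings, since the whole point of the cloaked case is that a scanner using only one profile never sees the divergent chain.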

"The ecosystem is optimized to get the right ad displayed at the right time at the highest price," said RiskIQ CEO Elias Manousos. "It was never built to stop fraud."

The system's complexity makes it harder to crack down. When Times of Israel was hit with malvertising in September, it took 14 hours to figure out what ad agency was unwittingly passing along the bad ads, according to Jess Dolgin, whose J Media firm serves as the news website's advertising department.


The advertising industry does take steps to protect the public. For example, AppNexus pays dozens of its staff in New York and India to monitor actual ads all day long. And a special software program, dubbed Sherlock, spots those that violate company policy.

Sherlock catches 35 malicious ads a week. But AppNexus serves 30 billion ads a day. Sherlock can't scan them all -- that would delay display time by minutes. Cybersecurity provider Bromium recently concluded the most thorough solution -- rigorous approval of 100% of ads -- is just not possible for the ad industry.

"There are limits to what you can do in milliseconds," said John Clyman, senior director of security at The Rubicon Project (RUBI), an ad exchange.

So how can you avoid malvertising?

The bare minimum: Don't click on ads, especially if they say something like, "Danger! You need to upgrade your antivirus!" And malware-laced ads can look like authentic car or movie commercials.

Minimize exposure: Always update your operating system, apps and Web browser (including plugins, like Java). Up-to-date antivirus programs will catch some malware -- but not all.

Go all the way: Use something like AdBlock, which stops all advertisements from appearing. But pages designed to look good with ads suddenly look horrendous. And worst of all, this chokes off the main revenue stream for publishers, like CNNMoney or your favorite blog.

Ad companies are also clamping down on each other. AppNexus has a three-strike policy before it suspends business with an ad agency. Security researchers suggest an ad industry honor system that universally revokes privileges. You spew malware, you're out. But the problem is so widespread that sounds untenable too.

"It would be interesting to see if anyone would be left standing," Dolgin said.
