Manhattan Assistant U.S. Attorney Janice Fedarcyk commented on what was known as Operation Ghost Click by saying, “Working primarily from Estonia and Russia, the defendants effectively hijacked four million computers in a hundred countries – including half a million computers in the United States. Those half-million U.S. computers include those used by individuals, as well as computers housed in businesses and government entities such as NASA.”

A report issued by the FBI included further details, such as, “The thieves were able to manipulate internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.”

The men arrested, according to an FBI press release, are Vladimir Tsastsin, 31, Timur Gerassimenko, 31, Dmitri Jegorov, 33, Valeri Aleksejev, 31, Konstantin Poltev, 28, and Anton Ivanov, 26. A seventh defendant, Russian national Andrey Taame, 31, is still at large. The U.S. Attorney’s Office will seek to have all of the defendants extradited to the United States for prosecution.

Google showcased the power of the remote application removal feature to manage the ongoing fallout from a series of malware attacks dubbed “Droid Dream,” which managed to infiltrate Google’s Android Market as well as third-party ones. After detecting the infestation on Tuesday, Google rapidly deleted the approximately 50 bad apps in the Android Market; the remote nuke was aimed at app downloads from third-party site.

Interestingly, Droid Dream tainted legitimate apps with third-party code designed to swipe and send user information to remove servers. Nothing critical was leaked, according to a Google blog post.

Users with affected devices were informed of the infection via email and notification that “Android Market Security Tool March 2011″ had been installed appeared on Android devices. “You are not required to take any action from there; the update will automatically undo the exploit,” writes Android Security Lead Rich Cannings.

This latest infiltration displays the hacker’s progress in mobile malware, and also brings into question the wisdom of using an open platform like Android as mobile attacks will only increase with the proliferation of smartphones. Then again, privacy issues be damned, Google’s remote nuke seems to be an effective last-ditch measure.

Some networks, exchanges and publishers think they can protect their businesses from malware by purchasing a block list, which tracks sites that have served malware in the past. While a block list is better than nothing, it offers little beyond a false sense of security.

To begin with, lists work too slowly. Most malicious codes created by malware criminals are designed to become obsolete in 24 hours. By the time a site containing malware has been identified and added to the list, the damage has been done.

The other problem with block-lists is that they can identify sites that are not intentionally offering malware. Oftentimes, legitimate sites are victims in the cycle, prey to hackers or creative criminals looking to steal data. In fact, malware criminals are getting so creative that they’ve taken to creating fake agencies and then enlisting legitimate enterprises to help them serve the damaging ads. So while block lists prevent networks and exchanges from serving ads on these sites, the publishers themselves may be receiving unjust penalizations.

In a recent article in MediaPost, Julia Casale-Amorim did an excellent job documenting how malware criminals set up fake agencies to distribute ads embedded with code designed to steal site viewers’ personal information for financial gain. No block list can stop a fake agency from running such ads, and Casale-Amorim gives great advice for spotting potential scammers.

But identifying entities like this is a fairly labor-intensive process, and a good criminal can still slip by you. The only real solution for eliminating malware is the proactive testing of ads and applications for malware before they go live. This way networks, exchanges and sites can expose infected ads coming from any source.

Proactive testing looks for behaviors an online ad exhibits in a virtual environment. Each ad tag needs to be tested by simulating user and computer behavior in a safe, virtual environment to help mitigate infections. This virtual environment duplicates various IP, plug in, browser, ad server and OS configurations for testing purposes. This testing is done in a real-time setting and identifies actions that are key identifiers of infected ads, such as launching:

• PDF exploit files – Malicious ad banners redirect users to infected PDF documents. Upon opening the malicious PDF document, users would get infected by the embedded malware.

• Invisible pixels - Criminal hackers exploit users by building iFrames into pages that are one pixel by one pixel—invisible to the user. Inside that iFrame they can stash executable code stored at another site that infects the user’s computer.

• Keyloggers - Malware criminals can record personal information related to financial accounts by installing a program that tracks (or logs) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware.

• DLL hijacking – Malware criminals can exploit this by sending the target user a link to a network share containing a file they perceive as safe. The file actually contains malicious payloads for stealing information stored on the computer, without the person’s knowledge.

• DLL injections – Malware criminals can force a process to load a dynamic-link library. This can then influence the behavior of a program in a way its authors did not anticipate or intend. For example, it can run a password capture program.

Identifying these potential malware infections early in the process also prevents any suspect ads from ever publishing, which is another solid advantage over block lists. Again, block lists only identify malicious code once it is live, and the odds are that by the time the problem is located, the malware criminals have already moved on to the next target.

Real-time detection and prevention of malware isn’t just the right thing to do, it’s good business as well. A top ad network recently decided to fight back against malware criminals by proactively screening ads exhibiting suspicious behaviors. Dramatically reducing the amount of malware on their network contributed to helping this company grow from the 30th rated network to breaking into the Top 10 and being able to raise its CPMs significantly. The cost of ad screening was minimal and saved the network considerable time and effort by not having to deal with the potential malware attacks and allowing them to focus on selling ads.

Malware is an industry problem that hurts everyone in our business. We are all responsible for providing a safe environment for the loyal viewers who consider the web part of their daily lives. Until we can find a better solution, proactive screening for malware is the only way for our industry to maintain the trust of the people who pay the bills — our audience.

So what happened? Should we all anticipate a mammoth wave of spam to hit any second? The MessageLabs bureau of Symantec Hosted Services, which analyzes email traffic within its global infrastructure to estimate the worldwide volume of spam, reports on its Intelligence blog that a few significant botnets were hobbled in churning out their junk.

Spam has hit all-time highs over the last few years, and Symantec estimates currently between 100 billion and 200 billion spam messages are sent a day (give or take 50 billion). The charts below shows an interesting series of peaks and bottoms, most notably the one in November 2008 after the shutdown of McColo, the rogue ISP from California that was home to a slew of spammers.

Daily spam volume from October 2009 to present (in billions)

Monthly spam volume from January 2002 to present (in billions)

The global spam kingdom is ruled by 10 to 12 botnets, networks of infected PCs controlled by fraudsters that send spam, malware and phishing emails anonymously at a massive scale. As Symantec dramatically intones, “Their distribution is like a rash on the world map: where there are PCs, there are bots.”

There are two or three big-timers among the dirty dozen: Rustok has risen to the top in the past two years, accounting for about 41% of span in June (an average of 46 billion messages a day), while Grum trailed with 16% of spam (18.5 billion messages a day). Despite an attempted takedown in August, Cutwail has resumed a 5%-10% share of all spam.

Then in September, both Rustok and Grum significantly declined, sputtered a few times, and then reached the low of Oct. 3.

Spam per minute from major botnets, August 2010 to present (billions)

Symantec goes into some detailed (and head-pinching) analysis about why this occurred before suggesting that the self-shuttering of spam affiliate Spamit was the key reason behind the silence of the spam. However, it appears Rustock is back on the rise — cut off the head, another one grows.

And when something is out of human control, someone is going to cheat. And because of that one bad apple, an industry is born.

We are big supporters of ad verification and what it’s doing to keep the DSP and network industry honest. But with all good things come some inherent trade-offs. Who hasn’t received a verification report with malware, profanity, nudity, pornography and other categories in big bold letters as to say your client is only running on the worst inventory possible? You’d think there is nothing good about online advertising — until you look more closely.

The reality is that some malware, at some point, may have been posted on some of these sites. Or profanity may have been on a user-engaged site but was quickly removed. Or maybe they showed a stock image with someone in a bikini.

It seems that right now the categorization engine companies are making a whole lot of money by using scare tactics and not as much for doing an accurate job of portraying reality to their clients.

So, the next time you get your verification report, forget the scare tactics and big bold letters. Actually click on the sites and go there. See if it’s truly objectionable content, or if somewhere in some corner of the site someone may have gotten away with something by mistake. Lest we forget, there is carnage, murders, and terrorism reported in our newspapers and nightly local news every single day.

What might make the most sense is the outline an industry Bill of Rights for agencies and publishers around transparency. If you agree, here is a first draft for your consideration and if you like it, let’s submit to the IAB for a look!

1. You have every right to know that your ads only appeared within the provided site list during and after the campaign, and to see the URLs of any sites on which your ads appeared outside of that pre-approved site list.

2. You have every right to not be victimized by click or action fraud, to know when it happens, and to receive a full refund on any monies spent which enabled or allowed such activity.

3. You have every right to know if more than 50 percent of the impressions within a buy occur on just one site within the site list.

4. You do not have the right to know the list of sites on which your ad appeared during the campaign. Rights No. 1 and No. 3 ensure your safety here, and could cause publishers to withdraw from the unsold inventory space, adversely affecting your ability to secure reach, frequency, and results at attractive price points.

5. You do not have the right to know how many impressions ran on specific sites within the campaign. This will cause publishers to withdraw from the space and will cause the same problems listed in No. 4.

6. You have the right to know where on the page your ads appeared, by percentage value.

7. You have the right to geography verification and validation

8. You have a right to a full refund of money spent on any inventory that violates the above rules.

How would you change this? Would you get behind this with the IAB? Let me know!

The new research arm will incorporate ad verification, security and antivirus experts to hunt down fraudulent sites and all the bad -wares: malware, spyware and adware. The team will be on the lookout for any type of advertising that could lead to wasted spend or legal concerns for advertisers.

The usual suspects include affiliate fraud, stacked ads, invisible ads and misplaced — DoubleVerify’s got you all under surveillance with its Virtual Visitors verification tech.

In addition, the lab strives to build a coalition — a “neighborhood watch” if you will — between advertisers, ad networks and publishers to take on malicious activities that harm all the law-abiding brands and publishers in the space.

“The Rubi-’con’ Project,” wrote one smarmy, anonymous fellow. Making light of Rubicon’s successful venture capital funding, he/she added: “The $42 million joke is on the investors!”

The reaction lacked the vitriol on display when Rubicon released its manifesto, “Principles of a REVVolution, or the Ad Server Is Dead,” in February and the trolls swarmed on TechCrunch. Some called the company worthless, saying it didn’t live up to its promises, while others claimed that the bold words outlined in the strategy signaled a company in its death throes.

Even before the launch of the REVV platform in October and the company’s strategic shift from optimizing ad networks to enabling publisher management of all non-guaranteed inventory, Rubicon has found a flurry of vocal, faceless detractors in various online forums that claim it merely sells snake oil.

However, the company’s rapid growth during less than two years in operation, impressive client list and now the acquisition of SiteScout would seem to refute some of the venomous accusations. Some of the complainants fail to recognize that results may vary: REVV doesn’t work for everyone.

“We were the first to admit it,” says COO and founder Craig Roah. “When we launched the product, we said we think this is the right solution for everybody. Our technology was ready to support the blogs, but the demand side of the business wasn’t there…. Ad networks wouldn’t buy on publishers they didn’t know.”

Rubicon doesn’t advertise its solution as a miracle cure to instantly win over the affection of ad networks. If a publisher has lackluster traffic, it’s not worthwhile for ad networks to apply their technology and run campaigns, especially when a good deal of manual input is still required. Although advertisers talk a good game about audience, they still actually crave brand when it comes to where their ads show up.

Google aggregates smaller publishers well with AdSense, but the demand is lacking to “drive the needle for a lot of these small players,” Roah says. “We think that’s going to change.”

While Rubicon aims to work its way further down the tail, not on the top of the agenda. “We’re still building out the platform,” he adds. “Once we make it work for the head, it will be a lot easier to adapt for the tail.”

The latest step is buffering brand protection through integrating SiteScout’s technology. While malvertising and malware have been causing malcontent for a long time, they’ve been making headlines in the last year as big publishers like NYTimes.com and Gawker fell prey to massive attacks. As Rubicon has prided itself on improving based on client feedback, it saw a response was in order to publisher concerns stemming from the very public attacks.

Over the last seven years, SiteScout has built technology that examines online advertising streams and websites for malicious content — many times codes that infect computers or download malware or some other nasty bit that will play havoc with a user’s system and possibly try to steal personal information

“These days there’s all kinds of traffic, from direct tags to ad network tags, and all of it is a fertile ground for the bad guys,” says Rob Lipschutz. “We’ve built a system that helps publishers find and detect malvertising proactively and get rid of it before it starts causing problems for their customers and their brands. With Rubicon in the center of the publishers and the revenue departments, it’s a great place for us to sit and uncover malicious content.”

The two companies partnered at the beginning of the year and were impressed that their technologies were highly compatible. Discussions about merging began a few months ago.

“It just made sense,” Roah says. “We looked at a lot of other players in the space and SiteScout’s technology was better at finding malvertising, faster and more consistent.”

But while the move to merge was based in technology — the corporate cultures were also compatible. As they sit in the dim hotel restaurant, buoyant Spanish music in the background, the ease Roah and Lipschutz share with one another is infectious. They pass conversational cues like a basketball and even complete the each others sentences.

“Integration is always a dirty word, but this going to be an easy one,” Lipschutz comments.

“It’s really just tying in their back-end stuff to our front-end [user-interface] so its one platform for our publishers,” Roah adds.

Already they’ve found that the system detects a great deal of malware, including a wide variety of species — some that show their ugly faces immediately while others lie dormant until the user performs a certain action.

When malvertising does show up on a site, the blame almost immediately falls on ad networks. A publisher will shut down the ad tech and go hunting for the culprit — and costing ad revenue.

“They’re running around, chasing a bouncy ball, and eventually the problem will get solved most times, but it’s a totally inefficient process without technology that will typically catch it before any of that happens,” Roah says.

Rubicon’s brand protection solution monitors both third-party and direct ad sales (another offering manages a publisher’s entire site — user-generated content can spring up some nasty stuff) as research shows two-thirds of malvertising comes from the former, but one-third is from the latter. Both the high-profile NYTimes and Gawker fiascos were the results of direct buys.

Once the malvertising is cornered, the SiteScout’s technology identifies its make, model and entry point and then assesses the entire system to make sure the offensive tag is purged from all of Rubicon’s publishers. If the malvertising makes it onto the site, Rubicon alerts the publisher of all the relevant information so it can quarantine the tag.

SiteScout’s technology allows Rubicon to compare the tag with the rest of an ad network’s property to determine whether the issue is limited or global. As soon as an anomaly is discovered, Rubicon jumps on the phone with the ad network and helps solve the issue.

The addition of malware protection is a big step in making publishers feel secure in using more demand sources and furthers Rubicon’s goal of becoming a platform built for publishers to meet all their advertising needs. Roah notes there are hundreds of various demand sources out there — each time you add another layer, you need to make sure you do it in a safe, efficient and automated way.

The move also supports Rubicon’s the traditional ad server is dead. As a standalone product, Roah says, the adserver is an antiquated and poor solution on the indirect front. The rise of DSPs in particular have show ad servers to be a thing of the past.

“Just having a solution that delivers ads based on something that’s sold is okay; it serves a purpose,” Roah says. “but we’re trying to build a platform — and we’ve built a good portion of it — that helps publishers find the right way to access sources of demand, not just deliver campaigns.

“Our job is to make sure we’re tight with all the non-direct advertiser-agency dollars,” he continues. “If there are dollars being spent by advertisers with a third-party we should be connected. Are we connected to everyone? No, but we’re connected to the best.”

For several days last week, most visitors to Gawker Media sites were treated to their usual spicy content, but a number were also greeted with an unexpected installation of malware. The Suzuki ads certainly looked legitimate and were provided by Sparks SMG, a division of Publicis Groupe, but in actuality the buyers were impostors using similar email addresses. The scammers had enough knowledge of Sparks clients and the advertising world to fool Gawker employees.

But displaying almost frightening complexity, the ads only infected visitors in intervals. It took days for Gawker to realize something was awry.

It’s a traditional con game with a technological twist — something that should keep all sides of the online ad community on their toes.

Sophos, an online security software and hardware company, caught the malware on video and posted it to YouTube.

The Wall Street Journal noted Kawaski apologized for the accident and a possible bigger problem:

Mr. Kawasaki isn’t the only victim of this attack (it’s one of several malware schemes popping up on Twitter), but his relative celebrity on the microblogging service makes such an incident even more troublesome since so many people see it, said Graham Cluley, a senior technology consultant at Sophos. “It has the potential to do much more damage than if maybe 14 people were following him.

It showed a web page, and in the background a special script loaded over 1000 different “hidden” advertisements. According to the man who caught the click fraud on video, Vizi CEO Pesach Lattin, former publisher of Adotas, it then tries to install an https hijack on a users computer to create a bunch of fake fraudulent clicks to search engines.

But the larger menace behind such ads, according to security experts and industry leaders who have seen the video, is malware and spyware, which are primarily there to steal identities and take over personal computers.

“A lot of ways that these ad networks get into the market is that they are buying through the ad exchanges,” he said. “What we do is block the (offending) ad networks through our publishers, but we also block the ad networks through the exchanges that end up on our publishers. That second part is a lot harder than the first part. Because we found ad networks that specifically do what you just spoke about. They are inject malware and spyware.”

Security experts say that malware and spyware has little to do with click fraud, it’s about 1 percent of the total. A large majority, between 30 to 40 percent, are data theft trojans being widely distributed through compromised websites. While Conficker has received much of the media attention lately, and understandably, the most dangerous data theft trojans go unnoticed. According to Symantec, hackers are inventing up to 15,000 new infections every day.

“Click fraud is an issue, impression fraud is an important issue,” said Michael Caruso, CEO of ClickFacts. “But the bigger issue is the bots aren’t just clicking on ads. The bots and the bad guys are actually out there to steal identities.”

– Express your opinion, comment below.