雙語新聞:網絡廣告銷售混亂 電腦病毒乘虛而入

Web Ad Sales Open Door To Viruses

On a Saturday night at the end of May, visitors to the forums section of Digital Spy, a British entertainment and media news Web site, were greeted with an ad that loaded malicious software onto their computers. The Web site's advertising system had been hacked.

A number of such attacks have occurred this year, as perpetrators exploit the complex structure of business relationships in the online advertising, with its numerous middlemen and resellers. Web security experts say they have seen an uptick in the number of ads harboring malware as the economy has soured and publishers, needing to boost their ad revenues, outsource more of their ad-space sales.

Viruses can be incorporated directly within an ad, so that simply clicking on the ad or visiting the site can infect a computer, or ads can be used to direct users to a nefarious Web site that aims to steal passwords or identities. In most cases, the problem becomes apparent within a matter of hours and quick fixes are put in place, but that's not fast enough for Internet surfers whose computers end up infected or compromised.

'The system is only as safe as its least secure members, and some of these members can be strikingly insecure,' says Ben Edelman, an assistant professor at Harvard Business School who researches Web security issues.

, a technology news site owned by Ziff Davis Enterprise, in February displayed an ad on its homepage masquerading as a promotion for LaCoste, the shirt maker. The retailer hadn't placed the ad -- a hacker had, to direct users to a Web site where harmful programs would be downloaded to their computers, says Stephen Wellman, director of community and content for Ziff Davis.

Similar attacks occurred across a series of News Corp.-owned sites in February, including , and . In January, clicking on an ad on Major League Baseball's led visitors to a site with malware.

Digital Spy, Ziff Davis, Fox and MLB all say that immediately after they detected the incidents, they isolated the ads and removed them from their sites.

Digital Spy sells the ad space on its forums section, visited by three million unique visitors a month, through a number of other companies, called ad networks. If one ad network doesn't sell the space to a marketer directly, it often will sell it to another network. The space also can be outsourced to ad exchanges, another set of companies, which hold an electronic auction for online ads.

'As that chain gets longer, it becomes more and more difficult to vet the ads to make sure there are no viruses in them,' says James Welsh, co-founder of Digital Spy, owned by Hachette Filipacchi. 'There was a lack of scrupulous checking somewhere along that line, and an attacker seized upon this and used it as a route to inject some very nasty malware onto our site.'

'Hackers are like any other criminal out there. They look for opportunities where there is the largest number of people gathered, because they will get the best return on their efforts,' says Hemanshu Nigam, who oversees safety, security and privacy for News Corp.'s online properties, including MySpace. News Corp. also owns Dow Jones, publisher of The Wall Street Journal.

Web publishers say they have started limiting the number of companies they outsource their ad selling to and are working with security vendors, such as San Francisco-based ClickFacts, to detect malicious software on their networks and remove it as quickly as possible.

Ad technology companies and Internet companies say they, too, are making efforts to boost the security of their systems. Microsoft, Google and Time Warner's AOL say they use a series of technical and manual procedures to scan for malicious code in their systems.

AOL says that in addition to digital virus scans, it employs a team of people to review each of the thousands of Web sites interested in entering its ad network and each of the advertisers that want to run an ad campaign across these sites. Microsoft says it verifies the legitimacy of the companies it does business with and deploys technologies that scan ads and Web sites to mitigate attacks.

'It is an issue that we take very seriously,' says Alex Gounares, corporate vice president of ads and commerce research and development at Microsoft, which operates some of the largest online ad technology systems. 'I don't know if it will ever go away. The world has evildoers.'

Emily Steel

今年5月底的一個週六晚上，訪問者只要打開英國娛樂和媒體新聞網站Digital Spy的論壇部分，就會激活一個會自動下載惡意軟件的廣告。原因是網站的廣告系統此前被黑客攻擊了。

今年已經發生了多起此類網絡攻擊事件，攻擊者利用了網絡廣告銷售的複雜結構，以及爲數衆多的廣告中間商和分銷商。網絡安全專家表示，由於經濟形勢黯淡，發行商爲了提高廣告收入將更多的廣告空間銷售外包，專家們已經發現內嵌惡意軟件的廣告數量有所增加。

由於廣告可以直接內嵌病毒，因此單是點擊廣告或是訪問網站就可以令電腦受到感染，或者通過廣告引導用戶進入一個意在盜取密碼或ID的惡意網站。在大多數情況下，問題會在幾個小時就被發現，然後迅速得到解決，但對電腦中毒或受到影響的網民來說，這個解決速度還不夠快。

哈佛商學院研究網絡安全問題的助理教授艾德爾曼(Ben Edelman)說，廣告系統非常不安全，一些成員容易遭受攻擊的程度令人吃驚。

Ziff Davis Enterprise旗下的科技新聞網站今年2月份在主頁上顯示了一則廣告，似乎是爲服裝品牌LaCoste做廣告。但Ziff Davis的社區和內容主管威爾曼(Ziff Davis)說，這則廣告實際上並不是該網站發佈的，而是一名黑客所爲；這則廣告會將用戶引導到一個惡意網站，向用戶的電腦下載有害軟件。

新聞集團(News Corp.)旗下的一系列網站2月份頻頻遭受類似的攻擊，包括了、福克斯新聞網()以及。今年1月份，美國職棒大聯盟網站上面出現了一則廣告，訪問者點擊之後就會被帶到一個惡意軟件網站。

Digital Spy、Ziff Davis、福克斯以及MLB均表示，他們發現問題之後就立即隔離了廣告，並從網站上將它們刪除了。

Digital Spy通過諸多被稱爲廣告網絡的其他公司在論壇上銷售廣告空間，論壇每個月有300萬訪問者。如果一個廣告網絡沒有將空間直接賣給一家推廣商，那麼通常就會賣給另外一個網絡。廣告空間還可以外包給另外一系列公司，對網絡廣告進行電子拍賣。

Digital Spy創始人之一威爾斯(James Welsh)說，隨着這個鏈條變得更長，檢測廣告是否有病毒也變得越來越難。Digital Spy 是 Hachette Filipacchi 旗下的一家公司。威爾斯說，這個過程中缺乏謹慎檢測，黑客抓住了這一點，並以此爲路徑將一些非常討厭的惡意軟件嵌入到了我們網站。

負責爲新聞集團旗下MySpace等網站監控安全和隱私問題的尼甘(Hemanshu Nigam)表示，黑客們就象犯罪分子。他們在人羣最爲密集的地方尋找作案機會，因爲這樣就可以獲取最大的回報。新聞集團是《華爾街日報》發行商道瓊斯公司(Dow Jones)的母公司。

網站發行商表示，他們已經開始限制外包廣告銷售的公司數量，並正在與舊金山ClickFacts等安全維護公司合作，對網站進行惡意軟件檢測，一旦發現就儘快刪除。

廣告技術公司和網絡公司表示，他們也在努力提高自己系統的安全性。微軟(Microsoft)、谷歌(Google)和時代華納(Time Warner)旗下美國在線(AOL)表示，他們使用了一系列技術和人工程序，在自己的系統裏搜索惡意代碼。

美國在線表示，除了進行數字病毒掃描，他們還僱傭了一隊人馬對有意進入其廣告網絡的數千個網站、希望在這些網站上打廣告的每個廣告商進行逐一評估。微軟表示，會對和微軟打交道的每家公司進行合法性驗證，微軟還藉助技術對廣告和網站進行掃描以減少攻擊事件。

微軟負責廣告和商業研究與開發的企業副總裁古納里斯(Alex Gounares)說，我們非常重視這個問題。我不知道這個麻煩問題是否會得到解決，這個世界總有作奸範科的人。微軟運營着一些全球最大的網絡和技術系統。

Emily Steel