So...
An advertising love canal?
(And what is a "corrupted creative"? Should that be a "corrupted vital revenue?")
A chap who might just be the world's worst malvertising marauder has popped MSN, potentially compromising some of the site's 10 million daily visitors with an exploit kit so capable it p0wns almost half of those who encounter it. The attacker, understood to be an individual dubbed Fessleak, smashed MSN after popping Yahoo!, …
An advertising love canal?
(And what is a "corrupted creative"? Should that be a "corrupted vital revenue?")
Initially I thought in terms of civil liability but with the problem becoming so widespread it might be difficult to prove which site delivered the fatal blow. So we have to think in terms of criminal offences.
The article gives an example of an analysis which, if presented in court by a suitably qualified expert, should be acceptable evidence against any of the actors who can be identified provided. That would be one aspect of proving guilt. The other would be to have participation in such a chain, either deliberately or negligently, found to be an offence. What I'm wondering is whether there is a basis for this in existing law (Computer Misuse Act and equivalents in other jurisdictions or criminal negligence) to be a criminal offence.
Keeping it a civil offense would be a better move. In a criminal case, the burden of proof is on the prosecutor to convince a jury that the defendant is Guilty beyond a reasonable doubt. Whereas a Civil trial, the burden is on the defendant to prove that they are innocent beyond a reasonable doubt (This is why OJ Simpson walked free in the criminal trial but was found guilty in a civil court). In a criminal court, the defense attorney would just need to argue that the victim's DNS settings or the routing of the poackets were tampered with and the malicious code came from a faked website (In which case the prosecutor would need to gather every packet from the transaction to to actually prove that the code came from the defendant's servers). Beside, a private citizen cannot gain anything from a civil trial, so any fines or punishments would go right to the state.
What is really needed is a bunch of high-end lawyers working on such a case pro-bono to counter the lawyers the large advertisers employ. You;d also need some large organization to shoulder the burden if the case is lost (In the US, the loser pays the legal fees of whoever wins).
" Whereas a Civil trial, the burden is on the defendant to prove that they are innocent beyond a reasonable doubt "
Actually, no. Civil cases are found on balance of probabilities. And I think even on that basis the plaintiff would have problems in proving that his loss stemmed from a particular site given that he would have visited many.
OTOH if the offence is to serve up - or participate in serving - malware then that would be provable by the sort of analysis in the article but without the need to prove which particular user was infected by which particular server. Several of the participants at the head of the chain could become liable to prosecution or, to put it another way, they would have good reason to put in place a vetting procedure. The chains which failed to apply vetting might have lower costs immediately but they might find themselves out of business a lttle later.
that the first broker to vet or limit the content is going to be more expensive than its less responsible competitors and thus shut itself down.
This means that only widespread ad-blocking or government enforcement are the only workable options.
Blocking ads remains a foot-shooting option but seems economically inevitable for the advertisers.
Check the view link for Allow some non-intrusive advertising in ABP, and do a ctrl+f for "Adspirit.de", now remove the check mark from Allow some non-intrusive advertising if this convinces you they are whitelisted there. I have done since this is the second major posting I have seen related to Adspirit.de slinging malvertising this month. Also it might be good to run MBAM to clean off the Angler PuP as I had to do for my wife's system. Her start page is MSN=( BTW I don't read code I'm just assuming they are a whitelisted advertiser as I found 4 lines pertaining to them on "The List".
Cheers