Popular celebrity news website TMZ is the latest victim of malware-carrying ad networks.
The site brings in 30 million visitors each month and joins a long list of large publishers affected in recent years.
According to Malwarebyes’ security blog, "The same ad chain pattern from ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers can be observed. The latter are leveraging cloud security provider CloudFlare’s infrastructure to hide their server’s real location as well as encrypt the ad delivery."
Malicious advertising or malvertising refers to the use of online adverts to spread malware and infect consumers' computers.
Online ad networks work with real-time bidding based on cookies and other user data to create extremely targeted ads that can infect a PC without even clicking on the advert itself.
For some ad networks the cost per thousand impressions (CPM) is extremely low with ad accounts being created with as little as $5 and getting ads online in just ten minutes.
With so many layers and so many potential interferences, how can companies really know if the ads they display contain malicious content?
The Independent’s blog was one of dozens of Wordpress-operated websites that were hacked in November last year; it performed malicious redirections, without the webmaster’s knowledge.
Who is liable?
Cheap ad platforms make it easy for malicious content to infect countless computers in the blink of an eye.
"The problem is sellers and publishers don't really know who the buyers are, they don't have that much control," says Malwarebytes researcher Jerome Segura.
The Consumer Rights Act does mention digital content and implies that content must be of satisfactory quality and 'fit for purpose'. While this seems relatively straightforward, the Act does require that a contract is present between the content provider and content consumer.
Do you feel as though you are entering a contract with every website you visit? Most likely the answer is no.