
Ad blockers and tracking

Banner advertising on the Internet

There are many factors behind the Internet's success, one of which is that it costs users nothing to visit a website. It does cost money, however, to maintain the site, pay for the energy to run it and pay the wages of the people looking after it. That is why website operators are keen to use online advertising to fund their free content (such as news portals).

Advertising banners, which usually appear at the top or side of the website, are a typical tool in this particular arsenal. Advertisers seeking to promote a specific product by means of an advertising campaign and appropriate advertising materials (such as advertising banners) will, for example, commission an agency or a marketer to place the banners on a range of the most suitable websites. Marketers purchase advertising space from website operators (publishers) to do this, then sell that space on to the advertisers.

How does banner advertising work? From a technical point of view, the advertising content is delivered by ad servers: when a user visits a website funded by ads (such as a news portal), the website first establishes a connection to the ad servers stored for that site.

The ad server then selects advertising materials tailored to that particular user and sends them back to the website visitor directly. These advertising materials are sometimes selected with the help of tracking technology. This means that websites the user has visited in the past, online purchases they have made or videos they have watched will affect which product is advertised.

What is tracking and how does it work?

Tracking refers to methods that identify users and analyse their movements online. Taking it a step further, it is possible to assign personal characteristics or interests to specific users. Marketers harness this information to create profiles and deliver advertising banners in a targeted way.

Tracking is carried out by means of cookies or fingerprinting technology, for example. These tracking methods enable various data, including the user's location (IP address), the websites they have visited previously (history) or the software they use to make those visits (browser), to be collected whenever any website is visited.

Example: If a company that makes umbrellas wants to advertise in the north of Germany only, the marketer can analyse users' location data that has been collected via tracking and ensure website visitors from the south of the country, where it is usually sunny, will not see any adverts for umbrellas. Another advantage of this approach is that small, regional businesses, for instance, can advertise only in those places where they have branches or where they offer a delivery service.

Social networks such as Instagram, Facebook or Twitter are classed as marketers too. They use their Tweet or Like buttons to collect user data on websites, even if the visitor does not actually click the button. If a user spends most of their time online browsing sports websites, for example, the companies will collect this information, then serve that user personalised advertising related to sport.

This even happens if the user is not logged in to, or not even a member of, the social network in question. Since personal data is transmitted during tracking, it can be prevented or made more difficult with a few relatively simple settings.

Cyber attacks via online advertising

There have been repeated incidents of malicious programs being hidden and distributed in advertising banners (malvertising) in the past. Examples include attackers compromising existing, poorly secured ad servers or using stolen credit cards to purchase advertising space from marketers in order to spread malware.

The websites themselves often do not contain any malicious programs. Instead, the harmful code is downloaded to the banner area via the ad server. The malware is therefore found within the advertising banner and exploits vulnerabilities in the browser and its plug-ins. Simply opening the website triggers an infection.

Malvertising victims often suffer significant damage, since the malware spread by online advertising frequently takes the form of trojans or ransomware. Trojans, also known as trojan horses, can be used to commit online banking fraud on the user's accounts, to spy on confidential data (e.g. login details) or to send spam e-mails en masse. Ransomware encrypts the user's data and demands that a ransom be paid in order to decrypt it.

Unlike many other modes of infection, such as downloading suspicious e-mail attachments, users will not usually have actually done anything to cause their system to become infected. However, there are solutions available that stop advertising banners being downloaded from dubious ad servers, thus preventing a damaging infection.

Ad blockers: Protection from malicious online advertising

Ad blockers are one way of protecting yourself from malware that is delivered via advertising banners. These programs ensure adverts on websites in the form of images, videos or pop-ups are blocked or not displayed. Ad blockers are also designed to prevent users being tracked by stopping certain marketers from storing cookies, for example.

The ad blockers use blacklists or whitelists for this purpose, where they manage links to advertising banners and trackers. If an ad blocker detects a link belonging to an advertising banner or tracker that is stored in the blacklist when a page is requested, the ad blocker stops the request and the advertising banner or tracker does not load.

By the same token, any link stored in the whitelist is allowed. These blacklists and whitelists are usually public and can be viewed on the websites in question. Many ad blockers also offer an option to modify whitelists, so your favourite ad pages will still be displayed.
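The blacklist and whitelist check described above, as an added example (not code from the original page or from any ad blocker product). The list contents, the per-site exclusion set and all function names are assumptions, and matching is by host name only.

```javascript
// Constructed sample lists (assumed names); real blockers load published filter lists.
const BLACKLIST = new Set(["ads.example", "tracker.example"]);
const WHITELIST = new Set(["static.ads.example"]); // links the user still allows
const EXCLUDED_SITES = new Set(["news.example"]);  // sites the user exempts from blocking

// Lower-cased host name without a trailing dot, or null for non-network URLs.
function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.hostname.replace(/\.$/, "");
  } catch {
    return null; // not parseable as a URL
  }
}

// True if the host or one of its parent domains is in the list.
// Matching on label boundaries keeps "notads.example" from matching "ads.example".
function inList(list, host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (list.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide what happens to one request issued while the page at pageUrl loads.
function decide(requestUrl, pageUrl) {
  const reqHost = hostOf(requestUrl);
  if (reqHost === null) return "allow";            // nothing is fetched from a server
  const pageHost = hostOf(pageUrl);
  if (pageHost !== null && inList(EXCLUDED_SITES, pageHost)) return "allow";
  if (inList(WHITELIST, reqHost)) return "allow";  // whitelist entry wins over blacklist
  if (inList(BLACKLIST, reqHost)) return "block";  // request stopped, banner never loads
  return "allow";
}
```

The decision is made before the request leaves the browser, so a blocked banner or tracker is never fetched from the ad server.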

Security requirements for ad blockers

To make it easier for users to choose the right ad blocker product for them, this cyber security recommendation sets out requirements (or criteria) for ad blockers. The points below cover the key criteria that users must bear in mind when selecting an ad blocker.

Transparency: make sure the software provider's website answers the following questions:

  • Who produces the blacklist?
  • How is the blacklist preconfigured?
  • How can users add more blacklists?
  • Can users add websites to the whitelist so that specific websites are not restricted?
  • Are regular updates provided?
  • Is this an open or closed source product?

Data protection and IT security

  • In terms of data protection and IT security, it is important that the ad blocker does not create any user profiles itself (tracking) and that it does not send any data (e.g. websites that have been visited) to third parties.
  • Personal data should only ever be collected as necessary to provide the service. This means, for example:

    • No tracking of the user's surfing behaviour
    • No use of the URL outside of the particular blocking process without the user's prior consent
  • In addition, user data must not be 'sold'.

Integrity: an ad blocker must only hide advertising on a website as per the blacklist. It must not alter the content of a website in any other way.

  • It must not be possible for sources outside of the application (e.g. authors of filter lists or websites) to insert script or other program code.
  • It must not be possible to insert additional advertising or replace existing advertising on websites.

Individual settings: an ad blocker should offer the option to make individual adjustments, e.g. to exclude specific websites from ad blocking.

Updates and support: it is vital for the manufacturer to make security updates available for the ad blocker promptly. The manufacturer should also respond quickly to instances of overblocking, which in this context is when content is filtered incorrectly due to having multiple, contradictory filters, for example.

What should I take away from all this?

Ad blockers are an important way of safeguarding users online, since they effectively protect against malware attacks carried out by externally embedded advertising.

Note: It is still possible to fund a website by displaying advertising even when ad blockers are used, provided that the advertising is stored on the website operator's web server directly and not downloaded from an external ad server. In this case, the website operator itself has technical control and can put appropriate security safeguards in place directly. However, storing advertising on the website operator's web server can result in lower ad revenue, as doing without the links to marketers means there is no tracking function. Consequently, the advertising is not as targeted, which means it is less profitable.