If the biggest online technology companies like Microsoft, Google and Yahoo have all themselves acknowledged or apologized in the past for serving malware to consumers via their own advertising code, what about the hundreds of other companies with far fewer resources that are right now executing bits of code and scripts on the thousands of websites you visit?
Reuters' site was compromised by the Syrian Electronic Army to post a political message. They did so by hacking the software of an ad network, Taboola. They also claimed to have gained access to Taboola's PayPal account and, to prove it, posted a screenshot of a $600k+ balance. According to the article, Taboola works with sites:
"including Time.com, USA Today, the New York Times, BBC, TMZ, The Hollywood Reporter, Politico.com, Examiner and others. Taboola acknowledged being the source of the compromise and said that SEA hacked one of its widgets used on Reuters.com."
When I used to run an adtech vendor we could see ad tracking, retargeting or analytics pixels sitting on website pages for years after all business relationships between the vendor and the advertiser had ceased. Unless something breaks the page and causes it to stop loading, the hassle factor and inertia outweigh good security policy and stop the code from being changed or removed, so little bits of seemingly benign code persist over time on tens of thousands of websites.
Who is the Weakest Link?
Reuters may have opened itself up to vulnerability by having over 40 advertising and analytics vendors whose code was tracked as coming from its pages.
These technologies may also slow down the website. On a recent visit to Reuters.com (6/23/2014, starting at 12:41:39 PM), even after the compromise had happened and Taboola's code had been disabled, the page loaded over 100 different HTTP requests and took about 34 seconds to finish loading. As we have all probably experienced, any one of these could potentially "hang" the page, leaving us frustrated with a partially blank screen. Some of these bits of code are from data companies like Bizo or Exelate, which resell access to the behavioral data they gather to advertisers, and that data may change what ads you see on other sites. Many of them pay the publisher (like Reuters) a monthly fixed or variable fee (or sometimes a revenue share) based on the volume of users their code is able to "see". Reuters may not have direct relationships with all of these companies, since many ad or data companies in turn "piggyback" yet more code or scripts to help their advertisers or agencies identify users, or track impressions or clicks on their advertisements.
Typically, ad-supported websites like newspapers trying to eke out a profitable digital existence have more than their share of these vendor scripts running on their sites, which, combined with the large numbers of people visiting those sites on a daily basis, only magnifies the attractiveness of their known or unknown script-slinging ad tech partners as targets.
Publishers can't shift all responsibility to networks and tech vendors, however. In 2009, the New York Times succumbed to malicious ads that did not come from a third-party network: the ads (and an unknown 'ad serving technology vendor') were "approved by the site's advertising operations team".
As consumers we need to ask the companies whose sites we are visiting who they are working with, and to be really clear about what steps they are taking to avoid being the weakest security link in what is an already weak website technology chain.