Online shoppers: before you click that ad, read this


Christmas is fast approaching, and this year is set to be the biggest ever for online shopping. Hundreds of millions of dollars will be spent by Australians alone.

And every year, the flurry of online activity prompts warnings about the dangers of internet shopping. While this has become less problematic over time as online security technology has grown stronger at both ends of transactions, there is another, lesser-known (and easy) way to fall foul of hackers: malicious advertising.

Web advertising is arguably the most important and lucrative online business. Some 96% of Google’s US$50 billion annual revenue comes from its advertising programs.

Online advertising is becoming more sophisticated. Advertising agencies now specialise in online markets and in new analytic tools that track and profile users, delivering highly targeted advertisements and increased revenue.

While these online ads are a convenient way for commercial companies to reach customers, and for internet users to stay in touch with online stores and items they’re interested in, they do bring new risks.

Should I click that ad?


Online ads are increasingly used for illegal purposes such as propagating malicious software (malware), scamming and click fraud.

Hackers have found web ads to be a low-cost and highly effective means to conduct malicious and fraudulent activities. This is often called malvertising.

Malvertising is a vibrant underground business, endangering even those internet shoppers who trust reputable websites. Recent research shows that at least 1% of a set of well-maintained websites have been exploited to deliver malicious content or to conduct fraudulent clicks.

This may seem like a low rate, but when you think about the sheer number of websites you visit, this level of risk is exceptionally high and dangerous – particularly as the malware operates in a different environment from that where anti-virus software expects to detect it.

The fraudulent ad links mimic standard online ads. They can:

  • look like an inoffensive part of a webpage, just an ordinary ad featuring something you might be interested in
  • seem very contextual to the webpage you’re browsing
  • appear to be anti-virus software asking you to update your system; they often provide enough details on your system parameters to be very misleading
  • show a store close to your current location where you could find great deals.

This is by no means an exhaustive list.

Dodgy ads, targeted directly at you

Sophisticated tracking components in today’s advertising eco-system make malvertising even easier to hide. These components give hackers many different ways to provide contextual, user-targeted or location-based “ads”.

Another prominent threat is the “remarketing” ad. These serve ads to users who have shown some interest in a brand, but not until they have left an advertiser’s website.


If you shop online, you’ll have seen these ads, often called personalised retargeting ads. After you search for a particular brand, you will see a display banner featuring the same type of products (often the exact item you previously searched for) popping up again and again on other sites you visit.

Besides the privacy concerns raised by the current high tracking capabilities, this also makes users less suspicious. It increases the attacker’s chances of redirecting them from ad networks to malicious servers, rendering the malvertising problem even more severe.

Keeping yourself safe

Today, there is a plethora of (more or less) user-friendly privacy tools that you can install as add-ons to your browser. These either limit the web tracking capabilities of third parties, or block online advertisement material.

NoScript, Ghostery or BetterPrivacy are very effective ways to limit the damage of tracking components throughout the web. But using them comes at the expense of your web experience; for example, some multimedia content won’t work properly anymore.

AdBlock or AdBlock Plus are alternative solutions. They simply stop ads displaying, but they are a radical solution to the problem; do you really want to see no ads at all?

Blocking all ads is also considered very harmful to the stability of the online eco-system. Internet users benefit from free internet services (such as search engines, email, file sharing, online social networks), but the trade-off is we implicitly agree to be “annoyed” by online ads, and from time to time click on them. It is exactly like being disturbed by commercial breaks while watching broadcast TV.

Probably the best countermeasure though is internet users being conscious of their own behaviour, and trying to distinguish bad from good using intelligence and intuition. But I have to admit, this is really getting more and more difficult!

12 Comments

  1. dhduncan

    logged in via Twitter

    Interesting article. I have to say I was stunned by the description of ad blocking browser extensions as 'radical', followed by the question 'do I really want to see no ads at all?'

    I never, ever want to see ads or mass marketing and I thought that was fairly common. Ad blockers are an essential, unobtrusive part of my browser use and if there is a problem of people inviting malware onto their systems by clicking on them I'd say their use should be encouraged.

    1. Dali Kaafar

      Principal Researcher in Online Privacy and Security at NICTA

      In reply to dhduncan

      I believe some people are still eager to see ads, which from time to time can be useful, highly targeted, etc… But again, this comes at the expense of user privacy!
      Personally, I don't think blocking ads is a long term solution. At some point somebody, somehow, has to pay for the Internet services people are using … This now is being done through the display of "annoying" Ads...

    2. Robert McDougall

      Small Business Owner

      In reply to dhduncan

      I am with you, don't want to see ads and I don't know any difference with my "internet experience" nor do I care. So adblocker all the way thanks.

      Re the artificial shock about not viewing ads and how it deprives those poor marketers through some dire impact on the eco-system of the net (whatever that means) not everyone is an acolyte of the "consume" religion, but you can relax Dali, because there are plenty out there that are.

    3. Stephen McCormick

      Ph.D. Candidate at School of Mathematical Sciences, Monash University

      In reply to dhduncan

      The problem with ad blockers is that if the ads don't show up then the website receives no money. I use ad blocking software myself, but I try to only use it for websites with painfully obtrusive ads. I certainly don't want to see the ads, but I feel guilty taking money out of the pockets of websites that provide otherwise free content to me.

    4. dhduncan

      logged in via Twitter

      In reply to Dali Kaafar

      I am not entirely unsympathetic to your remarks about the potential impact of widespread blocking of ads on the internet 'ecosystem'.

      My preference has always been subscription models for media / information (community radio to avoid commercial radio, in preference to 'free' social media) and upgrading apps to remove advertising. However, if any and all of these behaviours were the mainstream, maybe a question of fundamental infrastructure has to arise at some point.

      In the meantime, the general approach to advertising from a great many web-sites seems to be fairly indiscriminate, and I don't feel troubled by blocking out the lot.

      Interestingly, one site I visited recently popped up a note in response to the ad-blocker asking if perhaps, since I wasn't viewing ads, I would like to pay for the premium model. I imagine there will be more of that.

    5. Sonia Hines

      Internerd at Queensland University of Technology

      In reply to Dali Kaafar

      There are people who are eager to see ads and who aren't creeped out by targeted advertising? Who knew? I haven't run a browser without ad-blocking in so long that it's startling to me when I do see ads (if you don't count those annoying promoted tweets on twitter). I do almost all my shopping online, so it's not like the internet doesn't get my money anyway.

  2. John Crest

    logged in via email

    If you needed to read this, you're probably too stupid to use the internet.

    1. Dali Kaafar

      Principal Researcher in Online Privacy and Security at NICTA

      In reply to John Crest

      It can be a bit more tricky than it may look at first glance. This is malvertising content that can go through well-known ad networks, i.e. the Doubleclick network and the like… We are working on a kind of sandboxed malware analyser embedded into the browser to be able to tell whether it's a legitimate ad or a bad one!

    2. Meg Thornton


      In reply to Dali Kaafar

      I've had Doubleclick blocked for years in NoScript, because for years, they've been well known for being purveyors of malware, broken pop-up scripts (that keep spawning new popups on infinite loop, for example), and other such monstrosities. Basically, Doubleclick doesn't care who you are or what you're giving them to embed in their stream so long as you pay them on time - the amount of oversight they give is absolutely minimal. "Well-known" is not the same thing as "reputable".

  3. Paul Burns


    Stuff the internet eco-system.
    Always use Adblock. If you don't, you're stupid.
    And it's not radical at all. It's a common-sense protective measure.

  4. Meg Thornton


    Put me down as another person who doesn't want to see advertising when I'm browsing the internet (I use NoScript and AdBlock Plus on Firefox, which pretty much blocks out the vast majority of the advertising out there). Mainly because the majority of the so-called "targeted" advertising out there strikes me as basically obeying the Idiot's Law of Duck-Hunting - "If I just put enough lead in the air, I'm bound to hit something!". This would probably explain why my "reward" for marking down weight-loss…

  5. Alexander Rosser


    A little bit off topic but be aware that "bait and switch" is alive and well, even from firms that one would consider legitimate.

    If you are buying wine on-line, you may find that the wine you ordered has been swapped for a different vintage. When I complained the vendor pointed out the fine print which says they may substitute but did say "take it to a store for a refund". They did refund. But I ordered on-line to save the inconvenience of traveling to-from the store. I still went to-fro and ended up without any wine.