When HTML5 was being promoted as a replacement for Adobe’s Flash, security was a key reason.
But, according to Media Trust CEO Chris Olson, “HTML5 is not this panacea and safe haven.” In fact, his company — which monitors third-party code and advertising for brands — has come across a wave of malware on HTML5 ads on mobile and desktop web, with some wavelets beginning to hit HTML5 ads on apps.
“We are seeing more badness in HTML5,” he told me, such as a higher frequency of incidents and bigger attacks.
The malware does such badness as auto-redirects that steer users to unsafe sites, or pop-up windows that urgently ask users for confidential info.
Currently, Media Trust says, “dozens” of online publications have been affected, plus at least 15 ad networks. And iOS devices, which have often been spared the worst of previous waves of malicious software, are seeing a huge jump in malware from the cross-platform HTML5 ads, according to the company.
One of the most problematic characteristics of the way in which HTML5 malware is delivered, Olson said, is that it is taking advantage of “obfuscated code” populating HTML5 ads. This obfuscation, he said, is “like a kind of encryption,” used by many legitimate developers to keep their software tricks from competitors.
But that “makes it extremely difficult to understand” and to find the delivery mechanisms used to carry the malware.
“It’s the perfect crime,” Olson said, because its crimes are often hidden.
To combat the rise of malware in HTML5 ads — which could damage an advertiser’s or a publisher’s reputation, as well as bring down regulatory consequences — Olson advises that marketers know who their ad and publishing partners are, and that they monitor, directly or through a service, how those ads perform across devices and conditions.
It’s only then, he said, that marketers will be able to see if their campaigns are delivering more than pitches for their products.