Gee, what to do?
Perhaps... require traceable contact information for the people buying ad space? Somehow banks, car dealerships, etc, usually manage to ensure that people using their services are who they say they are. Somehow, though, pay-per-click ad distributors seem to have missed that class on the way to their MBAs.
Or, of course, they know damned well what they're doing, and prefer to siphon off the revenue they get from criminals while waving their hands in the air and professing impotence.
I ran into the same thing a few years ago when I investigated the people behind the ads served on browser-hijack pages which were forced on users who got the CoolWebSearch trojan, a piece of malware so ... well, mal, that even completely patched systems were no match for it. The malware hijacked the victims' browsers and pointed them to various "search" pages, which were jammed with banner and context ads served by several major PPC players.
I traced down the IPs, put together detailed trails that led to the PPC companies and the trojan writers' ISPs, and got the runaround from everyone. The PPC companies said that they honestly didn't give a damn, and the ISPs said they had to get a certain number of complaints, and they hadn't quite got enough yet...
I shopped the story around to a few tech rags, but while the guys who read it thought it was pretty damning, none of their editors would run it - it basically ran a direct trail showing how Yahoo, Overture, and major ISPs were helping malware authors launder PPC money. Why bite the hand that feeds you?
So. Yeah. Of *course* Yahoo feeds trojan-laced ads to MySpace and PhotoBucket. They've got practice in the field.