Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Advertising Businesses Crime Security The Almighty Buck

Inside the Booming, Unhinged, and Dangerous Malvertising Menace 259

mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."
This discussion has been archived. No new comments can be posted.

Inside the Booming, Unhinged, and Dangerous Malvertising Menace

Comments Filter:
  • by Anonymous Coward on Thursday August 27, 2015 @11:39PM (#50407183)

    It costs money to vet customers.

    For once we get to see the tragedy of the commons at work in an industry that deserves it.

    • by gweihir ( 88907 ) on Friday August 28, 2015 @12:27AM (#50407327)

      Very much so. Advertising is a plague and deserves to be eradicated. And don't tell me "it finances content", because so can crime, and apparently the distinction is not entirely clear anymore. There are other ways to finance content, and if you do not qualify, maybe your content was not valuable in the first place.

      • by Mandrel ( 765308 )

        Advertising is a plague

        Here are you only referring to advertising placed in and around content, or all advertising, for example a company's own website, or some point-of-sale display? All advertising is tricksy, but do you ever find it useful?

        • Advertising is a plague

          Here are you only referring to advertising placed in and around content, or all advertising, for example a company's own website, or some point-of-sale display?

          I took it as read that he meant advertising around other content. If I want to buy a camera I go and look at the "advertising" websites of Canon, Pentax etc to see what they have on offer. Of course I look at review sites as well. Adverts that are put in my face annoy me to hell; they have an entirely negative effect on me and I am suprised that the vast majority of people do not react the same.

          • by Mandrel ( 765308 )
            If media placements are a bad form of advertising, what's a good way to help us buy? There's demand-driven advertising, like company websites, but you still have to deal with spin. And there's the professional purchasing assistance media you mention, but how do you fund it if not by interrupting the facts with spin, or by putting spin into some of the content? Subscriptions & micro-payments — who'll pay? Affiliate sales— turns the media into vendors.
            • by Alumoi ( 1321661 )

              If media placements are a bad form of advertising, what's a good way to help us buy?

              The old, trusted word of mouth. The best advertising invented.
              And why would you need someone else help you buy? Are you so stupid that you don't know what you need? Do you need help when deciding what food/clothes/housing/car you buy?

              • by Mandrel ( 765308 )

                The old, trusted word of mouth. The best advertising invented.

                WOM is great, but it's (a), limited, though the Internet has greatly expanded our sources of WOM (but usually via ad-supported websites), and (b), anecdotal—professionals have the time and resources to better check products out, as well as to pool, format, and summarise individual consumer opinions to make them more digestible.

                And why would you need someone else help you buy? Are you so stupid that you don't know what you need? Do you need help when deciding what food/clothes/housing/car you buy?

                Yes, no man is an island. Other people know more than me about some things, so I make smarter choices with their help. I don't want my only advice to come from those with a stak

                • by Alumoi ( 1321661 )

                  Keyword is mouth. Not internet. I may be old fashioned, but I still talk (open my mouth, words come out) with relatives and friends, people I can (usually) trust.

                  • by Mandrel ( 765308 )

                    Keyword is mouth. Not internet. I may be old fashioned, but I still talk (open my mouth, words come out) with relatives and friends, people I can (usually) trust.

                    I for one don't have a ready and willing pool of friends and relations who are experts in every category of product and service. And when I help others, it still usually requires research, research that eats time and makes use of ad-supported sources.

              • Are you so stupid that you don't know what you need?

                You might be surprised at how many people are that stupid. Henry Ford sold his Model T automobile to people who thought they needed a faster horse.

                Do you need help when deciding what food/clothes/housing/car you buy?

                Some people do. In some categories, U.S. consumers can rely on Consumer Reports, a product comparison magazine and website funded by subscribers that takes no advertising. But a lot of things are so hyper-local that a nationwide magazine such as CR can't cover them adequately, such as restaurants and housing. And even then, CR somehow needs to learn that a partic

            • Why does there need to be a way to help us buy? We do pretty well at wasting money without help.

      • so be ready to pay for the sites you like

        • so be ready to pay for the sites you like

          I have several hobby-type websites with no adverts. It costs me only a very small amount to run them. But then perhaps you would not like them.

          • by gweihir ( 88907 )

            I have some too. All self-hosted on a rather cheap vserver. No ads on it ever. I had flattr on it for some time, but removed it again as nobody seemed to care.

          • Post a link to slashdot. I'm sure we can help increase the bill for you.

          • I think such hobbyists are great. However I am wary of the hobbyist that partners with an advertiser that serves up random ads that take up the bulk of the sites bandwidth. Sure, they say they need to get more money or they can't afford to keep the site open, but it's a fricking hobby not a job, if you can't afford your hobby then stop doing it! Or they want to get a better microphone for the podcast, or bigger ISP pipe, or better proprietary software for their modding, or whatever.

            At the end of the day,

        • by gweihir ( 88907 )

          For some I already do, for the others I do not care if they vanish.

          • do you care that a website you don't visit has ads?

            does it make you angry that a store in a strip mall 3 states away from you that you never visit, leaves their christmas tree lights up all year?

        • And you actually think paying for a subscription is going to stay ad free??LOL where you been living? Have a magazine subscription? many ads in that?
        • I'm ready. I'll probably just not go to any web sites, they add very little value to life. I was around when advertising and doing business on the internet was considered the most egregious breach of manners there was. We got along just fine then.

      • Very much so. Advertising is a plague and deserves to be eradicated. And don't tell me "it finances content", because so can crime, and apparently the distinction is not entirely clear anymore. There are other ways to finance content, and if you do not qualify, maybe your content was not valuable in the first place.

        Uh, because pay walls are so well received?

        • If they are well received or not, it makes no difference. You seem to have the attitude that the content *must* be financed. Some content should go away, if the public isn't going to voluntarily pay for it, it's a better alternative than keeping the content around at the expense of sucking up the public's bandwidth and serving up malware. Probably less than one percent of the web has any inherent value anyway.

      • There are other ways to finance content

        What might these be, other than ads and paywalls? Once I know what other ways you're thinking of, I can analyze their suitability for different

        and if you do not qualify, maybe your content was not valuable in the first place.

        Valuable to readers != valuable to those with money up front.

        • Valuable to readers != valuable to those with money up front.

          There's the key point. Which side of the equation do the content creators care about the most? Would they rather provide the readers with value and treat them with respect, or suck up to those with the money? The problem with advertising on the internet is that it is leaning very heavily towards the model of screw the customer and get your free money. As in web site owners not having to worry about ads, just sign up with an ad server, sit back, and wait for the checks to arrive, then if the checks aren'

          • by tepples ( 727027 )

            Which side of the equation do the content creators care about the most? Would they rather provide the readers with value and treat them with respect, or suck up to those with the money?

            If the choice is between trying to respect visiting readers while showing tasteful ads and trying to respect visiting readers while showing no ads, it depends on how much the authors want to keep a roof over their heads. The alternative (a paywall to cover authors' salaries and server costs) disrespects readers who are visiting, as paywalls lead to bounces, and bounces waste not only the reader's time but also server resources.

      • There are other ways to finance content, and if you do not qualify, maybe your content was not valuable in the first place.

        That invariably leads to tiered and heavily biased content with only the most well funded being widely distributed. Trust me it's not a result you want to see.

        • If we get rid of the junk wannabe journalist bloggers, then why not? Most of the internet is useless drivel, if it vanishes no one will care except those who used to get some money by being an advertising enabler.

    • by Z00L00K ( 682162 ) on Friday August 28, 2015 @12:28AM (#50407335) Homepage Journal

      Yet another reason to make sure you have a good adblocker with a good filter setup.

      At the same time newspapers starts to complain when you use an adblocker, so it means that the use of adblockers are successful and effective.

      Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

      And Android do have some concept of security permissions where the app requests rights before getting installed but at the same time it don't allow the user to actually say no to the request and still install the app. That is something that has to be improved, I as a user can accept that the app I install don't have the full functionality if I for example deny access to the address book.

      • by javaman235 ( 461502 ) on Friday August 28, 2015 @01:49AM (#50407503)

        Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

        A lot of the stuff isn't even hacking, its abuse of permissions. The other day I had a third party tracker request permissions to turn on my mic, and my understanding is if I said yes, the permission would remain across all sites with their tracker on Chrome. So they could listen to me across the Internet. Similar are browser extensions which request the power to read and change data on all pages.These need to come with clear privacy policies, and some kind of audit process to make sure it works.

        The main thing to me is advertising has stopped being advertising: connecting people with products and services they might want - and started being about something else. Since when was "Mad Men" about a wiretap that listens to people in their homes?

        • The goal of an advertising company is not to make a profit. It is to maximize profits. They will do everything the law allows and then a little bit further. And then if nobody goes to jail, even further than that.

          Also, please stop with "Mad Men" analogies, that is a fictional TV show that has nothing to do with reality. Might as well try to connect the oil companies to "Mad Max".

          • by Anne Thwacks ( 531696 ) on Friday August 28, 2015 @04:46AM (#50407873)
            The goal of most advertising companies appears to be to kill the goose that lays the golden egg. Indeed, the entire industry appears totally committed to this goal.

            The problem started with allowing sites to serve executable code. it seems it will end with users having to block all executable code - short of nuking from high orbit, it is the only way to be safe.

            In the case of Flash, nuking from high orbit is probably essential.

            Disclaimer: My Government sells nukes.

            • Noscript has been around for a long time, and many of us have been using it for a long time. I used to use Flashblock, back before malicious javascript became a serious thing, but then I switched to using Noscript, which also flashblocks.

              It might be a hassle figuring out which script sources to enable, or to have some sites just never work. It's a bigger hassle to reinstall Windows.

            • The goal of advertisers these days is to make a ton of money as middle men without ever producing anything of value themselves. So it's no surprise that this has become the number one industry in America because money for nothing is the American dream.

        • by mlts ( 1038732 )

          Exactly. Advertising has morphed from showing a static picture of a product or a few lines of text to trying to be as intrusive as possible. If an advertiser could scan your HDD, encrypt your documents and sell you "protection", they would.

          Realistically, why do advertisers need to fingerprint your browser, add "supercookies", demand a per device/computer identifier, constantly track your location, go through your contacts, pictures, music, and whatever is asked for? All they need to know is that their ad

      • by Burz ( 138833 )

        I remember when Are Technica whined about their users' ad-blockers: My suggestion to them in the comment section was to use their fine technical chops to explore alternatives to the current model where the advertiser doesn't trust the content site. If they could resolve that trust issue, they could serve the ads from their own site and exercise some quality control while they're at it.

        But maybe being embedded inside giant Conde Nast doesn't allow for that kind of experimentation.

    • Web sites that use advertisers certainly need to become responsible here and vet their advertisers. That's a big chunk of the problem, they small time hobbyist will often let the advertisers do whatever they want as long as some money comes in. The never even look at the ads before they're served up to the site's visitors. That's irresponsible and certainly not the way that most non-internet advertising is done. No bus lets you put any random ad on its side, there's always some transit employee who appr

  • It's profitable (Score:5, Insightful)

    by phantomfive ( 622387 ) on Thursday August 27, 2015 @11:46PM (#50407197) Journal
    If it's increasing, that means it's profitable. Don't expect things to change until there is an expensive lawsuit.

    Until then, practice safe browsing, use ad block......even if you like to support websites by looking at their ads, it's not worth the risk right now.
    • Re:It's profitable (Score:5, Insightful)

      by Dutch Gun ( 899105 ) on Friday August 28, 2015 @12:12AM (#50407281)

      What we really need is to put some pressure on advertising companies to stop allowing anyone to run unvetted, arbitrary Javscript code in served advertisements. How stupidly dangerous is that? It's like using a flamethrower to take down a hornet's nest. Yes, it works, but it's a ridiculous amount of overkill, and can be insanely dangerous if pointed at the wrong target. It's in the advertising agencies own interest to clean up it's act. At some point, most people are going to figure out that it's simply too dangerous to run a web browser without noscript or an ad blocker.

      Honestly, the only way I can think of putting enough pressure on them is for as many people as possible to install ad-blockers. Once they get the hint that they need to back down, they can come up with some more creative solutions. For instance, introduce a specialized tag in HTML that allows the display of a static image, embedded links, and some anonymous token to help count unique visitors, but NO JAVASCRIPT. It's the notion of running arbitrary script that's so insanely dangerous. Plus, a tag like this would help to ensure that ads don't misbehave, like popping up, animating, or playing audio or video.

      Or, ad agencies can be more responsible and run curated ads, with only vetted Javascript in pre-packaged modules, rather than letting anyone execute code from anywhere in the world. There are solutions out there, but no agency wants to be the first to tie their own hands. Honestly, I don't care at this point. It's their fault it's come to this in the first place. Something's got to change.

      • Re:It's profitable (Score:5, Interesting)

        by gstoddart ( 321705 ) on Friday August 28, 2015 @07:03AM (#50408287) Homepage

        What we really need is to put some pressure on advertising companies

        No, see that implies we trust them, wish to engage with them, and want to negotiate a future in which they are an integral part of the web.

        That means they've won.

        Yes, installing ad blockers will put pressure on them. But let's make it perfectly clear: we don't see it as their right to track us, collect data about us, and inject themselves into the conversation.

        Cut them out entirely, and leave them cut out. The 7 analytics companies on this page right now, and the dozens I see on every page I visit ... I have no intention of ever giving them access to my machine as long as I have technology to prevent it.

        But not for a minute will I pretend that this is a negotiation with them. Once you install things like HTTP Switchboard, or Request Policy, or Script Safe and realize just how much shit is in the average web page, you realize that trying to find a good solution is a losing prospect.

        Don't pander to corporate greed, and don't act like you will find a solution which is equitable. Because they're not interested in giving it to you, so don't get suckered into giving it to them.

        Most of these ad and analytics companies are just parasites. And there's way too damned many of them to think you'll ever come out well in that conversation.

    • by Zocalo ( 252965 )

      Until then, practice safe browsing, use ad block......even if you like to support websites by looking at their ads, it's not worth the risk right now.

      Good advice, but I think the flaw (if you can call it that) in the proposal will be convincing people to stop using ad blockers when (ha!) it's safe to do so after they've seenthe difference an ad-free Internet makes to the experience and got used to it. Still, that's going to be a problem for the advertising companies and content providers to solve, and

      • Still, that's going to be a problem for the advertising companies and content providers to solve, and since the longer they wait before fixing the problem with malvertising the harder it will be to fix the effects of that foot dragging it's a classic case of reaping what you sow, so screw 'em. If they want to try and destroy their entire industry, I certainly don't have a problem with that.

        Bill Hicks had it right. He didn't even include any exceptions for people who have landed an advertising job which doesn't include lying to people. He just said kill yourself and the world would be a better place if all the marketers did that. Sadly, only the ones who are closest to having a soul would do so. The rest will continue to exist just to shit up our landscape.

      • Not my problem. My problem is defending myself, and people I know, from malware.
  • The X10 browser hijacks weren't even the first, they were just everywhere.

    • by 0123456 ( 636235 )

      The X10 browser hijacks weren't even the first, they were just everywhere.

      Well, that's because they could hijack your PC through the power lines...

    • Malvertising dates back to at least 2004, maybe even sooner. I noticed customers at the computer store I worked at started reporting malware infections by just browsing the web on mainstream sites at the time.
  • by FireballX301 ( 766274 ) on Friday August 28, 2015 @12:10AM (#50407273) Journal
    But I agree with the general premise. It's just that the picture generally gets complex - let me explain.

    The way an ad gets served is this. Places that show ads (websites, mobile websites, in-app ad spaces) are inventory. Inventory is of varying quality - an ad on the front page of the NYT is costly, whereas an ad on housewiferecipes.com or something is dirt cheap. Small sites sell their inventory to brokers, who pack it up with other sites to sell on advertising exchanges (the firm I work for runs one of these exchanges).

    On the other side of the issue, advertisement costs money. A firm wanting to run ads will contract with an online media agency, which will create an ad and then find inventory to place the ad in. The firm commits to spending X amount of money for Y amount of impressions (hits), so if the agency can find inventory that performs (hits whatever ad metrics required, such as 'time in ad' or 'number of clicks') while being dirt cheap, it pockets the rest. If multiple agencies bid on the same inventory, the price of that inventory goes up (and the website runner makes more money), so it's a game of scooping up cheap inventory on random sites at the times they're cheap.

    Typically, a given source of inventory (a site) will contract out to a large number of brokers in order to guarantee that at least one of them will, upon request, be able to serve an ad in the space. 90% of ad networks vet their ads to run clean, because running a malware ad is essentially a death sentence if you ever want to run any kind of premium ad (the ones that make you a lot of money) or buy premium ad space (lots of premium advertisers will specify they only want premium space, like the front page of the NYT). Above-the-board ad networks will run clean, vet their stuff, and charge a higher exchange fee, whereas unscrupulous networks (many based in eastern europe) will charge a lower fee and let all sorts of shit go through.

    What does this mean? An attacker with a crafted ad that can beat cheapo mal-detection can buy cheap inventory on a shady network, intentionally outbid other people and pay a minor premium for that cheap inventory, and get their ads wherever they want. The ad network will get shut down if it was really egregious (since running a malware ad can theoretically open you to litigation from other advertisers on your network), but for every network that shuts down there's another that can pop up promising minimal overhead and minimal vetting.

    The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks, but this segments the internet into the haves (premium inventory, high quality sites, premium ad networks, premium ads, all expensive) and the have nots (mom and pop sites with mediocre inventory that nobody visits because of the chance of getting cancer from the shit networks they have to run). Beyond that, this problem is unlikely to go away - it's simply too easy to game the system and put whatever you want into many adspaces.
    • And thus adblockers will become more common, and the whole industry will collapse.

      • by FireballX301 ( 766274 ) on Friday August 28, 2015 @12:19AM (#50407301) Journal
        No, the ads just move out of ad spaces into 'native' space, embedded with content and interspersed into feeds and streams. That's what all those sponsored articles and stuff are, and it's really terrible. Don't get me wrong, I'm not particularly pro-advertising, but I see polite, safe ads that are placed into their own corner of a page as a good compromise in order to avoid the corruption of actual page content. I've seen (and run) enough high quality content sites that can't pay for their own hosting or bandwidth, and it sucks to see them go away.
        • No, the ads just move out of ad spaces into 'native' space, embedded with content and interspersed into feeds and streams.

          Or the adverts become articles, with no indication that they are sponsored. One newspaper website that I read has a "monthly limit" (not effective when you use private browsing) of 10 pages. But even after this limit is reached, some articles can still be read. I assume that the the newspaper is receving payment when someone reads the article. However, there is nothing to indicate that

          • by Mashiki ( 184564 )

            If you're in the US, said articles must be clearly labeled as sponsored content. It's big FTC fines if they don't label them as such.

    • by gweihir ( 88907 ) on Friday August 28, 2015 @12:22AM (#50407309)

      Thanks for this explanation. As nobody in their right mind wants ads, anybody looking for a solution will arrive at complete blocking. The underlying problem is of course that the whole market structure is fundamentally broken, much like the stock market in 2008 with the sub-prime crisis: People brokering things without knowing anything about quality. If enough of that happens, the market collapses.

      I expect that in the not too distant future, complete blocking of all ads will be a security best-practice.

      • by RogueyWon ( 735973 ) on Friday August 28, 2015 @03:20AM (#50407705) Journal

        Actually, I don't detest ads per se. I held off for using an adblocker for a long time, because there were a few sites I frequented that I knew were unlikely to be able to stay in operation on anything other than the advertising model. Static-image ads or even tastefully animated ones (ie. a selection of items from a product range which changes every 20 seconds or so) don't bother me, provided they don't fill half the screen.

        But I'm on an adblocker now, as of around 9 months ago. Malvertising was a factor in this move, but the biggest factor were auto-playing video-ads with sound. I got bored of clicking through browser tabs playing the game of "spot where the noise is coming from". Oh, and those full-site wrap-around ads that leave almost no room on the screen where you can click-for-focus without clicking the ad are infuriating as well.

        This is an industry that seems set for self-destruction. I've no doubt that there are responsible, legitimate advertising firms out there, as described by the GP (I still see plenty of "inoffensive" ads). There are also, as I said above, a lot of useful resources that would either require subscriptions or shut down without advertising. But it doesn't take many bad apples to sour the public on the whole idea. Adblockers are getting traction even with people who were uncomfortable with them to begin with on ethical grounds (like me) and from what we've seen out of the courts so far, they're not getting banned any time soon (and the growth of malvertising makes this even more of an unlikely prospect).

        I suspect the onus is going to be on the industry to sort this out, through creating a trade association with some real teeth and buy-in from the major customers, plus potentially co-operation with search engines to help identify dodgy sites.

        All of which is probably a recipe for a cartel 10 years down the line. Solve one problem and another replaces it...

    • by rsborg ( 111459 ) on Friday August 28, 2015 @12:30AM (#50407343) Homepage

      Thanks for the explanation of how the advertising industry works. I really do think that commoditizing things that should really never be commoditized (i.e., home loans, ad placements, etc) creates a perverse incentive to such razor thin margins that cheating or lying becomes the only way to stay profitable.

      In a larger sense, commoditization prevents competition on value. Everything competes on price, and quality isn't quantifiable as easily as price, and so there's a race to the bottom. Even if you build up a good name, a bigger player can undercut you on both price and quality for a while, drive you out of business and then completely drop the ball on quality and still rake in the profits (send a few $$ to reviewers or quality inspectors and buy a higher rating than you deserve).

    • The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks

      Which ad networks haven't served malware?

      (Also, the free market solution is for everyone to use ad block).

    • by aepervius ( 535155 ) on Friday August 28, 2015 @01:39AM (#50407481)
      Doubleclick isn't exactly your eastern europe shaddy site : http://www.theverge.com/2014/9... [theverge.com]

      You are probably not responsible and involved, and thank you for the informative post, I am sorry but your "we are vetting ad" in view of big network serving malware, sounds more like trying to stem the flow of the blood while pretending one is not wounded.

      "The only real market solution is to whitelist a certain number of ad networks"
      No the real only solution is to blacklist *all* ad network until they accept responsibility and utterly disable any scripting in their advertising, only serving sanitized text and sanitized image. And that is the minimum.
      • they vet, but they problem is they don't serve. I assume due to bandwidth issues (why pay for it when the advertiser will). In any case, malvertising is very sophisticated and the ads are often *not* malicious. But an approved ad is swapped out with the malicious (even if only 0.1% of the time) so the brokers are not aware.

        The system is broken and advertisers are floundering. It used to be a small minority group who blocked ads (I still have a custom stylesheet in place that marks ads as being "unimportant"

    • Interesting.

      A problem I have (and a temporary solution) is that ads come from a third party site. Usually the same few networks. I don't like being tracked by third party sites and I see no reason to view their content, so I simply DNS block common ad networks and third-party-content block them in the browser. This is causing the problem that I don't pay for the sites I visit (the adblock problem) and of course I can't visit sites that demand the third party site content to show (DNS block),
      but there is at

    • The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks, but this segments the internet into the haves (premium inventory, high quality sites, premium ad networks, premium ads, all expensive) and the have nots (mom and pop sites with mediocre inventory that nobody visits because of the chance of getting cancer from the shit networks they have to run). Beyond that, this problem is unlikely to go away - it's simply too easy to game the system and put whatever you want into many adspaces.

      Many of us are already doing that, using adblock to blacklist everything by default, and whitelisting ads on a case by case basis.

      I'm glad that someone in the online advertising industry is finally advocating for this strategy. It took you guys a while.

    • by RogueyWon ( 735973 ) on Friday August 28, 2015 @03:35AM (#50407737) Journal

      The "mom and pop" sites point rings amusingly true for me.

      Around a year ago, my dad went through a wave of really nasty malware infections. The ones that block your AV software, redirect your DNS and generally embed themselves right across the OS.

      Now, my dad has historically been a bit of a malware-magnet. He falls into the category of "knows just about enough to think he knows everything", which used to lead him into some really poor security practices. But after a really nasty infection in 2012 which resulted in him losing quite a significant chunk of personal data, I thought he'd finally learned his lesson. He was keeping on top of Windows Update, keeping an updated AVG install, running weekly Malwarebytes scans and had finally, finally, stopped opening dodgy e-mail attachments from his perpetually-malware-infested dickhead golf-buddy friends.

      I'd also put him on an adblocker. I wasn't using one myself at the time (though I am now), but I was sick of making the 4-hour-each-way journey to his place to fix his machine, so I'd held nothing back.

      So a wave of four or five infections in the space of a month came as a bit of a shock. What was surprising was that he was getting re-infected very quickly after each disinfection (including one which involved a full format-reinstall of Windows).

      Eventually, after going through his browser history after two consecutive infections (and half-expecting to find a megaton of pr0n), I track down the source.

      And it's not pr0n, it's his bloody family history club website. Some online forum he participates in for people who are trying to trace their ancestry in a particular area. It has under 50 regular participants. It also has a prominent notice about how much the site depends on advertising income to stay in operation and asking users to disable or make an exception in their adblocker (with instructions on how to do so).

      My dad has, of course, been making an exception for this site, which is then pushing a remarkably concentrated and toxic cocktail of malware-infested ads almost every time it is accessed. We actually ended up on the phone to the guy who ran the site, begging him to switch to another advertising provider. He wasn't exactly enthusiastic, so the adblocker remained in place. Don't know where things have got to since then.

      • We actually ended up on the phone to the guy who ran the site, begging him to switch to another advertising provider. He wasn't exactly enthusiastic, so the adblocker remained in place. Don't know where things have got to since then.

        Probably nowhere, and fast. Dude is willfully aiding and abetting crime by carrying a known-malicious ad network. What scum.

      • which resulted in him losing quite a significant chunk of personal data, I thought he'd finally learned his lesson. He was keeping on top of Windows Update, keeping an updated AVG install, running weekly Malwarebytes scans and had finally, finally, stopped opening dodgy e-mail attachments from his perpetually-malware-infested dickhead golf-buddy friends.

        I don't see where you put him on some kind of backup system.

    • Hum... A few suggestions for you. The first and most fundamental is to try to prevent your ad can run any script, so even if it is malicious it will not be able to do anything, I do not believe that an ad with animations and sounds to be more effective than a simple link or a still image.

      Second, you know those ads that offer X but clicking on them you are directed to Y? Avoid them as if they were radioactive. No more annoying thing for a user to click on a picture thinking it will for one thing (the down
    • by Sloppy ( 14984 )

      90% of ad networks vet their ads to run clean

      Are you saying that if I send them an .swf file, they'll say, "no, send us the source, and we'll audit it and then compile it ourselves?"

      Because if they don't do that, then they're not vetting jack shit.

      (Putting aside the fact that Flash ads have mercifully fallen out of fashion in the last few years.)

  • by gweihir ( 88907 ) on Friday August 28, 2015 @12:17AM (#50407295)

    Advertising companies obviously cannot ensure clean ads or do not care. Users are responsible for protecting their machines. The only sensible thing is to block all ads without distinction and permanently. This industry has nobody but themselves to blame for their inevitable decline.

    • Advertising companies are much more focused on getting rid of click-fraud and improving targeting abilities, because the people who pay them want that. If you visit an ad network, that is all you will hear, "improved targeting!"
      • by gweihir ( 88907 )

        They seem to have forgotten that they are parasites and must not do any real damage to their hosts or they will be fought and neutralized.

  • by whoever57 ( 658626 ) on Friday August 28, 2015 @12:29AM (#50407341) Journal

    This is why I am not on board with the idea of https everywhere. Recently, I started seeing obviously malware ads in the middle of Words With Friends (OK, maybe Words with Friends is malware!!). Configuring my squid proxy, I was able to block not only the site that was serving the ads (gaseview.com), but also the ad network that I think was providing the links to the malware ads (mopub.com).

    With https everywhere it is much more difficult to block such ads.

    • Re: (Score:2, Informative)

      WWF is a horrible app. After exiting, it's still running...draining your battery, sending annoying notifications 24/7, and reporting back who knows what information. I liked the game itself, but the battery drain and notifications was too much and now it's gone.
    • You can use your own proxy to essentially do a MITM attack on your own connection and remove the ads or do anything else you would like and still have encrypted connecteion over the public internet.

      • How would you break into the encrypted stream?
        • Set up transparent proxy, redirect all connections to outside server ports 443 to the transparent proxy server. Set the proxy (squid can do this) so it generates a certificate on connection using your own self-signed CA certificate to sign it. Install the CA certificate on your PC.

          Now your proxy server is the man-in-the-middle - having encrypted connection from it to you and from it to the origin server, but also having access to the unencrypted content. This is exactly like a MITM attack, except you are do

          • Cool, thanks
  • please forgive my ignorance, if my prejudice is in any way misguided, but i am under the impression that the attack vector, in actual fact, is flash, as i cannot see how a simple image, or even a "normal" video, could possibly compromise a target machine, whereas i understand adobe is full of holes, deliberate or otherwise.

    or, to put it another way, i've never seen a machine compromised, to date, after wiping adobe (hack, spit) from the system.

    while i'm at it - am i correct to believe the company was actual

    • as i cannot see how a simple image... could possibly compromise a target machine

      It can [nist.gov]. I believe libjpeg was the first image parser to have a vulnerability, but LibPNG has had quite a few. Image and Video parsers are complex, and complex code means high chances for vulnerabilities.

      Is your browser complex? You better believe it's full of vulnerabilities. We only hear about Flash vulns because they are the low-hanging fruit.

      • It's not just that they're complex. The code for decoding them is also not usually with security in mind. Remember that libjpeg was written in an era when a 486 was a high-end machine and all three sites on the web that contained images were pretty trustworthy. It needed to be able to decode and display the image in a limited amount of RAM, on a slow CPU, without the user complaining about the time it took (and it didn't - it was slow, and we complained). Modern CPUs are fast enough that even an interpr
        • It's not just that they're complex.

          The complexity definitely matters. I only realized this when I wrote a decoder myself, and saw the many places for bugs to hide (it can seem like everything is working great.......but there are so many corner cases that don't come up with normal testing).

    • by jafiwam ( 310805 )

      please forgive my ignorance, if my prejudice is in any way misguided, but i am under the impression that the attack vector, in actual fact, is flash, as i cannot see how a simple image, or even a "normal" video, could possibly compromise a target machine, whereas i understand adobe is full of holes, deliberate or otherwise.

      or, to put it another way, i've never seen a machine compromised, to date, after wiping adobe (hack, spit) from the system.

      while i'm at it - am i correct to believe the company was actually responsible for jailing a man, a foreign national, without charges, for well over a year, in direct response to his having exposed the insecurity of an adobe "security" mechanism?

      You are forgetting a whole class of those malware attempts (not ads, ads are just a subclass of malware) that masquarade as parts of windows, updates, parts of anti-virus programs, nVidia driver updates, etc. You know, the ones that old people can't quite figure out so they click anyway just to be sure.

      You don't need a security hole if you can convince the user the malware is legit and should be installed.

      The thing is, that type of festering garbage comes through the SAME ad network as the ads for the ne

  • I read the article all the way through, and it SEEMS like you have to click on the ad in order for it to infect you. They don't specifically come out and SAY this, though. So, is this the case? Does not clicking on ads keep you safe? I thought just having a flash ad download and execute on your machine was enough, or are we not talking about this? There are references to "hardened landing pages" that infect the users, so WTF is up with that?

    The funny part is that the malware installed is used to inst

    • by jafiwam ( 310805 )

      I read the article all the way through, and it SEEMS like you have to click on the ad in order for it to infect you. They don't specifically come out and SAY this, though. So, is this the case? Does not clicking on ads keep you safe? I thought just having a flash ad download and execute on your machine was enough, or are we not talking about this? There are references to "hardened landing pages" that infect the users, so WTF is up with that?

      The funny part is that the malware installed is used to install click-fraud bots on infected machines, so the ad networks and/or end clients themselves are the ones being screwed out of money.

      How do you not-click an ad that takes up the entire screen with a transparent hotspot?

  • by jez9999 ( 618189 ) on Friday August 28, 2015 @06:08AM (#50408027) Homepage Journal

    They're getting ever more sophisticated. I got some sort of malware the other day that actually poses as a Windows update, which puts a permanent icon in my system tray with regular (3 or 4 times a day) popups about a "free upgrade to Windows 10". Luckily I don't fall for that kind of thing but I don't know how I got the virus in the first place.

  • Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements.

    OK, then I'm afraid these 'security responders' were oblivious to the 7 or so years before that, and are therefore suspect.

    Malware has been in ads since the friggin' .com era, saying they started in 2007 tells me they weren't paying attention.

    Flash has been a vector for security exploits from ads as long as it has existed, as has javascript

  • People having promiscuous sex should use condoms. Not in the interim while we are working for a cure for HIV, not until there are some better treatments for herpes. If you are engaging in sex with multiple partners, it will ALWAYS BE A GOOD IDEA.

    The web is no different. As long as sites can cause local code execution, I don't care if its in a limited environment. I don't care if its in a restricted VM. These environments always end up having holes, and those holes, once widely distributed, will always creat

    • People having promiscuous sex should use condoms. Not in the interim while we are working for a cure for HIV, not until there are some better treatments for herpes. If you are engaging in sex with multiple partners, it will ALWAYS BE A GOOD IDEA.

      Well, perhaps someday we will reach the point where phage therapy is more reliable than condoms. At that point, it will be largely irrelevant. Of course, that's assuming our society makes it long enough to develop that far...

    • I'm guesstimating that we'll have no need for condoms in something like 40-50 years. (You may wish to wash your hands after handling my guesstimates.) I'm interested in how society will evolve when the only reason to not have sex with someone is that you don't want to, but I doubt I'll be around to observe personally.

  • If the ad networks stopped using Flash for ads and switched to only using HTML5, the amount of nasty stuff would drop dramatically. Are there exploits in browsers where a dodgy non-Flash ad could get in? Sure there are. But its much harder for malware to exploit those holes, especially if you keep your browser up-to-date (and aren't doing something stupid like connecting a browser that is no longer receiving security updates to the open internet)

    At the very least, a non-Flash malware ad would need a bunch o

Like punning, programming is a play on words.

Working...