Slashdot Mirror


How Malvertising Abuses Real-Time Bidding On Ad Networks

msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.


  1. It's all automated by Anonymous Coward · · Score: 2, Insightful

    The second you take the human out of the loop on who approves something going into production, you open up a huge avenue of risk: that the automation will put something you don't want out on the Web.

  2. plagiarism by sribe · · Score: 4, Insightful

    Direct copy-and-paste from an article should be quoted, to make it clear that in fact msm1267 wrote nothing at all.

    Sigh, OTOH, at least the "summary" is not a gross misrepresentation, like so many others.

    1. Re:plagiarism by Noah+Haders · · Score: 3, Insightful

      if it were my summary I would definitely attribute it to somebody else, because it makes absolutely no sense. what does this mean? "But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?" what does the rest of the summary mean?

    2. Re:plagiarism by sribe · · Score: 1

      if it were my summary I would definitely attribute it to somebody else, because it makes absolutely no sense.

      Right. It makes no sense precisely because it is NOT in any way a summary, which would take a few moments' effort to write. It's just a copy and paste of the first few sentences of the article.

      "But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?" what does the rest of the summary mean?

      Exactly. The article goes on to explain that. A summary would at least give some idea. The copy & paste of the first few sentences, cut off at an arbitrary point, totally leaves you hanging.

  3. Anonymous advertisers by kurkosdr · · Score: 5, Informative

    Ahh... The joys of having anonymous advertisers, even on well-known sites: Not only are some of the ads of questionable legality, but some of them may actually hurt you. THIS is why AdBlock Edge is a security policy, not an adblocking policy. Don't give me the "freeloader" talk. Either host your own ads and be responsible for them, or partner with reliable ad agencies (and maybe I will unblock them).

    1. Re:Anonymous advertisers by tepples · · Score: 1

      What makes an ad agency reliable to you?

      And what solutions do you recommend for individual blog authors to implement "host your own ads"?

    2. Re:Anonymous advertisers by kurkosdr · · Score: 3, Interesting

      "Host your own ads" is something only big sites can implement obviously. An ad agency is reliable if all the advertisers are non-anonymous, and hence responsible for the content they push through the ad agency. And don't tell me "it's not possible", there is this thing called HTTPS. Instead, as of now, anyone with a computer and internet connection can be an "advertiser". No eponymity or responsibilities, yay! This was good enough for the first years of the internet. "Freedom", easy, cheap blah blah, now it's not good enough, because there is lots of money to be made for malvertising, and ad agencies can't keep up with preventing and blacklisting anonymous mal-ads. Unreliable ad agencies that don't care about my security will simply get Ad Blocked and lose my ad impressions (I don't care). Mutual non-caring.

    3. Re:Anonymous advertisers by Anonymous Coward · · Score: 1

      Why should a blog have ads on it? I write a blog too; I don't have any ads there. What makes you think I want to see ads when you write your drivel? (Mine's drivel too; I am not singling you out.). Get real; blogs shouldn't HAVE any ads. Random musings or the like don't need "monetization". They aren't worth anything anyway.

    4. Re:Anonymous advertisers by gstoddart · · Score: 1

      What makes an ad agency reliable to you?

      One in which all of the employees are encased in carbonite, and whose computers and records have all been nuked from orbit.

      Anything less and you have to assume they're still unreliable.

      And what solutions do you recommend for individual blog authors to implement "host your own ads"?

      Not Our Fucking Problem.

      Sorry, but I will continue assuming all ads are crap I don't wish to see, served by companies who don't give a crap about my privacy or security and whom I therefore do not trust.

      The revenue of web sites interests me not even a little.

      Go to a subscription model and see if you can stay in business. Or accept that some fraction of users do not wish to see your advertising, and don't trust the companies serving them.

      --
      Lost at C:>. Found at C.

    5. Re:Anonymous advertisers by sjames · · Score: 1

      Let's start with has effective controls to prevent ever serving malware. Add in no history of serving malware.

      Much like the food industry, I don't care how the grocery store avoids selling arsenic as flour, only that they do. If they claim that they can't, they shouldn't expect to sell much flour.

    6. Re:Anonymous advertisers by tepples · · Score: 1

      Until September 2013, no major ad network supported HTTPS at all. That is when AdSense added HTTPS support. But for people who wish to avoid AdSense, which other ad networks have HTTPS now? Besides, it's still possible to serve a Flash Player exploit over HTTPS.

    7. Re:Anonymous advertisers by innocent_white_lamb · · Score: 1

      "Host your own ads" is something only big sites can implement obviously.
       
      Obviously?
       
      I can (and occasionally do) sell advertising to local businesses that want to advertise on my website.
       
      No middleman, no profit-share, and I know exactly who and what I'm advertising on what is, after all, MY website.

      --
      If you're a zombie and you know it, bite your friend!

    8. Re:Anonymous advertisers by tepples · · Score: 1

      Why should a blog have ads on it?

      To pay for the VPS that hosts the blog.

  4. Advertisers reeling over this small fix! by Billly+Gates · · Score: 1

    Slashdotters discover cure for malware from infected ad servers from this simple tool

    https://adblockplus.org/

    Advertisers & Malware writers HATE THIS!

    1. Re:Advertisers reeling over this small fix! by ColaMan · · Score: 1

      I'm afraid you're going to have to retire the "HATE THIS" meme.

      From now on, you have to write the hooks to ad-laden drivel using the following as a guide:

      <SUBJECT> <ACTION> <ACTION>. <NEXT ACTION> <MY DISPROPORTIONATE RESPONSE>

      eg.

      "He Downloaded Adblock And Installed. When He Reloaded The Page, I Was Amazed."

      Ensure That You Capitalise Every Word For Maximum Impact.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.

    2. Re:Advertisers reeling over this small fix! by Billly+Gates · · Score: 1

      I'm afraid you're going to have to retire the "HATE THIS" meme.

      From now on, you have to write the hooks to ad-laden drivel using the following as a guide:

      <SUBJECT> <ACTION> <ACTION>. <NEXT ACTION> <MY DISPROPORTIONATE RESPONSE>

      eg.

      "He Downloaded Adblock And Installed. When He Reloaded The Page, I Was Amazed."

      Ensure That You Capitalise Every Word For Maximum Impact.

      SLASHDOT USERS DISCOVER SHOCKING WEBSITE. SEE WHY THIS SITE HAS GEEKS IGNORING THREATS

      LOCAL USER COLAMAN SAVED BIG! CLICK NEXT AT www.adblockplus.com TO SEE HOW??!

      How was that?

  5. clean your own stable first by Thud457 · · Score: 4, Insightful

    I'm sorry. Please explain to me again how I'm stealing food from "content creator"'s mouths by running adblock. And why I hate freedom for making Flash click to play.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:clean your own stable first by sribe · · Score: 1

      And why I hate freedom for making Flash click to play.

      Because when you do that, your browser still reports to the sites that it supports Flash, which encourages them to continue using it. If you REMOVE Flash, then it's not reported as a supported type, and the statistics skew more and more toward showing Flash being unsupported, which contributes to the ultimate demise of Flash.

      So, THAT is why I say you hate freedom for making Flash click to play ;-)

  6. Why not restrict all ads to GIFs or JPGs? by Anonymous Coward · · Score: 3, Insightful

    Users getting malware infection from ads is a really big problem even when you never click on them.
    Why not restrict all ads to GIFs (static or animated) and JPGs?

    1. Re:Why not restrict all ads to GIFs or JPGs? by Fwipp · · Score: 1

      Because flash/javascript ads pay way more.

    2. Re:Why not restrict all ads to GIFs or JPGs? by Intrepid+imaginaut · · Score: 1

      Do they? I know there's a premium on popup ads and interstitial pages, but I've never met anyone who said "wow, what an amazing ad jumping around and flashing lights at me, let's click on that instead of checking out the content I came for". Maybe some people pay more for them but I wouldn't call it a well advised move.

      The most interesting part of the article for me is the idea of real time bidding - maybe web adverts will finally start paying as well as print adverts.

    3. Re:Why not restrict all ads to GIFs or JPGs? by Joshua+Fan · · Score: 1

      That's from your own anecdotal evidence. Advertisers use what statistics tells them works. They may even be happy with accidental clicks caused by javascript ads that jump under your cursor.

    4. Re:Why not restrict all ads to GIFs or JPGs? by ColdWetDog · · Score: 1

      Do they? I know there's a premium on popup ads and interstitial pages, but I've never met anyone who said "wow, what an amazing ad jumping around and flashing lights at me, let's click on that instead of checking out the content I came for".

      Apparently you don't interact with my family - it is a sad, strange world out there.

      --
      Faster! Faster! Faster would be better!

    5. Re:Why not restrict all ads to GIFs or JPGs? by Crashmarik · · Score: 1

      What I have been seeing are the ads that disguise themselves and then make it impossible to navigate away from them. One of these days I would love to see one of these clowns in court explaining how it was just good business to trick the viewer and then trap them.

    6. Re:Why not restrict all ads to GIFs or JPGs? by YrWrstNtmr · · Score: 1

      You fail to understand law talking guy speak

      -So the user clicked on our ad. That means he wanted that content delivered.
      -And then he clicked in the window again. That means he wanted the next level. So we delivered it to him.
      -Your honor, it clearly states, "Click here if you want to exit" (said 'exit' looks completely different to a normal OS 'exit' thingie)

  7. Meh by grimmjeeper · · Score: 2

    Reason number 48372534786 why it's better just to universally block advertisements on the internet.

    1. Re:Meh by Noah+Haders · · Score: 4, Informative

      Reason number 48372534786 why it's better just to universally block advertisements on the internet.

      Apple has been leading on this front with several initiatives to protect users from malicious ads. One of them was a setting in Safari to only accept cookies from the first-party site, so when you go to cnn.com the browser accepts a cookie from cnn.com but not from malvertiser.com, who has a banner ad on the site.

      This upset google because it cut into their business model of selling effective ad space. So google inserted malicious code into webpages to hack the safari browser and override security settings so it could download unwanted and potentially malicious files onto users' computers. Because of this, google received the biggest fine in FTC history and is being sued for privacy violations in the UK.

      Think about this for a second, and what it means. A website overriding browser security settings to serve unwanted and possibly malicious files. This is outrageous and unethical, and if it were Microsoft then the entire internet community would be enraged. Also think about it in light of this article on malvertisements, which google was actively propagating.

      Apple has since taken the cat and mouse game further, so the setting is "allow from current website only". I expect malvertisers to scramble to overcome this block, but I hope that legitimate respected top tier internet companies act a little more ethically.

    2. Re:Meh by Anonymous Coward · · Score: 1

      Adblock+ (Or whatever your favorite variant/flavor/fork/alternative is) is the best security suite you can install on any computer.

      Attack surface reduction is among the most basic and important of security practices.

    3. Re:Meh by sconeu · · Score: 2, Informative

      Yeah, Apple *really* led with that. Firefox has had a "block third party cookies" setting since day one.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

    4. Re:Meh by grimmjeeper · · Score: 1

      Adblock+ by itself isn't enough. You need a script blocker, set up your browser to not accept third party cookies, and, most importantly, stop running flash.

    5. Re:Meh by Anonymous Coward · · Score: 2, Insightful

      but never as the default.

    6. Re:Meh by amicusNYCL · · Score: 1

      A website overriding browser security settings to serve unwanted and possibly malicious files. This is outrageous and unethical

      And a major security bug in Safari, apparently.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

    7. Re:Meh by bhcompy · · Score: 1

      ABP and NoScript basically handle most of that. Flashblock isn't necessary with NoScript unless you want to enable a website and keep Flash disabled until you want to use it

    8. Re:Meh by grimmjeeper · · Score: 1

      There's a reason I specifically called out getting rid of flash. Every legitimate website should be going to HTML5 if they aren't there already. There is no reason to be sticking with flash exclusively in 2015. It's vulnerable but at the same time doesn't give you anything you can't do in a more safe framework. It is a relic that needs to die sooner rather than later. If a website isn't switching over, you have to ask yourself why.

      And yes, I know there is a huge code base for flash based games and the lot. But that's no reason to refuse to switch over to a better platform in the long term. It may take a while to move everything. But if they're not making the effort to move to a better, more secure platform I question their motives.

    9. Re:Meh by Anonymous Coward · · Score: 1

      Opera and Firefox have had such a setting (to allow only cookies from the server, and no third party cookies) since long before Safari. Curiously, they don't have the same security flaw that Safari has, and simply don't accept third party cookies when told by the user to do so.

    10. Re:Meh by hairyfeet · · Score: 1

      That is why I said the guy who came up with "Don't be evil" should have been given a new car and a million in cash, because no matter how much Google fucks over consumers, no matter how nasty they get, hell they can do shit that would make Gates in the 90s cringe and they will ALWAYS get a legion willing to defend them because of one stupid advertising slogan.

      Think the most effective ad campaign was "have a coke and a smile" or "where's the beef?", not a chance in hell as "Don't be evil" has worked like a magic cloak for fricking years. Gotta give the man credit, it's the most brilliant piece of marketing since Jobs sold the world that Apple was a bunch of t-shirt wearing rebels.

      --
      ACs don't waste your time replying, your posts are never seen by me.

  8. Why don't they recompress all the images? by Ambassador+Kosh · · Score: 3, Insightful

    Aren't most exploits removed by loading the image and then recompressing it? Why would you ever serve the raw binary for an image at least that was directly given to you by an advertiser? Isn't that just asking for an exploit?

    I understand flash is much harder to deal with. Maybe the ad networks need some kind of template for allowed flash so they can take the flash file, take it apart, recompress all the images in it and then load it into their own template so that any exploits in it are probably removed.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)

    1. Re:Why don't they recompress all the images? by thsths · · Score: 1

      Yes, the system as it is at the moment is just asking for trouble.

      Google tends to host a lot of the ads themselves, which makes it slightly more reliable. But they have had their fair share of trouble, too.

  9. Paging Samuel L Jackson... by sunderland56 · · Score: 1

    Mr. Jackson: your editorial advice is clearly needed here at Slashdot. Article summaries have become a leading cause of frustration for those of us who can actually read and write English.

    1. Re:Paging Samuel L Jackson... by 6Yankee · · Score: 1

      I have had it with these motherf*cking ads on this motherf*cking site!

    2. Re:Paging Samuel L Jackson... by Spy+Handler · · Score: 1

      Javascript, motherfucker! Do you run it?

  10. Liability by Ryanrule · · Score: 4, Interesting

    Make sites FULLY liable for problems caused by malware they serve up. Problem solved.

    1. Re:Liability by sunderland56 · · Score: 2

      If media sites become financially liable for the harm that their content does, Fox News is in deep trouble.

    2. Re:Liability by kurkosdr · · Score: 1

      Someone really needs to cast the first lawsuit, and see how those "disclaimers" and "terms of use" hold up.

    3. Re:Liability by LessThanObvious · · Score: 1

      As much as I'd hate to see a circus of lawsuits around this issue, it's clear there is an ethical obligation of sites to warranty their advertisements to do no harm. A user willingly goes to www.reputablesite.com, but they have no informed consent over all the advertisements and other links that site displays, they just load along with the requested page. If the requested page is loading third party content and getting paid to do so, then clearly they should make every effort to screen for malware or abuse.

    4. Re:Liability by sjames · · Score: 1

      I swear the first time I glanced at your post I read it as 'media shites'. I may have been right the first time in light of the end of your sentence.

  11. No one cares by Runaway1956 · · Score: 3, Insightful

    Absolutely NO ONE cares that some individual blogger makes a dollar from his blogging. Not the readers, not the corporations, not your ISP/host, not even the government, NO ONE. None of us gives a small rat's ass. But, yes, you CAN negotiate with some advertiser whom you deem to be reputable, and not suck at the Google teat, or whatever. Host your own ads, or I won't see them, it's really that simple. All the big ad servers are blocked on my machines.

    Reliable ad agency? Yeah, I gotta agree, that's kinda funny. It may even qualify as a full fledged oxymoron.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    1. Re:No one cares by kurkosdr · · Score: 1

      "Reliable ad agency? Yeah, I gotta agree, that's kinda funny." If you can just sit back and be a middleman collecting his sweet cut (while pretending to care about user's security), why bother caring about who your advertisers are and expend effort to make sure they are non anonymous? After all, you have the disclaimer. Thank (insert name of deity here), users have adblock.

    2. Re:No one cares by tepples · · Score: 1

      Then how should individuals recover the $120/yr for a VPS?

    3. Re:No one cares by Runaway1956 · · Score: 1

      Huh? Why should you recover it? ISP fees, VPN, VPS - all of those are something that YOU pay for, because YOU want to be "out there". Why SHOULD you recover it?

      Of course, you could do what so many others do. Put your paypal account on your home page, and solicit funds in the form of "donations". I've actually sent donations now and then. I block the ads though.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    4. Re:No one cares by tepples · · Score: 1

      $120 per year for one thing, $120 per year for another, and pretty soon all these recurring fees add up to real money that exceeds the income from an entry-level job.

  12. There's a lot of filtering and checking by Anonymous Coward · · Score: 1

    All of the RTB platforms put a great deal of effort into validating adverts before they run, and are *very* responsive to anything which gets past those filters and checks.

  13. Security Assessments and 3rd party Ad providers by mike2006 · · Score: 1

    No doubt these companies went through network, server and application security assessments and then completely ignored their 3rd party Ad provider that hosts their Ads on a hacked shared host.

  14. Old news by simplypeachy · · Score: 1

    This article is about 15 years late. Malware via adverts/trackers has been around since before the word "phishing" was coined. If the advertising industry gave any shits about fixing this, they'd have done it by now as it's a very simple problem to fix. But surprise surprise - they don't care, and neither do the sites complicit in selling their users to the advertisers!

  15. Re:Accountability. by grimmjeeper · · Score: 1

    The trouble is, how do you identify where the malware comes from? Sifting through the outrageous numbers of ads on so many of the random click-bait web pages full of kitten videos linked to on Facebook is hard enough. Trying to nail down exactly which ad gave you the infection would be pretty much impossible. So there's no way to really know who to sue.

    The only solution is to approach the internet like you would approach a lady of the evening. Don as much protection as you can before you interact because there's no telling what dangers lurk in the dark places. Because if you come away with an infection, there's nothing you can do but treat it as an afterthought.

  16. Re:Accountability. by hairyfeet · · Score: 1

    Simple, when sites are caught serving malware all those whose browser history shows they visited the site during the time in question should be assumed to have gotten any infections on their machine from the site in question, problem solved.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  17. "effective controls" by tepples · · Score: 1

    What would you define as "effective controls"? And for how many years is a well-known ad network going to be able to keep a spotless record? Which if any existing network qualifies?

    1. Re:"effective controls" by sjames · · Score: 1

      Given the amount of malware served up by ad networks these days, I'd have to say better than they have now. I haven't really considered the question any further since that determination was all I needed to enable ad-blocking.

      Let's just say it'll be up to them to make the case to me that they are now free and clear of malware. Since I have no actual desire to consume their content, the burden of proof will be quite high.

  18. And THIS is why I run AdBlock by jonwil · · Score: 1

    Until ad networks can ensure that EVERY ad they run is 100% free of malware, I will continue to block their ads.

  19. Please disable your ad blocker to view this page by tepples · · Score: 1

    Since I have no actual desire to consume their content

    Until you hit a site that has Adblockblock. I've noticed that a lot of sites are doing this nowadays for videos and even for text beyond the first couple paragraphs.

  20. Re:Please disable your ad blocker to view this pag by sjames · · Score: 1

    I have seen a few of those. Just highlight a relevant bit of text and search it on google. It's rare that a page will have exclusive information anymore.

  21. Re:I asked AdBlock's creator those questions... ap by goose-incarnated · · Score: 1

    I am intrigued by your ideas and would like to subscribe to your newsletter.

    --
    I'm a minority race. Save your vitriol for white people.