Slashdot Mirror


How Malvertising Abuses Real-Time Bidding On Ad Networks

msm1267 writes Dark corners of the Internet harbor trouble. They're supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That's the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks. Hackers are thriving in this arena because they have found an unwittingly complicit partner in the sundry ad networks to move malicious ads through legitimate processes. Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold. RTB enables better ad targeting for advertisers and less unsold inventory for publishers. Hackers can also hitch a ride with RTB and target malicious ads on any site they wish, much the way a legitimate advertiser would use the same system.


  1. It's all automated by Anonymous Coward · · Score: 2, Insightful

    The second you take the human out of the loop on who approves something going into production, you open up a huge avenue of risk: that the automation will put something you don't want out on the Web.

  2. plagiarism by sribe · · Score: 4, Insightful

    Direct copy-and-paste from an article should be quoted, to make it clear that in fact msm1267 wrote nothing at all.

    Sigh, OTOH, at least the "summary" is not a gross misrepresentation, like so many others.

    1. Re:plagiarism by Noah+Haders · · Score: 3, Insightful

      if it were my summary I would definitely attribute it to somebody else, because it makes absolutely no sense. what does this mean? "But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors?" what does the rest of the summary mean?

  3. Anonymous advertisers by kurkosdr · · Score: 5, Informative

    Ahh... The joys of having anonymous advertisers, even on well-known sites: Not only are some of the ads of questionable legality, but some of them may actually hurt you. THIS is why AdBlock Edge is a security policy, not an adblocking policy. Don't give me the "freeloader" talk. Either host your own ads and be responsible for them, or partner with reliable ad agencies (and maybe I will unblock them).

    1. Re:Anonymous advertisers by kurkosdr · · Score: 3, Interesting

      "Host your own ads" is something only big sites can implement obviously. An ad agency is reliable if all the advertisers are non-anonymous, and hence responsible for the content they push through the ad agency. And don't tell me "it's not possible", there is this thing called HTTPS. Instead, as of now, anyone with a computer and internet connection can be an "advertiser". No eponymity or responsibilities, yay! This was good enough for the first years of the internet. "Freedom", easy, cheap blah blah, now it's not good enough, because there is lots of money to be made from malvertising, and ad agencies can't keep up with preventing and blacklisting anonymous mal-ads. Unreliable ad agencies that don't care about my security will simply get Ad Blocked and lose my ad impressions (I don't care). Mutual non-caring.

  4. clean your own stable first by Thud457 · · Score: 4, Insightful

    I'm sorry. Please explain to me again how I'm stealing food from "content creator"'s mouths by running adblock. And why I hate freedom for making Flash click to play.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  5. Why not restrict all ads to GIFs or JPGs? by Anonymous Coward · · Score: 3, Insightful

    Users getting malware infection from ads is a really big problem even when you never click on them.
    Why not restrict all ads to GIFs (static or animated) and JPGs?

  6. Meh by grimmjeeper · · Score: 2

    Reason number 48372534786 why it's better just to universally block advertisements on the internet.

    1. Re:Meh by Noah+Haders · · Score: 4, Informative

      > Reason number 48372534786 why it's better just to universally block advertisements on the internet.

      Apple has been leading on this front with several initiatives to protect users from malicious ads. One of them was a setting in Safari to only accept cookies from the first-party site, so when you go to cnn.com the browser accepts a cookie from cnn.com but not from malvertiser.com, who has a banner ad on the site.

      This upset Google because it cut into their business model of selling effective ad space. So Google inserted malicious code into webpages to hack the Safari browser and override security settings so it could download unwanted and potentially malicious files onto users' computers. Because of this, Google received the biggest fine in FTC history and is being sued for privacy violations in the UK.

      Think about this for a second, and what it means. A website overriding browser security settings to serve unwanted and possibly malicious files. This is outrageous and unethical, and if it were Microsoft then the entire internet community would be enraged. Also think about it in light of this article on malvertisements, which Google was actively propagating.

      Apple has since taken the cat and mouse game further, so the setting is "allow from current website only". I expect malvertisers to scramble to overcome this block, but I hope that legitimate respected top tier internet companies act a little more ethically.

    2. Re:Meh by sconeu · · Score: 2, Informative

      Yeah, Apple *really* led with that. Firefox has had a "block third party cookies" setting since day one.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

    3. Re:Meh by Anonymous Coward · · Score: 2, Insightful

      but never as the default.

  7. Why don't they recompress all the images? by Ambassador+Kosh · · Score: 3, Insightful

    Aren't most exploits removed by loading the image and then recompressing it? Why would you ever serve the raw binary for an image at least that was directly given to you by an advertiser? Isn't that just asking for an exploit?

    I understand Flash is much harder to deal with. Maybe the ad networks need some kind of template for allowed Flash so they can take the Flash file, take it apart, recompress all the images in it and then load it into their own template so that any exploits in it are probably removed.

    --
    Computer modeling for biotech drug manufacturing is HARD! :)

  8. Liability by Ryanrule · · Score: 4, Interesting

    Make sites FULLY liable for problems caused by malware they serve up. Problem solved.

    1. Re:Liability by sunderland56 · · Score: 2

      If media sites become financially liable for the harm that their content does, Fox News is in deep trouble.

  9. No one cares by Runaway1956 · · Score: 3, Insightful

    Absolutely NO ONE cares that some individual blogger makes a dollar from his blogging. Not the readers, not the corporations, not your ISP/host, not even the government, NO ONE. None of us gives a small rat's ass. But, yes, you CAN negotiate with some advertiser whom you deem to be reputable, and not suck at the Google teat, or whatever. Host your own ads, or I won't see them, it's really that simple. All the big ad servers are blocked on my machines.

    Reliable ad agency? Yeah, I gotta agree, that's kinda funny. It may even qualify as a full fledged oxymoron.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br