Inside the Booming, Unhinged, and Dangerous Malvertising Menace

mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."

Advertisers, worry about security? Get real

It costs money to vet customers.

For once we get to see the tragedy of the commons at work in an industry that deserves it.

Re:Advertisers, worry about security? Get real

[Z00L00K]

Yet another reason to make sure you have a good adblocker with a good filter setup.

At the same time newspapers starts to complain when you use an adblocker, so it means that the use of adblockers are successful and effective.

Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

And Android do have some concept of security permissions where the app requests rights before getting installed but at the same time it don't allow the user to actually say no to the request and still install the app. That is something that has to be improved, I as a user can accept that the app I install don't have the full functionality if I for example deny access to the address book.

Re:Advertisers, worry about security? Get real

[javaman235]

Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

A lot of the stuff isn't even hacking, its abuse of permissions. The other day I had a third party tracker request permissions to turn on my mic, and my understanding is if I said yes, the permission would remain across all sites with their tracker on Chrome. So they could listen to me across the Internet. Similar are browser extensions which request the power to read and change data on all pages.These need to come with clear privacy policies, and some kind of audit process to make sure it works.

The main thing to me is advertising has stopped being advertising: connecting people with products and services they might want - and started being about something else. Since when was "Mad Men" about a wiretap that listens to people in their homes?

Re:Advertisers, worry about security? Get real

[Anne+Thwacks]

The goal of most advertising companies appears to be to kill the goose that lays the golden egg. Indeed, the entire industry appears totally committed to this goal.

The problem started with allowing sites to serve executable code. it seems it will end with users having to block all executable code - short of nuking from high orbit, it is the only way to be safe.

In the case of Flash, nuking from high orbit is probably essential.

Disclaimer: My Government sells nukes.

It's profitable

[phantomfive]

If it's increasing, that means it's profitable. Don't expect things to change until there is an expensive lawsuit.

Until then, practice safe browsing, use ad block......even if you like to support websites by looking at their ads, it's not worth the risk right now.

Re:It's profitable

[Dutch+Gun]

What we really need is to put some pressure on advertising companies to stop allowing anyone to run unvetted, arbitrary Javscript code in served advertisements. How stupidly dangerous is that? It's like using a flamethrower to take down a hornet's nest. Yes, it works, but it's a ridiculous amount of overkill, and can be insanely dangerous if pointed at the wrong target. It's in the advertising agencies own interest to clean up it's act. At some point, most people are going to figure out that it's simply too dangerous to run a web browser without noscript or an ad blocker.

Honestly, the only way I can think of putting enough pressure on them is for as many people as possible to install ad-blockers. Once they get the hint that they need to back down, they can come up with some more creative solutions. For instance, introduce a specialized tag in HTML that allows the display of a static image, embedded links, and some anonymous token to help count unique visitors, but NO JAVASCRIPT. It's the notion of running arbitrary script that's so insanely dangerous. Plus, a tag like this would help to ensure that ads don't misbehave, like popping up, animating, or playing audio or video.

Or, ad agencies can be more responsible and run curated ads, with only vetted Javascript in pre-packaged modules, rather than letting anyone execute code from anywhere in the world. There are solutions out there, but no agency wants to be the first to tie their own hands. Honestly, I don't care at this point. It's their fault it's come to this in the first place. Something's got to change.

Why block "in the interim"?

[gweihir]

Advertising companies obviously cannot ensure clean ads or do not care. Users are responsible for protecting their machines. The only sensible thing is to block all ads without distinction and permanently. This industry has nobody but themselves to blame for their inevitable decline.

Re:I work in online advertising

[rsborg]

Thanks for the explanation of how the advertising industry works. I really do think that commoditizing things that should really never be commoditized (i.e., home loans, ad placements, etc) creates a perverse incentive to such razor thin margins that cheating or lying becomes the only way to stay profitable.

In a larger sense, commoditization prevents competition on value. Everything competes on price, and quality isn't quantifiable as easily as price, and so there's a race to the bottom. Even if you build up a good name, a bigger player can undercut you on both price and quality for a while, drive you out of business and then completely drop the ball on quality and still rake in the profits (send a few $$ to reviewers or quality inspectors and buy a higher rating than you deserve).

Doubleclick serve malware

[aepervius]

Doubleclick isn't exactly your eastern europe shaddy site : http://www.theverge.com/2014/9...

You are probably not responsible and involved, and thank you for the informative post, I am sorry but your "we are vetting ad" in view of big network serving malware, sounds more like trying to stem the flow of the blood while pretending one is not wounded.

"The only real market solution is to whitelist a certain number of ad networks"
No the real only solution is to blacklist *all* ad network until they accept responsibility and utterly disable any scripting in their advertising, only serving sanitized text and sanitized image. And that is the minimum.