Slashdot Mirror
Inside the Booming, Unhinged, and Dangerous Malvertising Menace
mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."
No, the ads just move out of ad spaces into 'native' space, embedded with content and interspersed into feeds and streams. That's what all those sponsored articles and stuff are, and it's really terrible. Don't get me wrong, I'm not particularly pro-advertising, but I see polite, safe ads that are placed into their own corner of a page as a good compromise in order to avoid the corruption of actual page content. I've seen (and run) enough high quality content sites that can't pay for their own hosting or bandwidth, and it sucks to see them go away.
Thanks for this explanation. As nobody in their right mind wants ads, anybody looking for a solution will arrive at complete blocking. The underlying problem is of course that the whole market structure is fundamentally broken, much like the stock market in 2008 with the sub-prime crisis: People brokering things without knowing anything about quality. If enough of that happens, the market collapses.
I expect that in the not too distant future, complete blocking of all ads will be a security best-practice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Very much so. Advertising is a plague and deserves to be eradicated. And don't tell me "it finances content", because so can crime, and apparently the distinction is not entirely clear anymore. There are other ways to finance content, and if you do not qualify, maybe your content was not valuable in the first place.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Actually, I don't detest ads per se. I held off for using an adblocker for a long time, because there were a few sites I frequented that I knew were unlikely to be able to stay in operation on anything other than the advertising model. Static-image ads or even tastefully animated ones (ie. a selection of items from a product range which changes every 20 seconds or so) don't bother me, provided they don't fill half the screen.
But I'm on an adblocker now, as of around 9 months ago. Malvertising was a factor in this move, but the biggest factor were auto-playing video-ads with sound. I got bored of clicking through browser tabs playing the game of "spot where the noise is coming from". Oh, and those full-site wrap-around ads that leave almost no room on the screen where you can click-for-focus without clicking the ad are infuriating as well.
This is an industry that seems set for self-destruction. I've no doubt that there are responsible, legitimate advertising firms out there, as described by the GP (I still see plenty of "inoffensive" ads). There are also, as I said above, a lot of useful resources that would either require subscriptions or shut down without advertising. But it doesn't take many bad apples to sour the public on the whole idea. Adblockers are getting traction even with people who were uncomfortable with them to begin with on ethical grounds (like me) and from what we've seen out of the courts so far, they're not getting banned any time soon (and the growth of malvertising makes this even more of an unlikely prospect).
I suspect the onus is going to be on the industry to sort this out, through creating a trade association with some real teeth and buy-in from the major customers, plus potentially co-operation with search engines to help identify dodgy sites.
All of which is probably a recipe for a cartel 10 years down the line. Solve one problem and another replaces it...
The "mom and pop" sites point rings amusingly true for me.
Around a year ago, my dad went through a wave of really nasty malware infections. The ones that block your AV software, redirect your DNS and generally embed themselves right across the OS.
Now, my dad has historically been a bit of a malware-magnet. He falls into the category of "knows just about enough to think he knows everything", which used to lead him into some really poor security practices. But after a really nasty infection in 2012 which resulted in him losing quite a significant chunk of personal data, I thought he'd finally learned his lesson. He was keeping on top of Windows Update, keeping an updated AVG install, running weekly Malwarebytes scans and had finally, finally, stopped opening dodgy e-mail attachments from his perpetually-malware-infested dickhead golf-buddy friends.
I'd also put him on an adblocker. I wasn't using one myself at the time (though I am now), but I was sick of making the 4-hour-each-way journey to his place to fix his machine, so I'd held nothing back.
So a wave of four or five infections in the space of a month came as a bit of a shock. What was surprising was that he was getting re-infected very quickly after each disinfection (including one which involved a full format-reinstall of Windows).
Eventually, after going through his browser history after two consecutive infections (and half-expecting to find a megaton of pr0n), I track down the source.
And it's not pr0n, it's his bloody family history club website. Some online forum he participates in for people who are trying to trace their ancestry in a particular area. It has under 50 regular participants. It also has a prominent notice about how much the site depends on advertising income to stay in operation and asking users to disable or make an exception in their adblocker (with instructions on how to do so).
My dad has, of course, been making an exception for this site, which is then pushing a remarkably concentrated and toxic cocktail of malware-infested ads almost every time it is accessed. We actually ended up on the phone to the guy who ran the site, begging him to switch to another advertising provider. He wasn't exactly enthusiastic, so the adblocker remained in place. Don't know where things have got to since then.
No, see that implies we trust them, wish to engage with them, and want to negotiate a future in which they are an integral part of the web.
That means they've won.
Yes, installing ad blockers will put pressure on them. But let's make it perfectly clear: we don't see it as their right to track us, collect data about us, and inject themselves into the conversation.
Cut them out entirely, and leave them cut out. The 7 analytics companies on this page right now, and the dozens I see on every page I visit ... I have no intention of ever giving them access to my machine as long as I have technology to prevent it.
But not for a minute will I pretend that this is a negotiation with them. Once you install things like HTTP Switchboard, or Request Policy, or Script Safe and realize just how much shit is in the average web page, you realize that trying to find a good solution is a losing prospect.
Don't pander to corporate greed, and don't act like you will find a solution which is equitable. Because they're not interested in giving it to you, so don't get suckered into giving it to them.
Most of these ad and analytics companies are just parasites. And there's way too damned many of them to think you'll ever come out well in that conversation.
Lost at C:>. Found at C.