Inside the Booming, Unhinged, and Dangerous Malvertising Menace
mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."
It costs money to vet customers.
For once we get to see the tragedy of the commons at work in an industry that deserves it.
If it's increasing, that means it's profitable. Don't expect things to change until there is an expensive lawsuit.
Until then, practice safe browsing, use ad block......even if you like to support websites by looking at their ads, it's not worth the risk right now.
"First they came for the slanderers and i said nothing."
The X10 browser hijacks weren't even the first, they were just everywhere.
But I agree with the general premise. It's just that the picture generally gets complex - let me explain.
The way an ad gets served is this. Places that show ads (websites, mobile websites, in-app ad spaces) are inventory. Inventory is of varying quality - an ad on the front page of the NYT is costly, whereas an ad on housewiferecipes.com or something is dirt cheap. Small sites sell their inventory to brokers, who pack it up with other sites to sell on advertising exchanges (the firm I work for runs one of these exchanges).
On the other side of the issue, advertisement costs money. A firm wanting to run ads will contract with an online media agency, which will create an ad and then find inventory to place the ad in. The firm commits to spending X amount of money for Y amount of impressions (hits), so if the agency can find inventory that performs (hits whatever ad metrics required, such as 'time in ad' or 'number of clicks') while being dirt cheap, it pockets the rest. If multiple agencies bid on the same inventory, the price of that inventory goes up (and the website runner makes more money), so it's a game of scooping up cheap inventory on random sites at the times they're cheap.
Typically, a given source of inventory (a site) will contract out to a large number of brokers in order to guarantee that at least one of them will, upon request, be able to serve an ad in the space. 90% of ad networks vet their ads to run clean, because running a malware ad is essentially a death sentence if you ever want to run any kind of premium ad (the ones that make you a lot of money) or buy premium ad space (lots of premium advertisers will specify they only want premium space, like the front page of the NYT). Above-the-board ad networks will run clean, vet their stuff, and charge a higher exchange fee, whereas unscrupulous networks (many based in Eastern Europe) will charge a lower fee and let all sorts of shit go through.
What does this mean? An attacker with a crafted ad that can beat cheapo mal-detection can buy cheap inventory on a shady network, intentionally outbid other people and pay a minor premium for that cheap inventory, and get their ads wherever they want. The ad network will get shut down if it was really egregious (since running a malware ad can theoretically open you to litigation from other advertisers on your network), but for every network that shuts down there's another that can pop up promising minimal overhead and minimal vetting.
The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks, but this segments the internet into the haves (premium inventory, high quality sites, premium ad networks, premium ads, all expensive) and the have nots (mom and pop sites with mediocre inventory that nobody visits because of the chance of getting cancer from the shit networks they have to run). Beyond that, this problem is unlikely to go away - it's simply too easy to game the system and put whatever you want into many adspaces.
Advertising companies obviously cannot ensure clean ads or do not care. Users are responsible for protecting their machines. The only sensible thing is to block all ads without distinction and permanently. This industry has nobody but themselves to blame for their inevitable decline.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is why I am not on board with the idea of https everywhere. Recently, I started seeing obviously malware ads in the middle of Words With Friends (OK, maybe Words with Friends is malware!!). Configuring my squid proxy, I was able to block not only the site that was serving the ads (gaseview.com), but also the ad network that I think was providing the links to the malware ads (mopub.com).
With https everywhere it is much more difficult to block such ads.
The real "Libtards" are the Libertarians!
please forgive my ignorance, if my prejudice is in any way misguided, but i am under the impression that the attack vector, in actual fact, is flash, as i cannot see how a simple image, or even a "normal" video, could possibly compromise a target machine, whereas i understand adobe is full of holes, deliberate or otherwise.
or, to put it another way, i've never seen a machine compromised, to date, after wiping adobe (hack, spit) from the system.
while i'm at it - am i correct to believe the company was actually responsible for jailing a man, a foreign national, without charges, for well over a year, in direct response to his having exposed the insecurity of an adobe "security" mechanism?
I'm more worried about the ads in Vuze. I'm sure other freeware has ads.
Well that was mighty TimeCube. I kind of get that you don't like AdBlock+, but I had to engage my geocities -> english translator. Really kind of sad /. won't let you change fonts and colors, because that would have been amazing.
I'm using Ublock myself.
DoubleClick isn't exactly your Eastern Europe shady site: http://www.theverge.com/2014/9...
You are probably not responsible and involved, and thank you for the informative post, I am sorry but your "we are vetting ad" in view of big network serving malware, sounds more like trying to stem the flow of the blood while pretending one is not wounded.
"The only real market solution is to whitelist a certain number of ad networks"
No, the only real solution is to blacklist *all* ad networks until they accept responsibility and utterly disable any scripting in their advertising, only serving sanitized text and sanitized images. And that is the minimum.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Interesting.
A problem I have (and a temporary solution) is that ads come from a third party site. Usually the same few networks. I don't like being tracked by third party sites and I see no reason to view their content, so I simply DNS block common ad networks and third-party-content block them in the browser. This is causing the problem that I don't pay for the sites I visit (the adblock problem) and of course I can't visit sites that demand the third party site content to show (DNS block), but there is at least very low risk for tracking and third party malvertising.
A solution as I see it would be that ads are given as images and reported as statistics, so that the main site can repack them (removing any exploits), display them without tracking me more than usual and report the displays to the advertisement network. (It would also have the benefit that any annoying flash ads and popups would go away, which would benefit the advertisers in the long run - less ad blocking.) (I presume clickthroughs can go to the advertisement network so they can keep track of that part.)
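The DNS-level blocking this commenter describes, and the proxy-level blocking in the earlier Squid comment, both start from the same raw material: published lists of ad and tracker domains, which arrive in inconsistent formats (plain domain-per-line, hosts-file style `0.0.0.0 domain` lines, mixed case, comments, the occasional junk line). The following is an added example, not code from any commenter or from the article, that normalises such lists into a de-duplicated set and renders it both as hosts-file entries pointing at an unroutable sink and as a Squid `dstdomain` file. The input lists are constructed here for illustration; the domains in them are placeholders, not real ad networks.

```python
"""Build a hosts-file block list and a Squid dstdomain ACL file from ad-network
domain lists. Added example: the sample lists below are constructed, and the
file path in the Squid comment is an assumption, not a value from the thread."""
import ipaddress
import re

# Constructed sample lists in the two formats blocklists usually come in.
SAMPLE_LISTS = {
    "plain": """
# constructed list, one domain per line
ads.example.net
Tracker.Example.org
ads.example.net      # duplicate, and repeated below in different case
ADS.EXAMPLE.NET
not a domain!
""",
    "hosts": """
127.0.0.1 localhost
0.0.0.0 malvertiser.example.com
0.0.0.0 cdn.malvertiser.example.com # inline comment
127.0.0.1 tracker.example.org
""",
}

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Names a hosts-format list carries for its own sake, never to be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def parse_blocklist(text):
    """Yield lowercase hostnames from plain-list or hosts-format text.
    Comments, blank lines, localhost entries and anything that is not a
    syntactically valid hostname are skipped rather than passed through."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # hosts format: IP then one or more names
            names = fields[1:]
        except ValueError:
            names = fields if len(fields) == 1 else []   # plain format: exactly one token
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not _HOSTNAME.match(name):
                continue
            yield name


def merge_blocklists(texts):
    """Return a sorted, de-duplicated list of domains from several lists."""
    domains = set()
    for text in texts:
        domains.update(parse_blocklist(text))
    return sorted(domains)


def hosts_file(domains, sink="0.0.0.0"):
    """Render hosts-file lines sending each domain to an unroutable sink address,
    so lookups fail fast instead of connecting to a local web server."""
    return "\n".join(f"{sink} {d}" for d in domains) + "\n"


def squid_dstdomain_file(domains):
    """Render the contents of a file referenced from squid.conf as, for example,
    acl ads dstdomain "/etc/squid/ads.txt" (path assumed), followed by
    http_access deny ads. The leading dot makes Squid match subdomains too."""
    return "\n".join(f".{d}" for d in domains) + "\n"


if __name__ == "__main__":
    merged = merge_blocklists(SAMPLE_LISTS.values())
    print(hosts_file(merged))
    print(squid_dstdomain_file(merged))
```

A hosts file only protects the machine it lives on and cannot express wildcards, which is why the Squid output uses the leading-dot form to cover subdomains; the same normalised list can feed a local resolver for network-wide blocking. Validating each entry matters because a garbage line in a downloaded list can make the resolver or proxy reject the whole file.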
I read the article all the way through, and it SEEMS like you have to click on the ad in order for it to infect you. They don't specifically come out and SAY this, though. So, is this the case? Does not clicking on ads keep you safe? I thought just having a flash ad download and execute on your machine was enough, or are we not talking about this? There are references to "hardened landing pages" that infect the users, so WTF is up with that?
The funny part is that the malware installed is used to install click-fraud bots on infected machines, so the ad networks and/or end clients themselves are the ones being screwed out of money.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
They're getting ever more sophisticated. I got some sort of malware the other day that actually poses as a Windows update, which puts a permanent icon in my system tray with regular (3 or 4 times a day) popups about a "free upgrade to Windows 10". Luckily I don't fall for that kind of thing but I don't know how I got the virus in the first place.
== Jez ==
Do you miss Firefox? Try Pale Moon.
OK, then I'm afraid these 'security responders' were oblivious to the 7 or so years before that, and are therefore suspect.
Malware has been in ads since the friggin' .com era, saying they started in 2007 tells me they weren't paying attention.
Flash has been a vector for security exploits from ads as long as it has existed, as has javascript (popup window hell anybody?).
Sorry, any security researcher who forgets that ads have always been a vector for malware is a little too clueless.
Lost at C:>. Found at C.
FTFY. The phenomenon is not limited to advertising networks.
Also, anyone that tries to make me feel bad about using an ad blocker is trying to tell me that they have a right to shove ads into my eyeballs. They can go fuck themselves with a chainsaw; my eyes, my rules. I am not obligated to punch your monkey.
Never underestimate the power of stupid people in large groups.
People having promiscuous sex should use condoms. Not in the interim while we are working for a cure for HIV, not until there are some better treatments for herpes. If you are engaging in sex with multiple partners, it will ALWAYS BE A GOOD IDEA.
The web is no different. As long as sites can cause local code execution, I don't care if it's in a limited environment. I don't care if it's in a restricted VM. These environments always end up having holes, and those holes, once widely distributed, will always create a viable market for attacking it. It will always be too high value of a target to trust.
I am ok with promiscuity up to a point. But as someone I know once said "just because I am easy, doesn't mean I am not picky"....but when you are engaging in more risky behaviour, the only sensible option is to slip it on, BEFORE you slip it in.....and install an ad blocker, or better yet, I don't like ad blockers per se....RequestPolicy and NoScript would be my general choice...and never ever use any of the "allow all" or "temporarily disable" buttons....ever. I would rather not browse a site than be hitting some strange raw.
"I opened my eyes, and everything went dark again"
Are you so stupid that you don't know what you need?
You might be surprised at how many people are that stupid. Henry Ford sold his Model T automobile to people who thought they needed a faster horse.
Do you need help when deciding what food/clothes/housing/car you buy?
Some people do. In some categories, U.S. consumers can rely on Consumer Reports, a product comparison magazine and website funded by subscribers that takes no advertising. But a lot of things are so hyper-local that a nationwide magazine such as CR can't cover them adequately, such as restaurants and housing. And even then, CR somehow needs to learn that a particular product exists and is available to the public, even though it refuses to take product samples.
There are other ways to finance content
What might these be, other than ads and paywalls? Once I know what other ways you're thinking of, I can analyze their suitability for different
and if you do not qualify, maybe your content was not valuable in the first place.
Valuable to readers != valuable to those with money up front.
If the ad networks stopped using Flash for ads and switched to only using HTML5, the amount of nasty stuff would drop dramatically. Are there exploits in browsers where a dodgy non-Flash ad could get in? Sure there are. But it's much harder for malware to exploit those holes, especially if you keep your browser up-to-date (and aren't doing something stupid like connecting a browser that is no longer receiving security updates to the open internet).
At the very least, a non-Flash malware ad would need a bunch of different exploits for various different browsers (Firefox, Chrome, Internet Explorer at the very least) and different versions of those browsers (an exploit that works on IE6 on Windows XP isn't going to work on IE11 on Windows 10 for example). Also, non-Flash ads will (by virtue of their HTML/JS source being visible) be easier for ad networks to vet and examine for dodgy stuff.
If access to your mic and camera are *actually* required (e.g. tech support, online chat etc.) you should have to authorise this access each time and the access should be granted for the current page only.
If the user has to re-allow the microphone, re-allow the camera, and re-allow location whenever the user navigates to a different part of a web application, with no way to "always allow" other than by applying a patch to the browser's source code and recompiling the entire browser from source, the user will likely consider it worse than Windows Vista UAC.
WWF is a horrible app.
Yeah, but where else can I watch panda wrestling?
How do you not-click an ad that takes up the entire screen with a transparent hotspot?
Ctrl+W. (Source)
there is no euvertising. Advertisements are spam, thus malware
Would you prefer to have to buy a separate $20 per year subscription for each domain that you visit? Or what third option am I missing?
He's gotten so bad lately, I hear Google is talking about changing the file extension for Android apps.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
...but a day might come when people who want to make money will have to focus on creating something of tangible value to other human beings. Horrors!!!
Hypocrite.
You're spamming right now.
Why would anybody trust your software when you are doing the very thing you claim to be fighting? -Cluttering up the space with self-promotion and hard-sell noise.
One post is sufficient. Dozens are offensive and off-putting.
And seriously: ALL CAPS is the mark of the time-cubed insane. Don't be insane. People avoid the insane.
Good luck.
We have enough ads without your crap as well.
can't see inside it, and i can't find an open source interpreter that works, so i'm deaf as well as blind.
i'm aware windows and macs are vectors also - there is never any security in obscurity, no matter how clever you think you are..
to date linux, without adobe flash, or any other proprietary driver, has served me perfectly well, without any form of virus 'protection', for decades.
i'm aware the community gets hit, sometimes, but it hasn't reached me yet.
perhaps my browsing is somehow more prescient than most?
or maybe i just got lucky.
i remain convinced that the sooner flash is replaced, or forced open, the better for all.
and pdf too, ack thpfft.
I'm not sure how you think that was a correction. I didn't repeat what the article already stated, because the article had already stated it; that doesn't make me wrong or "in need of correction", it makes me "not redundant". Furthermore, you then go on to "invalidate" my mention that there was no patch for XP by stating that XP is no longer supported. Here's a newsflash: XP is still supported on POS platforms, which are widely deployed, so a patch is still necessary there. To top it off, XP was the most prevalent Windows version at the time of the incident, so your claim is really that Microsoft left the majority of their customers vulnerable.
Brilliant.
I know I'm not going to win this argument because you've clearly got nothing but time on your hands with which to craft your arguments so as to appear to be correct and on-topic while simply directing the argument away from what you perceive to be your opponent's area of expertise. That's fine, your tactics make you feel like a big man and the whole exchange is highly entertaining for me, because I know why it appears that I am losing.
Let me ask you this: If your application is so great, why do you have to spam Slashdot to sell it? Your high horse is complaining of back pains. You should get off it.
P.S.=> Spamming a forum about your "awesome" application and how great you think you are is never on topic.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Where's your Mac version?
And my achievements stand quite well on their own, people who need to know have copies of my resume. I sure do quite well in the technical field in which I consult for someone with "no demonstratable technical computing expertise", so I'll let you have that one as long as my bills are paid and there is food on my table and a roof over my head. And a comfortable lifestyle. Very comfortable. So much so, in fact, that I don't feel the need to trumpet all of my accomplishments to the world in some ego-maniacal tantrum.
You wrote a small application that pulls other peoples' domain block lists from the internet and assembles them into a hosts file. The hosts file, of course, being a throwback to ARPANET and not something you created. Now, that would be impressive.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
.. and has been for a long time now.
I was fairly early to the whole "World Wide Web" thing. I remember when AOL opened for business and the collective IQ of the web dropped by 80 points overnight. You know, back in the days when you could have an actual intelligent conversation with a total stranger in an unmoderated public chat room.
I remember when most websites were run by just ordinary people who had interests in things and wanted to share information about those interests. The computer hobbyists still wrote their reviews of whatever new widget they had gotten their hands on, people still swapped recipes and stupid cat pictures.. there were blogs (even though they weren't called that yet..)
Companies had their websites too. Granted, they didn't have much functionality.. but if a company had a website, you could often times look up information about their products, or find contact information to get ahold of someone.
And maybe, just maybe.. there would be a text link, or a banner at the top of the page as advertising. Usually just to another website, but occasionally an image promoting some sale at a brick and mortar place somewhere.. Then came the "banner exchange" programs.. rotating sets of banners that'd swap out..
And then the professional marketing companies jumped aboard, smelling profits.. and there was an explosion of commercial filth that no amount of eye-bleach could get rid of. First it was more and more ads being packed into pages... then it was pages that were almost content-free, but crammed with horrible ads.. blinking, flashing, retina-searing color contrasts..
Then the ad-men hired some unscrupulous nerds to code up ads that launched new windows full of ads.. sometimes so many that it would crash your system... and it became a game of how fast you could click the mouse to close windows before the script driven popups killed your box and forced a reboot..
All because one parasitic industry decided it had a right to make vast sums of money hawking products and services nobody actually wanted, and damn you for denying them that opportunity.
Ad-blockers came into existence not because people inherently object to respectful, reasonable, non-intrusive advertising. They were invented precisely because the advertising industry itself is predatory and abusive and knows no bounds when it comes to forcing shit you don't want onto you.
You pay $2.50 for a bottle of aspirin. $0.25 of that $2.50 is the cost of the actual aspirin. Perhaps a penny is the cost of the bottle and label. Another penny for the box. Another $0.25 to deliver it and stock it. And then $1.98 for all the advertising to convince you that you want to buy it.. When all that really motivated you to buy that aspirin was the hangover you had this morning from too many beers last night.
The vast majority of advertising is simply a giant scam in the first place. False claims repeated ad-nauseum till people don't bother to challenge them anymore. Coke spends over half a billion dollars each year on advertising in the US alone. Does anyone honestly believe that there's a single human being in the US that doesn't know Coke and thus needs informed? Are people really so stupid as to think that a commercial is why someone buys Coke over Pepsi? If I want a Coke, I buy a Coke. If I feel like a Pepsi, I buy a Pepsi. And it doesn't have a bloody blessed thing to do with the millions spent at the Super Bowl or the logo feces that is smeared over the entire environment. And yet that bottle of Coke probably costs twice as much for me to buy because an industry has been pushing that lie.
I eat at McDonalds because they're cheap, quick and everywhere, not because of some irritating bullsh*t commercial that tries to be "hip" or "trendy".
If you offer a good product or service, one that really fills a need, you don't particularly *need* much advertising. Some, sure, to get the word out. But 99% of what is advertised is either redundant or duplicitous BS that's just trying to sell s
but, you guys constantly "harass" me
Which is funny to me, considering that our first interaction was you harassing me. As for whether or not I was on topic with my post earlier in this thread (in reply to the AC who first mentioned your name); the topic of the post I was replying to was how unwelcome your posts are and I was exactly on that topic. The AC may have been off-topic with his post, but my post was definitely in line with the topic he opened up.
Either way, I think the whole thing is rather amusing. Honestly, your constant posts about the hosts file are hilarious. Other than the repetitive and rambling nature of your posts, I don't see why people take such issue. Had you not attacked me in that other thread (unprovoked, at that) I'd have nothing against you; but you did, and I do. Mind you, I'd still have posted the same thing in this thread, but would have done so in a joking manner; now, I'm dead serious, you've really gotten that bad.
And yes, dozens of similar posts in a single thread is spam, I don't care how on-topic it may or may not be. To be clear, I'm referring to the following wording from that page: "Forum spam is the creation of advertising messages on Internet forums" and, as Slashdot (like other forums) is modeled after Usenet, "Usenet convention defines spamming as excessive multiple posting, that is, the repeated posting of a message (or substantially similar messages)".
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Shut up, apk. It's bad enough that you spam every single discussion of ad blockers on Slashdot, now you have to prop up your own posts by acting as your own fanclub?
You're a sad little man with a horrible delusion. Every single post you write reeks of conspiracy theory and tinfoil-hattery. It's blatantly obvious by the way you write, with SPURIOUS CAPITALIZATION, &s instead of 'and', and ellipses all over the place. It's a sure sign of someone I would never trust to write a safe piece of software.
And what's more, all your little script does is pull blocklists from various sites, blocklists that have been made by other people. All you did was write a simple shellscript. It's a worthless piece of shit, no-effort junk.
Eat the rich.
The very post you referenced where you were "correcting" me. I had never so much as uttered your name prior to that.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
See APK's delusional responses to my post.
I rest my case.
Eat the rich.