Slashdot Mirror


Inside the Booming, Unhinged, and Dangerous Malvertising Menace

mask.of.sanity writes: The Register has a feature on the online malicious advertising (malvertising) menace that has become an explosively potent threat to end-user security on the internet. Experts say advertising networks and exchanges need to vet their customers, and publishers need to vet the third party content they display. Users should also consider script and ad blockers in the interim. From the article: "Ads as an attack vector was identified in 2007 when security responders began receiving reports of malware hitting user machines as victims viewed online advertisements. By year's end William Salusky of the SANS Internet Storms Centre had concocted a name for the attacks. Since then malvertising has exploded. This year it increased by more than 260 percent on the previous year, with some 450,000 malicious ads reported in the first six months alone, according to numbers by RiskIQ. Last year, security firm Cyphort found a 300 percent increase in malvertising. In 2013, the Online Trust Alliance logged a more than 200 percent increase in malvertising incidents compared to 2012, serving some 12.4 billion malvertisement impressions."

28 of 259 comments

  1. Advertisers, worry about security? Get real by Anonymous Coward · · Score: 5, Insightful

    It costs money to vet customers.

    For once we get to see the tragedy of the commons at work in an industry that deserves it.

    1. Re:Advertisers, worry about security? Get real by gweihir · · Score: 5, Interesting

      Very much so. Advertising is a plague and deserves to be eradicated. And don't tell me "it finances content", because so can crime, and apparently the distinction is not entirely clear anymore. There are other ways to finance content, and if you do not qualify, maybe your content was not valuable in the first place.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Advertisers, worry about security? Get real by Z00L00K · · Score: 4, Insightful

      Yet another reason to make sure you have a good adblocker with a good filter setup.

      At the same time newspapers start to complain when you use an adblocker, so it means that the use of adblockers is successful and effective.

      Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

      And Android does have some concept of security permissions where the app requests rights before getting installed but at the same time it doesn't allow the user to actually say no to the request and still install the app. That is something that has to be improved, I as a user can accept that the app I install doesn't have the full functionality if I for example deny access to the address book.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Advertisers, worry about security? Get real by javaman235 · · Score: 4, Insightful

      Now web browsers need to work on improving security even more to avoid cross-site content and block suspicious sources even better. This is not only the ordinary cookies or injected ads that are to be considered but also "super-cookies" and cookies/caching of plugin data. Virtualization by default may also be useful - so that each program runs in its own sandbox.

      A lot of the stuff isn't even hacking, it's abuse of permissions. The other day I had a third party tracker request permissions to turn on my mic, and my understanding is if I said yes, the permission would remain across all sites with their tracker on Chrome. So they could listen to me across the Internet. Similar are browser extensions which request the power to read and change data on all pages. These need to come with clear privacy policies, and some kind of audit process to make sure it works.

      The main thing to me is advertising has stopped being advertising: connecting people with products and services they might want - and started being about something else. Since when was "Mad Men" about a wiretap that listens to people in their homes?

      --
      -The art of programming is the pursuit of absolute simplicity.
    4. Re:Advertisers, worry about security? Get real by Mandrel · · Score: 2

      Advertising is a plague

      Here are you only referring to advertising placed in and around content, or all advertising, for example a company's own website, or some point-of-sale display? All advertising is tricksy, but do you ever find it useful?

    5. Re:Advertisers, worry about security? Get real by circletimessquare · · Score: 2

      so be ready to pay for the sites you like

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    6. Re:Advertisers, worry about security? Get real by Anne+Thwacks · · Score: 3, Insightful

      The goal of most advertising companies appears to be to kill the goose that lays the golden egg. Indeed, the entire industry appears totally committed to this goal.

      The problem started with allowing sites to serve executable code. It seems it will end with users having to block all executable code - short of nuking from high orbit, it is the only way to be safe.

      In the case of Flash, nuking from high orbit is probably essential.

      Disclaimer: My Government sells nukes.

      --
      Sent from my ASR33 using ASCII
    7. Re:Advertisers, worry about security? Get real by nukenerd · · Score: 2

      Advertising is a plague

      Here are you only referring to advertising placed in and around content, or all advertising, for example a company's own website, or some point-of-sale display?

      I took it as read that he meant advertising around other content. If I want to buy a camera I go and look at the "advertising" websites of Canon, Pentax etc to see what they have on offer. Of course I look at review sites as well. Adverts that are put in my face annoy me to hell; they have an entirely negative effect on me and I am surprised that the vast majority of people do not react the same.

  2. It's profitable by phantomfive · · Score: 4, Insightful

    If it's increasing, that means it's profitable. Don't expect things to change until there is an expensive lawsuit.

    Until then, practice safe browsing, use ad block......even if you like to support websites by looking at their ads, it's not worth the risk right now.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:It's profitable by Dutch+Gun · · Score: 4, Insightful

      What we really need is to put some pressure on advertising companies to stop allowing anyone to run unvetted, arbitrary Javascript code in served advertisements. How stupidly dangerous is that? It's like using a flamethrower to take down a hornet's nest. Yes, it works, but it's a ridiculous amount of overkill, and can be insanely dangerous if pointed at the wrong target. It's in the advertising agencies' own interest to clean up its act. At some point, most people are going to figure out that it's simply too dangerous to run a web browser without noscript or an ad blocker.

      Honestly, the only way I can think of putting enough pressure on them is for as many people as possible to install ad-blockers. Once they get the hint that they need to back down, they can come up with some more creative solutions. For instance, introduce a specialized tag in HTML that allows the display of a static image, embedded links, and some anonymous token to help count unique visitors, but NO JAVASCRIPT. It's the notion of running arbitrary script that's so insanely dangerous. Plus, a tag like this would help to ensure that ads don't misbehave, like popping up, animating, or playing audio or video.

      Or, ad agencies can be more responsible and run curated ads, with only vetted Javascript in pre-packaged modules, rather than letting anyone execute code from anywhere in the world. There are solutions out there, but no agency wants to be the first to tie their own hands. Honestly, I don't care at this point. It's their fault it's come to this in the first place. Something's got to change.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:It's profitable by gstoddart · · Score: 4, Interesting

      What we really need is to put some pressure on advertising companies

      No, see that implies we trust them, wish to engage with them, and want to negotiate a future in which they are an integral part of the web.

      That means they've won.

      Yes, installing ad blockers will put pressure on them. But let's make it perfectly clear: we don't see it as their right to track us, collect data about us, and inject themselves into the conversation.

      Cut them out entirely, and leave them cut out. The 7 analytics companies on this page right now, and the dozens I see on every page I visit ... I have no intention of ever giving them access to my machine as long as I have technology to prevent it.

      But not for a minute will I pretend that this is a negotiation with them. Once you install things like HTTP Switchboard, or Request Policy, or Script Safe and realize just how much shit is in the average web page, you realize that trying to find a good solution is a losing prospect.

      Don't pander to corporate greed, and don't act like you will find a solution which is equitable. Because they're not interested in giving it to you, so don't get suckered into giving it to them.

      Most of these ad and analytics companies are just parasites. And there's way too damned many of them to think you'll ever come out well in that conversation.

      --
      Lost at C:>. Found at C.
  3. I work in online advertising by FireballX301 · · Score: 5, Informative

    But I agree with the general premise. It's just that the picture generally gets complex - let me explain.

    The way an ad gets served is this. Places that show ads (websites, mobile websites, in-app ad spaces) are inventory. Inventory is of varying quality - an ad on the front page of the NYT is costly, whereas an ad on housewiferecipes.com or something is dirt cheap. Small sites sell their inventory to brokers, who pack it up with other sites to sell on advertising exchanges (the firm I work for runs one of these exchanges).

    On the other side of the issue, advertisement costs money. A firm wanting to run ads will contract with an online media agency, which will create an ad and then find inventory to place the ad in. The firm commits to spending X amount of money for Y amount of impressions (hits), so if the agency can find inventory that performs (hits whatever ad metrics required, such as 'time in ad' or 'number of clicks') while being dirt cheap, it pockets the rest. If multiple agencies bid on the same inventory, the price of that inventory goes up (and the website runner makes more money), so it's a game of scooping up cheap inventory on random sites at the times they're cheap.

    Typically, a given source of inventory (a site) will contract out to a large number of brokers in order to guarantee that at least one of them will, upon request, be able to serve an ad in the space. 90% of ad networks vet their ads to run clean, because running a malware ad is essentially a death sentence if you ever want to run any kind of premium ad (the ones that make you a lot of money) or buy premium ad space (lots of premium advertisers will specify they only want premium space, like the front page of the NYT). Above-the-board ad networks will run clean, vet their stuff, and charge a higher exchange fee, whereas unscrupulous networks (many based in Eastern Europe) will charge a lower fee and let all sorts of shit go through.

    What does this mean? An attacker with a crafted ad that can beat cheapo mal-detection can buy cheap inventory on a shady network, intentionally outbid other people and pay a minor premium for that cheap inventory, and get their ads wherever they want. The ad network will get shut down if it was really egregious (since running a malware ad can theoretically open you to litigation from other advertisers on your network), but for every network that shuts down there's another that can pop up promising minimal overhead and minimal vetting.

    The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks, but this segments the internet into the haves (premium inventory, high quality sites, premium ad networks, premium ads, all expensive) and the have nots (mom and pop sites with mediocre inventory that nobody visits because of the chance of getting cancer from the shit networks they have to run). Beyond that, this problem is unlikely to go away - it's simply too easy to game the system and put whatever you want into many adspaces.

    1. Re:I work in online advertising by FireballX301 · · Score: 3, Interesting

      No, the ads just move out of ad spaces into 'native' space, embedded with content and interspersed into feeds and streams. That's what all those sponsored articles and stuff are, and it's really terrible. Don't get me wrong, I'm not particularly pro-advertising, but I see polite, safe ads that are placed into their own corner of a page as a good compromise in order to avoid the corruption of actual page content. I've seen (and run) enough high quality content sites that can't pay for their own hosting or bandwidth, and it sucks to see them go away.

    2. Re:I work in online advertising by gweihir · · Score: 4, Interesting

      Thanks for this explanation. As nobody in their right mind wants ads, anybody looking for a solution will arrive at complete blocking. The underlying problem is of course that the whole market structure is fundamentally broken, much like the stock market in 2008 with the sub-prime crisis: People brokering things without knowing anything about quality. If enough of that happens, the market collapses.

      I expect that in the not too distant future, complete blocking of all ads will be a security best-practice.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:I work in online advertising by rsborg · · Score: 5, Insightful

      Thanks for the explanation of how the advertising industry works. I really do think that commoditizing things that should really never be commoditized (i.e., home loans, ad placements, etc) creates a perverse incentive to such razor thin margins that cheating or lying becomes the only way to stay profitable.

      In a larger sense, commoditization prevents competition on value. Everything competes on price, and quality isn't quantifiable as easily as price, and so there's a race to the bottom. Even if you build up a good name, a bigger player can undercut you on both price and quality for a while, drive you out of business and then completely drop the ball on quality and still rake in the profits (send a few $$ to reviewers or quality inspectors and buy a higher rating than you deserve).

      --
      Make sure everyone's vote counts: Verified Voting
    4. Re:I work in online advertising by phantomfive · · Score: 2

      The only real market solution is to whitelist a certain number of ad networks, and have sites commit to only running ads from those ad networks

      Which ad networks haven't served malware?

      (Also, the free market solution is for everyone to use ad block).

      --
      "First they came for the slanderers and i said nothing."
    5. Re:I work in online advertising by RogueyWon · · Score: 4, Interesting

      Actually, I don't detest ads per se. I held off for using an adblocker for a long time, because there were a few sites I frequented that I knew were unlikely to be able to stay in operation on anything other than the advertising model. Static-image ads or even tastefully animated ones (ie. a selection of items from a product range which changes every 20 seconds or so) don't bother me, provided they don't fill half the screen.

      But I'm on an adblocker now, as of around 9 months ago. Malvertising was a factor in this move, but the biggest factor was auto-playing video-ads with sound. I got bored of clicking through browser tabs playing the game of "spot where the noise is coming from". Oh, and those full-site wrap-around ads that leave almost no room on the screen where you can click-for-focus without clicking the ad are infuriating as well.

      This is an industry that seems set for self-destruction. I've no doubt that there are responsible, legitimate advertising firms out there, as described by the GP (I still see plenty of "inoffensive" ads). There are also, as I said above, a lot of useful resources that would either require subscriptions or shut down without advertising. But it doesn't take many bad apples to sour the public on the whole idea. Adblockers are getting traction even with people who were uncomfortable with them to begin with on ethical grounds (like me) and from what we've seen out of the courts so far, they're not getting banned any time soon (and the growth of malvertising makes this even more of an unlikely prospect).

      I suspect the onus is going to be on the industry to sort this out, through creating a trade association with some real teeth and buy-in from the major customers, plus potentially co-operation with search engines to help identify dodgy sites.

      All of which is probably a recipe for a cartel 10 years down the line. Solve one problem and another replaces it...

    6. Re:I work in online advertising by RogueyWon · · Score: 5, Interesting

      The "mom and pop" sites point rings amusingly true for me.

      Around a year ago, my dad went through a wave of really nasty malware infections. The ones that block your AV software, redirect your DNS and generally embed themselves right across the OS.

      Now, my dad has historically been a bit of a malware-magnet. He falls into the category of "knows just about enough to think he knows everything", which used to lead him into some really poor security practices. But after a really nasty infection in 2012 which resulted in him losing quite a significant chunk of personal data, I thought he'd finally learned his lesson. He was keeping on top of Windows Update, keeping an updated AVG install, running weekly Malwarebytes scans and had finally, finally, stopped opening dodgy e-mail attachments from his perpetually-malware-infested dickhead golf-buddy friends.

      I'd also put him on an adblocker. I wasn't using one myself at the time (though I am now), but I was sick of making the 4-hour-each-way journey to his place to fix his machine, so I'd held nothing back.

      So a wave of four or five infections in the space of a month came as a bit of a shock. What was surprising was that he was getting re-infected very quickly after each disinfection (including one which involved a full format-reinstall of Windows).

      Eventually, after going through his browser history after two consecutive infections (and half-expecting to find a megaton of pr0n), I track down the source.

      And it's not pr0n, it's his bloody family history club website. Some online forum he participates in for people who are trying to trace their ancestry in a particular area. It has under 50 regular participants. It also has a prominent notice about how much the site depends on advertising income to stay in operation and asking users to disable or make an exception in their adblocker (with instructions on how to do so).

      My dad has, of course, been making an exception for this site, which is then pushing a remarkably concentrated and toxic cocktail of malware-infested ads almost every time it is accessed. We actually ended up on the phone to the guy who ran the site, begging him to switch to another advertising provider. He wasn't exactly enthusiastic, so the adblocker remained in place. Don't know where things have got to since then.

  4. Why block "in the interim"? by gweihir · · Score: 5, Insightful

    Advertising companies obviously cannot ensure clean ads or do not care. Users are responsible for protecting their machines. The only sensible thing is to block all ads without distinction and permanently. This industry has nobody but themselves to blame for their inevitable decline.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Why block "in the interim"? by phantomfive · · Score: 2

      Advertising companies are much more focused on getting rid of click-fraud and improving targeting abilities, because the people who pay them want that. If you visit an ad network, that is all you will hear, "improved targeting!"

      --
      "First they came for the slanderers and i said nothing."
  5. HTTPS everywhere by whoever57 · · Score: 2

    This is why I am not on board with the idea of https everywhere. Recently, I started seeing obviously malware ads in the middle of Words With Friends (OK, maybe Words with Friends is malware!!). Configuring my squid proxy, I was able to block not only the site that was serving the ads (gaseview.com), but also the ad network that I think was providing the links to the malware ads (mopub.com).

    With https everywhere it is much more difficult to block such ads.

    --
    The real "Libtards" are the Libertarians!
    1. Re:HTTPS everywhere by Pentium100 · · Score: 2

      You can use your own proxy to essentially do a MITM attack on your own connection and remove the ads or do anything else you would like and still have an encrypted connection over the public internet.
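
Added example, not part of either post above: a Python sketch of the domain matching a filtering proxy applies to the two hosts whoever57 names, run over constructed Squid-style access-log lines. For an HTTPS tunnel the proxy sees only the CONNECT host and not the URL path, which is the visibility difference this sub-thread is about; the log lines, addresses and lookalike hostnames are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# The two domains named in the post above; everything else here is constructed.
BLOCKLIST = {"gaseview.com", "mopub.com"}

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client result/status bytes method target ident peer type
SAMPLE_LOG = """\
1441000000.101 45 192.0.2.20 TCP_MISS/200 5120 GET http://cdn.gaseview.com/creative/123.js - HIER_DIRECT/203.0.113.10 application/javascript
1441000001.202 310 192.0.2.20 TCP_TUNNEL/200 8421 CONNECT ads.mopub.com:443 - HIER_DIRECT/203.0.113.11 -
1441000002.303 12 192.0.2.20 TCP_MISS/200 900 GET http://notmopub.com/index.html - HIER_DIRECT/203.0.113.12 text/html
1441000003.404 20 192.0.2.20 TCP_TUNNEL/200 700 CONNECT mopub.com.example.net:443 - HIER_DIRECT/203.0.113.13 -
"""


def host_of(method, target):
    """Return the lower-cased host the proxy can see for this request."""
    if method == "CONNECT":
        # HTTPS tunnel: the target is only "host:port", there is no URL.
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def is_blocked(host, blocklist=BLOCKLIST):
    """Match the host or any parent domain, on label boundaries only.

    "ads.mopub.com" matches "mopub.com"; "notmopub.com" and
    "mopub.com.example.net" do not.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify(line):
    """Parse one access.log line; return None if it is too short to parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    method, target = fields[5], fields[6]
    host = host_of(method, target)
    return {
        "client": fields[2],
        "host": host,
        "blocked": is_blocked(host),
        # Inside a CONNECT tunnel the path and body are encrypted, so a
        # domain rule still works but URL- or content-based rules do not.
        "path_visible": method != "CONNECT",
    }


def blocked_hosts(log_text):
    """Return the hosts in the log that the blocklist would deny, in order."""
    results = (classify(line) for line in log_text.splitlines())
    return [r["host"] for r in results if r and r["blocked"]]


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(classify(entry))
```
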

  6. is the problem not ADOBE FLASH? by rewindustry · · Score: 2

    please forgive my ignorance, if my prejudice is in any way misguided, but i am under the impression that the attack vector, in actual fact, is flash, as i cannot see how a simple image, or even a "normal" video, could possibly compromise a target machine, whereas i understand adobe is full of holes, deliberate or otherwise.

    or, to put it another way, i've never seen a machine compromised, to date, after wiping adobe (hack, spit) from the system.

    while i'm at it - am i correct to believe the company was actually responsible for jailing a man, a foreign national, without charges, for well over a year, in direct response to his having exposed the insecurity of an adobe "security" mechanism?

  7. Re:AdBlock+ = inferior & 'souled-out' vs. host by Sarusa · · Score: 2

    Well that was mighty TimeCube. I kind of get that you don't like AdBlock+, but I had to engage my geocities -> english translator. Really kind of sad /. won't let you change fonts and colors, because that would have been amazing.

    I'm using Ublock myself.

  8. Doubleclick serve malware by aepervius · · Score: 3, Insightful

    Doubleclick isn't exactly your Eastern Europe shady site : http://www.theverge.com/2014/9...

    You are probably not responsible and involved, and thank you for the informative post, I am sorry but your "we are vetting ad" in view of big network serving malware, sounds more like trying to stem the flow of the blood while pretending one is not wounded.

    "The only real market solution is to whitelist a certain number of ad networks"
    No the real only solution is to blacklist *all* ad network until they accept responsibility and utterly disable any scripting in their advertising, only serving sanitized text and sanitized image. And that is the minimum.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  9. It's getting really bad now by jez9999 · · Score: 4, Funny

    They're getting ever more sophisticated. I got some sort of malware the other day that actually poses as a Windows update, which puts a permanent icon in my system tray with regular (3 or 4 times a day) popups about a "free upgrade to Windows 10". Luckily I don't fall for that kind of thing but I don't know how I got the virus in the first place.

  10. Re:Suicide by BVis · · Score: 2

    Most for-profit companies are trading long term sustainability for short term profits.

    FTFY. The phenomenon is not limited to advertising networks.

    Also, anyone that tries to make me feel bad about using an ad blocker is trying to tell me that they have a right to shove ads into my eyeballs. They can go fuck themselves with a chainsaw; my eyes, my rules. I am not obligated to punch your monkey.

    --
    Never underestimate the power of stupid people in large groups.
  11. WWF (disambiguation) by tepples · · Score: 2

    WWF is a horrible app.

    Yeah, but where else can I watch panda wrestling?