Malvertising Campaign Hits MSN, NY Times, BBC, AOL

An anonymous reader quotes an article on Help Net Security: In the last couple of days, visitors of a number of highly popular media outlets including the NY Times, the BBC, and Newsweek have been targeted with malicious adverts that attempted to install malware (mostly ransomware, but also various Trojans) on their systems. The websites themselves weren't compromised as the problem was with the ad networks these sites use -- Google, AppNexus, AOL, Rubicon. The ad networks were tricked into serving malicious ads to the visitors.

Ad Blocking

And then they'll tell us to please unblock them so they can make money on our misfortune.

Re:Ad Blocking

[Sax+Russell+5449D29A]

I always thought their pleas to unblock their sites should reflect reality: "Please let us serve you malware!"

Malware distribution via ad networks is a very old an well-known scheme. It would be stupid not to block all ads. As no point can effectively be made without a car analogy; would you not wear your seatbelt if the owner of the road came to you with such plea?

Re:Ad Blocking

[wulfhere]

Here's an idea: How about someone writes an ad blocker that DOWNLOADS the ads, just like normal, but simply does not RENDER them on the screen, or execute any code? Seems like the best of both worlds: users that don't want to see the ads don't see them, and websites still get paid, since there's no way to tell if they actually got shown?

And they wonder why I use an adblocker....

[QuietLagoon]

I need to protect myself from their security incompetence.

The websites themselves weren't compromised

The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware.

Re:And they wonder why I use an adblocker....

[Aighearach]

These companies forget why google exists, why they are successful. In the 90s, there were 2 choices; use an add aggregator and get lots of malware, or manage all the ads in-house and lose money because it isn't your core competency and is hard. Google was the one that didn't shop the ads out to fourth parties, they didn't let advertisers choose the HTML code. That meant no malware.

Users who don't have their own protection will rightly blame the website who exposed them. The scammers basically "are" the NY Times. It is like signing an "online power of attorney" when you let external ad networks choose what HTML you'll serve from your site. They won't ask for that ability in the first place because they have good intentions. If they had good intentions, they'd just want to provide their media, instead of code.

Not only are they responsible for what they serve, they explicitly chose to give these people the power to do this.

Re:And they wonder why I use an adblocker....

[tnk1]

It is sort of a Catch-22 for the providers. They get money from the ad networks, who are all compromised, but have no way of stopping what is served themselves.
So, the right solution is to block ads.

However, if the ad blockers aren't turned off, they get no money from the ad networks.

Ultimately it is the ad networks who are responsible, and no one is able to hold them accountable except maybe some top flight content providers.

It would be better for the content providers if they could just shut off ads and find another way to pay for creating their content, but no one wants to reach into their wallets and pay money to do so.

The one thing that the ad networks do is that they do tend to make getting money to content providers a more simple matter than attempting to obtain and keep subscribers. Subscribers aren't sticker shocked for paying $10 for a site that they just wanted to read one story on, so the general public is paying indirectly by buying products and paying into a pool of advertising money.

By what definition were they not compromised?

[Anubis+IV]

The websites themselves weren't compromised as the problem was with the ad networks these sites use

If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.

Take responsibility, show some respect for your viewers, and stop making excuses. Vet your ads. Serve them from your own servers. Make them first-party. Compelling us to turn off ad-blockers to access your content while not taking steps on your end to protect us from malicious content is sloppy, negligent, and shows an utter and complete disregard for your customers.

Re:By what definition were they not compromised?

[Anubis+IV]

The sites' customers are not you; you are the fucking product, dipshit. You are what they are selling to the advertisers, durrr.

Setting aside the silly ad hominem, let's go ahead and approach it from that angle, since I agree that it's a valid way to view the situation (it's the view I typically espouse, in fact). Our attention is a limited resource, and it's the product that these sites are packaging up and delivering to their actual customers. But just as loggers or fishermen will quickly find themselves in an untenable position if they show a complete and utter disregard for the natural resource they collect, so too will these sites find themselves in a similar position if they do the same. Even if they don't pay me the attention I'm due as a customer, they should still show a proper regard for me as the resource that they deliver to their customer. Or, at least, that's what they should do if they want to stay in business.

Incidentally, you've mistaken my thinking poorly of their design decisions for outrage. I think it's their prerogative to serve third-party ads if they want, just as it's my prerogative to block third-party content by default. I think it's their prerogative to block me because I'm blocking their ads, just as it's my prerogative to stop visiting their site in response to that block. They're acting within their rights, but as with pretty much any business decision, there are consequences, and I believe that they haven't yet weighed the pros and cons correctly.

Running Ad Blocker like running Antivirus

[Chas]

Seriously.

Sure, some people can (and do) run for extended periods of time without getting compromised without ad blockers or AV.
In the end, it's just a matter of time before they're infested.

And yes, compromises on large ad networks like Google may be somewhat rare. But that doesn't help me when a website using their network gives me a drive-by install of Locky or or something that totally hoses all my (or my company's) data.

As such, there is NO negotiation about ad blocking. It's happening. PERIOD.

Until the entire ad industry formulates an acceptable ad policy that people can live with, that DOESN'T pose a danger to its users, ad blocking will continue.

Now content providers are free to take their ball and go home. I don't much give a shit. If given a choice between having my personal and company data destroyed/stolen and watching every content provider on the Internet crash and burn due to lack of ad revenue? Let the fuckers crash and burn!

Re:GAY NIGGERS OF AMERICA - We wan to fuck ASS!

[KGIII]

I hope you die horribly.

Why? I don't like what they have to say and, as is known, I'm even part black. It neither bothers me nor does it make me wish death (or even horrific death) on them. There's lots of things that people say and do that I don't particularly like. I don't have to like everything.

If we eliminate things we don't like then, eventually, there will come a time when you're in the group of people that is disliked. You don't think morality stops with just what you want, do you? I can assure you, there are people who don't like the things you say - and want you to die, horribly. If we could all just get a little bit past that sort of thinking, the world might actually be a nicer place - even though we'd still have people trolling like the AC that you responded to.

Hell, as I said, I'm part black and I'm not even the least bit offended by them. No, the word nigger does not offend me - even when used as a pejorative. Hell, if anything, I'm more unhappy (but not wanting them to die horribly) when it is used in a non-pejorative way.

I don't get why you'd want someone to be dead just because you don't like what they are saying. That literally makes no sense to me. None. I've tried to suss it out and reason my way to understanding but humans confuse me. Yeah, they're idiots. Oh well... The world is full of idiots. I can't imagine why I'd want anyone to die horribly. To me, that would make me equally horrible.

Shit, I agree with the death penalty (just be honest about it) and I still don't want them to die horribly. No, I want it to be as painless as possible. I'm not really sure what that has to do with it but it seemed salient so I figured I'd add it. It's right up there with wanting people to be raped and beaten in prison or hoping they never get out of jail. No, I hope they get better and they're in jail as punishment and not for additional punishment.

Seriously, explain your reasoning/logic to me - if you can. I've asked others before (in very similar circumstances) and (ironically) gotten replies like, "Fuck you faggot." Yup... From the same person I've asked to explain. So far, not one has ever been able to explain how they reasoned themselves into holding and voicing such a position. It's not like you're the first person to express such views. Others do advocate for censoring them, that's a little more logical than wanting them to die. Others often express a desire to be the person who physically harms the individual, that's even less logical.