Slashdot Mirror


Malvertising Campaign Hits MSN, NY Times, BBC, AOL

An anonymous reader quotes an article on Help Net Security: In the last couple of days, visitors of a number of highly popular media outlets including the NY Times, the BBC, and Newsweek have been targeted with malicious adverts that attempted to install malware (mostly ransomware, but also various Trojans) on their systems. The websites themselves weren't compromised as the problem was with the ad networks these sites use -- Google, AppNexus, AOL, Rubicon. The ad networks were tricked into serving malicious ads to the visitors.

28 of 159 comments

  1. Ad Blocking by Anonymous Coward · · Score: 5, Insightful

    And then they'll tell us to please unblock them so they can make money on our misfortune.

    1. Re:Ad Blocking by Sax+Russell+5449D29A · · Score: 5, Insightful

      I always thought their pleas to unblock their sites should reflect reality: "Please let us serve you malware!"

      Malware distribution via ad networks is a very old and well-known scheme. It would be stupid not to block all ads. As no point can effectively be made without a car analogy: would you not wear your seatbelt if the owner of the road came to you with such a plea?

      --
      -SR
    2. Re:Ad Blocking by wulfhere · · Score: 2, Insightful

      Here's an idea: How about someone writes an ad blocker that DOWNLOADS the ads, just like normal, but simply does not RENDER them on the screen, or execute any code? Seems like the best of both worlds: users that don't want to see the ads don't see them, and websites still get paid, since there's no way to tell if they actually got shown?

      --
      -- Sent from a computer.
    3. Re:Ad Blocking by KGIII · · Score: 2

      The developer version of Opera now has built-in ad blocking. One of the neat things that it includes is the chance to load a page without it and with it, in a side-by-side comparison, and it's rather interesting because it also gives you a loading speed and then shows you the differences.

      I've done some playing with it...

      Normally, I block ads and scripting that's not from the originating domain. I don't see ads, I don't like ads, I will happily donate (and I often do) to keep a site up if it is looking like they need money. If a site requests that I disable my ad-blocking, I leave. I do not still use the site while blocking ads - I respect their property.

      If I allow remote scripts to run and then use the ad-blocking comparison tool with Opera, it tells me that the average site I visit loads from 40 to 50% more quickly. Those are actual load times. I have no idea how much bandwidth is being saved. I usually have a fairly secure operating system so I'm not too worried that it's going to result in malware infections but that's probably a good metric to consider as well.

      The gist of this post is that it's just practicing safe hex to block ads. It's not just good to block the ads but it's good to block third party scripts in general. One might go so far as to suggest blocking all of them - which I do, by default. I doubt most people are willing to go through that effort so I'm not going to suggest that everyone try that. I block all third party scripts by default. It does actually eat up some time BUT that time is well spent. I use a whitelist-based approach. I only visit so many sites and I do so with least privilege and then only enable what is needed for functionality and some cosmetics. I then save it and it gets pushed out to other machines that I use - it's actually fairly automated and I use a central repository that I can even access remotely.

      I only visit so many sites where I want any additional features. I keep a lot of that stuff from even entering. I've got uMatrix set to, "Holy Shit Batman" mode. I block a lot of stuff and then just whitelist as I go. I even block some stuff on the first-party domain by default. Yup... Even that gets initially whitelisted and added as needed. If I don't need the cookie to function, I don't load it. If I don't need the script to run, I don't load that either. Hell, I've had images disabled by default but, gotta be honest, that kind of sucks.

      So no, I don't recommend that folks do that. That's a lot of work - but only at first. After the work is done, it's saved forever and gets pushed out to my other devices so I need only do it once. Somewhere between doing that (or browsing in Lynx) is a viable solution that people should make educated and informed choices about. Security is a process, not an application. It's about trade-offs, pragmatism, and deciding what risks one will take in order to perform the desired task.

      Basically, the web's dangerous. Practice safe hex.

      --
      "So long and thanks for all the fish."
    4. Re:Ad Blocking by wulfhere · · Score: 2

      I suppose that's possible. I'm definitely not an expert on the ad networks, or how they calculate ad impressions, but I fail to see how they could distinguish between an ad that's on my screen but that I don't interact with in any way (which is the vast majority of them) vs. an ad that was served, but not displayed on my screen. It's not like I'm doing a captcha on each ad to prove I'm a human and not a computer.

      --
      -- Sent from a computer.
    5. Re:Ad Blocking by wulfhere · · Score: 2

      If the code is not executed in a browser. Just download anything from any of the ad networks to /dev/null.

      --
      -- Sent from a computer.
    6. Re:Ad Blocking by The-Ixian · · Score: 2

      The good news is that with a script blocker you also effectively cut out the malicious ads while still allowing the non-executable ads to come through. This, to me, is a good compromise as it still allows for ad supported content from ad vendors that don't use obnoxious/dangerous ads.

      No need for an ad blocker unless your actual motivation is just to not see ads, period.

      --
      My eyes reflect the stars and a smile lights up my face.
  2. And they wonder why I use an adblocker.... by QuietLagoon · · Score: 4, Insightful

    I need to protect myself from their security incompetence.

    The websites themselves weren't compromised

    The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware.

    1. Re:And they wonder why I use an adblocker.... by nospam007 · · Score: 2

      "The ads appeared when I visited those websites, therefore it appears the websites are responsible for spreading the malware."

      And if they tell us to switch off our adblocker, it's aiding and abetting.
      Somebody has to sue those idiots some time.

    2. Re:And they wonder why I use an adblocker.... by Aighearach · · Score: 4, Insightful

      These companies forget why Google exists, why they are successful. In the 90s, there were 2 choices; use an ad aggregator and get lots of malware, or manage all the ads in-house and lose money because it isn't your core competency and is hard. Google was the one that didn't shop the ads out to fourth parties, they didn't let advertisers choose the HTML code. That meant no malware.

      Users who don't have their own protection will rightly blame the website who exposed them. The scammers basically "are" the NY Times. It is like signing an "online power of attorney" when you let external ad networks choose what HTML you'll serve from your site. They won't ask for that ability in the first place because they have good intentions. If they had good intentions, they'd just want to provide their media, instead of code.

      Not only are they responsible for what they serve, they explicitly chose to give these people the power to do this.

    3. Re:And they wonder why I use an adblocker.... by Zaowulf · · Score: 2

      Ads are served from other networks through a really long and overly-complex system of stuff I don't care enough about to explain. Basically, they sell page space to other companies and set it up so those companies can inject their content into the site. Those advertising companies were compromised which caused the ads they provided to deliver the malware. "BBC" wasn't hacked but their ads were. The average user won't really know the difference, and because it's all so convoluted and everybody is sleeping with everybody, the best (and only) defense is to block all ads regardless of whether it's a site you trust. Until "the way things are" changes there is no other acceptable response.

    4. Re:And they wonder why I use an adblocker.... by tnk1 · · Score: 3, Insightful

      It is sort of a Catch-22 for the providers. They get money from the ad networks, who are all compromised, but have no way of stopping what is served themselves.
      So, the right solution is to block ads.

      However, if the ad blockers aren't turned off, they get no money from the ad networks.

      Ultimately it is the ad networks who are responsible, and no one is able to hold them accountable except maybe some top flight content providers.

      It would be better for the content providers if they could just shut off ads and find another way to pay for creating their content, but no one wants to reach into their wallets and pay money to do so.

      The one thing that the ad networks do is that they do tend to make getting money to content providers a more simple matter than attempting to obtain and keep subscribers. Subscribers aren't sticker shocked for paying $10 for a site that they just wanted to read one story on, so the general public is paying indirectly by buying products and paying into a pool of advertising money.

  3. Re:Maybe by Lunix+Nutcase · · Score: 2

    Someone was probably pimping their shitty blog for ad impressions. Here is a link from Ars Technica.

  4. Re:BBC? by Richard_at_work · · Score: 3, Interesting

    Adverts are shown to users visiting from non-UK IP addresses on all participating BBC websites.

  5. So, Forbes, Wired, et al. by Snotnose · · Score: 4, Interesting

    wanna tell me again why it's wrong of me to run an ad-blocker? Try to use bigger words this time, cuz when you use the smaller ones I understand 100% what you're telling me and my Deja-Moo detector goes off.

    Deja-Moo - that feeling you've heard this bull before.

  6. Adblocker = Malware blocker by Anonymous Coward · · Score: 5, Interesting

    Adblocker & related tools should change their marketing from 'helping you to block ads' to 'helping you avoid Malware/trojans etc.'...e.g. they should advertise & promote themselves as a 'security tool'...everything out of their mouths, on their website etc should be focused on that use case. Any time some politician opens their mouth about how adblockers are 'stealing' or 'ruining' some business the makers of adblocking tools should retort with statements about 'helping users security' etc.

  7. By what definition were they not compromised? by Anubis+IV · · Score: 5, Insightful

    The websites themselves weren't compromised as the problem was with the ad networks these sites use

    If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.

    Take responsibility, show some respect for your viewers, and stop making excuses. Vet your ads. Serve them from your own servers. Make them first-party. Compelling us to turn off ad-blockers to access your content while not taking steps on your end to protect us from malicious content is sloppy, negligent, and shows an utter and complete disregard for your customers.

    1. Re:By what definition were they not compromised? by Anubis+IV · · Score: 2

      Slashdot CONFIGURED their site to allow arbitrary content from third parties (me) [...]

      Our comments are not "arbitrary content" in the sense that I intended it with my previous comment. Our comments have a strictly enforced format made up of text and HTML tags that have been vetted to prevent abuse. Not so with ads, which oftentimes include some combination of iframes, Javascript, cookies, images, Flash, and any number of other objects, none of which have gone through the sort of vetting process that the permissible HTML tags have gone through here.

      And I was speaking ethically, not legally. Whether or not they can be held legally liable, I have no clue, but as a customer, I hold them liable. If I as their customer view their site and then get a malware infection as a result of having viewed their site, then they're the ones that caused it as far as I'm concerned, if not directly, then through their negligence.

    2. Re:By what definition were they not compromised? by Anubis+IV · · Score: 3, Insightful

      The sites' customers are not you; you are the fucking product, dipshit. You are what they are selling to the advertisers, durrr.

      Setting aside the silly ad hominem, let's go ahead and approach it from that angle, since I agree that it's a valid way to view the situation (it's the view I typically espouse, in fact). Our attention is a limited resource, and it's the product that these sites are packaging up and delivering to their actual customers. But just as loggers or fishermen will quickly find themselves in an untenable position if they show a complete and utter disregard for the natural resource they collect, so too will these sites find themselves in a similar position if they do the same. Even if they don't pay me the attention I'm due as a customer, they should still show a proper regard for me as the resource that they deliver to their customer. Or, at least, that's what they should do if they want to stay in business.

      Incidentally, you've mistaken my thinking poorly of their design decisions for outrage. I think it's their prerogative to serve third-party ads if they want, just as it's my prerogative to block third-party content by default. I think it's their prerogative to block me because I'm blocking their ads, just as it's my prerogative to stop visiting their site in response to that block. They're acting within their rights, but as with pretty much any business decision, there are consequences, and I believe that they haven't yet weighed the pros and cons correctly.

    3. Re:By what definition were they not compromised? by cweber · · Score: 2

      If you've configured your site to allow arbitrary content from unknown third-parties, your site is compromised by design. If the mere act of rendering the content that your site is sufficient to get malware, then, yes, your page is compromised. Doesn't matter if the source of the malware was in somebody else's ad service. If that service feeds data directly into your site that you then present to your visitors without any sort of vetting or filtering, then you've allowed that malware to compromise your site.

      You do realize that a site only embeds the ad network code, not the final downloaded content? I.e. yes, a site takes some sort of responsibility when deciding to run ads from an ad network. Beyond that, however, every user gets potentially different ads. There are real time bidding platforms and user profiling code in the middle, completely outside the direct control of the website.

    4. Re:By what definition were they not compromised? by Anubis+IV · · Score: 2

      You do realize that a site only embeds the ad network code, not the final downloaded content?

      Yup. And that's exactly the problem. Just as we'd question the judgment of a ship designer who put a gaping hole below the waterline that let seawater and sea life in, and just as we'd question home builders who decided it was better to simply leave out one of the walls from the final construction, so too should we question any website design choice that entails giving unknown, untrusted third-parties free access to put anything they want on a site. The fact that the hole was placed there intentionally by embedding the ad network code doesn't excuse the sites. Rather, it makes them responsible for anything that gets in through the holes they chose to add intentionally.

      But, going back to your initial question, yes, I'm quite familiar with how this stuff works. My graduate research focused on topological approaches to spam site identification for use in optimizing web crawlers, which, while certainly not this exact area, should at least tell you that I have a decent interest in this sort of stuff. ;)

    5. Re:By what definition were they not compromised? by ChristophWeber · · Score: 2

      Fair enough. Thanks for your clarification. In the interest of full disclosure: I head up the tech teams behind this and its sister site, but not adops or sales. Posting from my corporate account this time.

    6. Re:By what definition were they not compromised? by Anubis+IV · · Score: 2

      Backing up for a sec, thank you. You guys have been rocking it recently. Love the addition of HTTPS, and it's great to hear that you're bringing UTF-8 support as well in the future.

      And back on topic, I know I'm being idealistic (perhaps even naive) in my viewpoint, since there are business realities about the world as it exists today that make the "right" way of doing things difficult or impossible. Even so, the way that ads are delivered today is broken by design and NEEDS to be fixed. That these techniques are ubiquitous cannot be used as an excuse for not trying to find better ways to safely deliver ads to site visitors.

      To me, advertising as it exists today is more or less in slash-and-burn mode: they're reaping easy short-term profits at the cost of their long-term profitability. As others are pointing out in the comments, it's no longer simply a matter of blocking eyesores; it's about having malware-free pages that load in reasonable times. Adblockers are quickly becoming the Internet-equivalent of installing antivirus and are no longer relegated to power users and technophiles. The usable farmland is shrinking at a faster and faster rate.

      To be clear, by no means am I against advertising as a business model, but I am against the means and methods of advertising delivery as they primarily exist today. I want great sites (like Slashdot!) to continue being freely available while also enjoying profitability, but I also want us, as a technology industry, to be forward-looking in our approach to the problem of delivering ads safely to our users. We should be trying to figure out what model comes next, because the one we're using today is insecure and unsustainable.

  8. I love host file ad blocking for this reason by millertym · · Score: 2

    The guy at this site maintains a crazy list of advertisers and malicious site DNS records... then points them all to 0.0.0.0 using host file format. It has served me well for years now.

    http://winhelp2002.mvps.org/ho...
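
The hosts-file blocking described in the comment above, as an added example that is not part of the original post or of the linked list: a parser for hosts-format entries that reports which lookups a `0.0.0.0` line actually covers. Hosts entries match exact names only, so a subdomain of a listed name is not sinkholed. The sample entries and hostnames are constructed (reserved `.example` names), and `parse_hosts`, `classify` and `audit` are hypothetical helper names.

```python
"""Parse hosts-format blocklist text and audit which hostnames it sinkholes."""
import ipaddress

# Constructed sample in hosts-file format (reserved .example names, not a real list).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1   localhost
0.0.0.0     ads.adnetwork.example          # inline comment
0.0.0.0     track.adnetwork.example  pixel.adnetwork.example
0.0.0.0     BANNERS.Cdn.Example.
192.0.2.10  intranet.corp.example
not-an-ip   broken.line.example
"""

# Constructed list of hostnames a page might request.
REQUESTED = [
    "ads.adnetwork.example", "Pixel.AdNetwork.example",
    "eu.ads.adnetwork.example", "banners.cdn.example",
    "intranet.corp.example", "www.news.example",
]

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalize(name):
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()


def parse_hosts(text):
    """Return (set of sinkholed names, list of (lineno, line) that failed to parse)."""
    sinkholed, skipped = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            skipped.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:
            skipped.append((lineno, raw.strip()))
            continue
        if not (addr.is_unspecified or addr.is_loopback):
            continue                              # ordinary mapping, not a block entry
        for name in map(normalize, fields[1:]):   # one line may carry several names
            if name not in LOCAL_NAMES:
                sinkholed.add(name)
    return sinkholed, skipped


def classify(hostname, sinkholed):
    """'blocked' on exact match, 'parent-only' if only a parent name is listed."""
    host = normalize(hostname)
    if host in sinkholed:
        return "blocked"
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in sinkholed:
            return "parent-only"                  # hosts files have no wildcards
    return "unlisted"


def audit(requested, hosts_text):
    sinkholed, _ = parse_hosts(hosts_text)
    return {h: classify(h, sinkholed) for h in requested}


if __name__ == "__main__":
    for host, verdict in audit(REQUESTED, SAMPLE_HOSTS).items():
        print(f"{verdict:12} {host}")
```

A `parent-only` verdict marks a coverage gap: the name still resolves normally unless it gets its own line in the file.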

  9. Re:Maybe by RavenLrD20k · · Score: 5, Funny

    Has anyone found a Forbes Link on this? I can't search there because I won't turn off my ad-blocker and Forbes won't let me past their page requesting that I turn off the blocker. It just goes through an endless loop.

  10. Running Ad Blocker like running Antivirus by Chas · · Score: 5, Insightful

    Seriously.

    Sure, some people can (and do) run for extended periods of time without getting compromised without ad blockers or AV.
    In the end, it's just a matter of time before they're infested.

    And yes, compromises on large ad networks like Google may be somewhat rare. But that doesn't help me when a website using their network gives me a drive-by install of Locky or something that totally hoses all my (or my company's) data.

    As such, there is NO negotiation about ad blocking. It's happening. PERIOD.

    Until the entire ad industry formulates an acceptable ad policy that people can live with, that DOESN'T pose a danger to its users, ad blocking will continue.

    Now content providers are free to take their ball and go home. I don't much give a shit. If given a choice between having my personal and company data destroyed/stolen and watching every content provider on the Internet crash and burn due to lack of ad revenue? Let the fuckers crash and burn!

    --
    Chas - The one, the only.
    THANK GOD!!!
  11. Damnit by JustAnotherOldGuy · · Score: 2

    I guess I'll have to turn off Adblock and NoScript so I can take advantage of this wonderful opportunity to get my free malware.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  12. Re:GAY NIGGERS OF AMERICA - We wan to fuck ASS! by KGIII · · Score: 2, Insightful

    I hope you die horribly.

    Why? I don't like what they have to say and, as is known, I'm even part black. It neither bothers me nor does it make me wish death (or even horrific death) on them. There's lots of things that people say and do that I don't particularly like. I don't have to like everything.

    If we eliminate things we don't like then, eventually, there will come a time when you're in the group of people that is disliked. You don't think morality stops with just what you want, do you? I can assure you, there are people who don't like the things you say - and want you to die, horribly. If we could all just get a little bit past that sort of thinking, the world might actually be a nicer place - even though we'd still have people trolling like the AC that you responded to.

    Hell, as I said, I'm part black and I'm not even the least bit offended by them. No, the word nigger does not offend me - even when used as a pejorative. Hell, if anything, I'm more unhappy (but not wanting them to die horribly) when it is used in a non-pejorative way.

    I don't get why you'd want someone to be dead just because you don't like what they are saying. That literally makes no sense to me. None. I've tried to suss it out and reason my way to understanding but humans confuse me. Yeah, they're idiots. Oh well... The world is full of idiots. I can't imagine why I'd want anyone to die horribly. To me, that would make me equally horrible.

    Shit, I agree with the death penalty (just be honest about it) and I still don't want them to die horribly. No, I want it to be as painless as possible. I'm not really sure what that has to do with it but it seemed salient so I figured I'd add it. It's right up there with wanting people to be raped and beaten in prison or hoping they never get out of jail. No, I hope they get better and they're in jail as punishment and not for additional punishment.

    Seriously, explain your reasoning/logic to me - if you can. I've asked others before (in very similar circumstances) and (ironically) gotten replies like, "Fuck you faggot." Yup... From the same person I've asked to explain. So far, not one has ever been able to explain how they reasoned themselves into holding and voicing such a position. It's not like you're the first person to express such views. Others do advocate for censoring them, that's a little more logical than wanting them to die. Others often express a desire to be the person who physically harms the individual, that's even less logical.

    --
    "So long and thanks for all the fish."